
UNIRAS Brief - 551/03 - CIAC - ProFTPD ASCII File Remote Compromise Vulnerability, OpenSSH PAM challenge authentication failure, Portable OpenSSH server PAM Vulnerability + Sendmail 8.12.9 Prescan Bug



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 551/03 dated 02.10.03  Time: 10:34
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Four CIAC Security Advisories:

1: ProFTPD ASCII File Remote Compromise Vulnerability

2: OpenSSH PAM challenge authentication failure

3: Portable OpenSSH server PAM Vulnerability

4: Sendmail 8.12.9 Prescan Bug

Detail
====== 

1: ProFTPD ASCII File Remote Compromise Vulnerability

*** BEGIN PGP VERIFIED MESSAGE ***


             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

               ProFTPD ASCII File Remote Compromise Vulnerability


September 30, 2003 13:00 GMT                                     Number N-156
______________________________________________________________________________
PROBLEM:       A flaw in the ProFTPD Unix FTP server ASCII file upload 
               component can cause a buffer overflow and give a remote 
               intruder root access. 
PLATFORM:      ProFTPD 1.2.7, 1.2.8, 8rc1, 8rc2, 9rc1, 9rc2 
DAMAGE:        A buffer overflow can give a remote intruder root access. 
SOLUTION:      Apply patch for the ProFTPD vulnerability. 
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. A remote intruder can get root access if 
ASSESSMENT:    anonymous uploading is allowed. Authenticated users can get 
               root if anonymous uploading is not allowed. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-156.shtml 
 ORIGINAL BULLETIN:  http://xforce.iss.net/xforce/alerts/id/154 
______________________________________________________________________________



*** END PGP VERIFIED MESSAGE ***

2: OpenSSH PAM challenge authentication failure

*** BEGIN PGP VERIFIED MESSAGE ***



               CERT: OpenSSH PAM challenge authentication failure
                         [Vulnerability Note VU#602204]

September 30, 2003 18:00 GMT                                      Number N-157
______________________________________________________________________________
PROBLEM:       A vulnerability in the challenge authentication code of the 
               Portable OpenSSH server when using the SSHv1 protocol and 
               Pluggable Authentication Modules (PAM), could permit a remote 
               attacker to log in to the system as any user, including 
               potentially root, without using a password. 
PLATFORM:      OpenSSH 3.7.1p1 (portable) 
DAMAGE:        A remote attacker could potentially log in to the system as any 
               user, including root, using a null password. 
SOLUTION:      Change the config file or apply upgrades. 
               (Note--changing the config file fixes the CIAC N-158 CERT
               Portable OpenSSH server PAM conversion stack corruption.) 
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. It is possible for an attacker to log in to 
ASSESSMENT:    the system as any user, including potentially root, without 
               using a password. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-157.shtml 
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/602204 
______________________________________________________________________________



*** END PGP VERIFIED MESSAGE ***

3: Portable OpenSSH server PAM Vulnerability

*** BEGIN PGP VERIFIED MESSAGE ***



                  CERT: Portable OpenSSH server PAM Vulnerability
                         [Vulnerability Note VU#209807]

September 30, 2003 18:00 GMT                                      Number N-158
______________________________________________________________________________
PROBLEM:       A vulnerability in the Portable OpenSSH server that may corrupt 
               the PAM conversion stack. 
PLATFORM:      OpenSSH 3.7.1p1 (portable) 
DAMAGE:        The complete impact of this vulnerability is not yet known, but 
               may lead to privilege escalation, or a denial of service. 
SOLUTION:      Change the config file or apply upgrades. 
               (Note--changing the config file for CIAC N-157 CERT OpenSSH 
               PAM challenge authentication failure, fixes this.) 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The complete impact of this vulnerability 
ASSESSMENT:    is not yet known, but may lead to privilege escalation, or a 
               denial of service. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-158.shtml 
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/209807 
______________________________________________________________________________




*** END PGP VERIFIED MESSAGE ***

4: Sendmail 8.12.9 Prescan Bug

*** BEGIN PGP VERIFIED MESSAGE ***


CIAC Bulletin N-149 has been updated to include an additional link to 
the SGI Security Advisory announcing that SGI has released updated packages 
for IRIX 6.5.22 or patches 5325 and 5326.


                          Sendmail 8.12.9 Prescan Bug
                             

September 17, 2003 17:00 GMT                                      Number N-149
[REVISED 22 Sept 2003]
[REVISED 23 Sept 2003]
[REVISED 26 Sept 2003]
[REVISED 30 Sept 2003]
______________________________________________________________________________
PROBLEM:       A buffer overflow has been discovered in Sendmail version 
               8.12.9 that could be remotely exploited to give an intruder 
               remote access to a system. 
PLATFORM:      Sendmail 8.12.9 and earlier
               Hewlett Packard HP-UX B.11.00, B.11.04 (VVOX), B.11.11, B.11.22 
               Mac OS X versions prior to 10.2.8
               IRIX 6.5.22 or patches 5325 and 5326
DAMAGE:        An intruder could get remote access to a system. 
SOLUTION:      Install Sendmail 8.12.10 available from www.sendmail.org.
               Download and install appropriate files from Hewlett Packard and 
               Apple.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. We have not seen an exploit for this 
ASSESSMENT:    vulnerability. This vulnerability could be exploited to give an 
               intruder root access to a system. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-149.shtml 
 ORIGINAL BULLETIN:  http://www.sendmail.org/8.12.10.html 
 ADDITIONAL LINKS:   Visit HEWLETT PACKARD Subscription Service for:
                     HPSBUX0309-281 (SSRT3631)
					 
                     CERT Advisory CA-2003-25
                     http://www.cert.org/advisories/CA-2003-25.html
					 
                     Apple Security Advisory - Mac OS X 10.2.8 (APPLE-SA-2003-09-22)
                     http://net-security.org/advisory.php?id=2546
                     http://docs.info.apple.com/article.html?artnum=61798
					 
                     RedHat Advisory RHSA2003:283-09
                     https://rhn.redhat.com/errata/RHSA-2003-283.html

                     SGI Security Advisory 20030903-01-P
                     http://www.sgi.com/support/security/ 
______________________________________________________________________________



*** END PGP VERIFIED MESSAGE ***

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone, or Not Protectively Marked information may be sent via EMail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of CIAC for the information
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBP3vww4pao72zK539AQGiCgQAhcZIkELMrFzfpVgmsPedRpcLjC5pLdLx
AjFTbD21Rtle18fcwZeCDweZpr8jWBLZ/aXvW1UYrjqzZN4kiXbfHducTCtnqW17
FMhFlKLL2pJy4FQMTl+NB0/AIla7LVdH0o7Cr8YOkmbVoY5+Yn78ii0TJkvjs8T7
kEsJx3IMgcg=
=HZ24
-----END PGP SIGNATURE-----