Search This Blog

Monday, August 01, 2005

Cisco IOS exploit available

NETWORK WORLD NEWSLETTER: JASON MESERVE'S VIRUS AND BUG PATCH
ALERT
08/01/05
Today's focus: Cisco IOS exploit available

Dear security.world@gmail.com,

In this issue:

* Patches from Gentoo, Debian, KDE, others
* Beware new Trojan that infects .exe files on the target
  machine
* Black Hat event highlights RFID and VoIP security threats
* Links related to Virus and Bug Patch Alert
* Featured reader resource
_______________________________________________________________
This newsletter is sponsored by Avocent
Network World Executive Guide: Reviewing Trends and Insights for
SMB Executives

Life is different for IT professionals at small and mid-sized
businesses, which don't have the luxury of hiring legions of
network experts. Read how network executives are keeping a firm
footing on an ever-shifting product landscape. Learn about
trends and insights surrounding VoIP and VPNs; plus get
commentaries from leading experts on storage strategies for
smaller businesses.
http://www.fattail.com/redir/redirect.asp?CID=109169
_______________________________________________________________
CAN'T STAND THE HEAT?

Neither can your servers. Having dense servers means more heat
and more power consumption in smaller spaces. Find out why just
adding more air conditioners won't cut it and what you need to
do to stay cool this summer... and beyond. Click here:
http://www.fattail.com/redir/redirect.asp?CID=109069
_______________________________________________________________

Today's focus: Cisco IOS exploit available

By Jason Meserve

Despite a legal settlement between Cisco and security research
Michael Lynn over any future disclosure of an exploit for the
IOS operating system that runs many Cisco routers, the exploit
has become public:

Cisco vulnerability posted to Internet, 07/29/05
<http://www.networkworld.com/nlvirusbug4124>

Cisco advisory:
<http://www.networkworld.com/nlvirusbug4125>

CERT advisory:
<http://www.us-cert.gov/cas/techalerts/TA05-210A.html>

While a patch is available that would render the exploit
useless, installing the update on a router is not as easy as
updating a Windows machine with the latest Microsoft update,
says Network World Test Alliance member Rodney Thayer. Meaning
there could be a many routers out there that could be affected.
You can hear more of my conversation with Thayer here:
<http://www.networkworld.com/research/2005/0801radio.html>

Other related IOS/Lynn stories:

Researcher at center of Cisco router-exploit controversy speaks
out, 07/28/05
<http://www.networkworld.com/news/2005/072805-lynn.html>

Cisco, ISS, Michael Lynn and Black Hat sign legal accord,
07/28/05
<http://www.networkworld.com/nlvirusbug4126>

Today's bug patches and security alerts:

NGSSoftware warns of HP OpenView Radia Management Agent flaw

According to an advisory from NGSSoftware, "By connecting to the
TCP port and sending a crafted packet, it is possible to
traverse out of C:\Program Files\Novadigm (the apparent working
directory) and run any executable that is located on the same
logical disk partition, in this case the C: drive." For more, go
to:
<http://www.ngssoftware.com/advisories/hpovrma.txt>

HP advisory:
<http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01138>
**********

Gentoo patches MediaWiki

A cross-scripting vulnerability has been found in MediaWiki, a
collaborative editing tool. An attacker could exploit this to
run arbitrary JavaScript code on the affected machine. For more,
go to:
<http://security.gentoo.org/glsa/glsa-200507-18.xml>

Gentoo upgrades sandbox

The way temporary files are created by sandbox could be
exploited by a local user to overwrite arbitrary files with root
privileges. For more, go to:
<http://security.gentoo.org/glsa/glsa-200507-22.xml>

Gentoo releases Ethereal update

A number of flaws have been found in the popular protocol
analyzer. A fix is available. For more, go to:
<http://security.gentoo.org/glsa/glsa-200507-27.xml>
**********

Debian issues fix for cacti

Several flaws have been found in Cacti, a database tool. The
most serious of the flaws could be exploit to run malicious code
on the affected machine. For more, go to:
<http://www.debian.org/security/2005/dsa-764>

Debian patches phpbb2

According to a Debian advisory, "A cross-site scripting
vulnerability has been detected in phpBB2, a fully featured and
skinneable flat webforum software, that allows remote attackers
to inject arbitrary web script or HTML via nested tags." For
more, go to:
<http://www.debian.org/security/2005/dsa-768>

Debian updates Webcalendar

A flaw in the Webcalender authorization module could allow
unauthorized parties to view calendar data. For more, go to:
<http://www.debian.org/security/2005/dsa-766>

Debian releases gaim fix

A new update for Gaim, an open source instant messaging client,
fixes a potential denial-of-service vulnerability. For more, go
to:
<http://www.debian.org/security/2005/dsa-769>

Debian patches gopher

The gopher browser for Debian creates temporary files in a
non-secure manner. A fix is available. For more, go to:
<http://www.debian.org/security/2005/dsa-770>
**********

KDE patches libgadu/Kopete

According to an alert from KDE, "Kopete contains a copy of
libgadu that is used if no compatible version is installed in
the system. Several input validation errors have been reported
in libgadu that can lead to integer overflows and remote DoS or
arbitrary code execution." For more, go to:
<http://www.kde.org/info/security/advisory-20050721-1.txt>

Related Gentoo advisories:
<http://security.gentoo.org/glsa/glsa-200507-26.xml>
<http://security.gentoo.org/glsa/glsa-200507-23.xml>
**********

Ubuntu fixes PAM/NSS LDAP

According to an Ubuntu advisory, "Andrea Barisani discovered a
flaw in the SSL handling of pam-ldap and libnss-ldap. When a
client connected to a slave LDAP server using SSL, the slave
server did not use SSL as well when contacting the LDAP master
server. This caused passwords and other confident information to
be transmitted unencrypted between the slave and the master."
For more, go to:
<https://www.ubuntulinux.org/support/documentation/usn/usn-152-1>

Ubuntu patches vim

A flaw in the vim text editor could be exploited to execute
arbitrary shell commands with the privileges of the affected
user. For more, go to:
<https://www.ubuntulinux.org/support/documentation/usn/usn-154-1>

Ubuntu releases fix for epiphany

A recent update for the Mozilla Suite caused a regression in the
epiphany browser. A new fix is available. For more, go to:
<https://www.ubuntulinux.org/support/documentation/usn/usn-155-2>

Ubuntu issues patch for Tiff

A denial-of-service vulnerability has been found in the TIFF
library. Certain values in a TIFF image header are not properly
read, which could result in the application crashing. For more,
go to:
<https://www.ubuntulinux.org/support/documentation/usn/usn-156-1>
**********

Conectiva, Fedora release fixes for php

A new update for the popular PHP scripting language fixes two
flaws in previous releases. An attacker could exploit this to
run arbitrary PHP script on the affected machine. For more, go
to:

Conectiva:
<http://www.networkworld.com/go2/0801bug1c.html>

Fedora:
<http://www.securityfocus.com/archive/1/406800/30/0/threaded>
**********

Fedora patches lvm

LVM creates insecure temporary files, which could be exploited
by a local user to gain elevated privileges. For more, go to:
<http://www.securityfocus.com/archive/1/406385/30/90/threaded>
**********

FreeBSD fixes ipsec

A flaw in the FreeBSD implementation of ipsec uses a constant
encryption key rather than an administrator-specified one. For
more, go to:
<http://www.networkworld.com/go2/0801bug1b.html>
**********

SCO patches RPCBind for UnixWare

A denial-of-service vulnerability occurs when specific portmap
requests are received. SCO has released a fix for UnixWare. For
more, go to:
<ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.31>
**********

SuSE patches zlib

A flaw in the way zlib, a file compression/decompression
utility, handles compressed files could be exploited to crash
the application. For more, go to:
<http://www.networkworld.com/nlvirusbug4127>
**********

Mandriva, OpenPKG releases fetchmail fix

A buffer overflow in the popular fetchmail e-mail client could
be exploited in a denial-of-service attack or to potentially
execute arbitrary code. For more, go to:

Mandriva:
<http://www.mandriva.com/security/advisories?name=MDKSA-2005:126>

OpenPKG:
<http://www.networkworld.com/nlvirusbug4128>
**********

OpenPKG patches SpamAssassin

An attacker could send malformed messages through SpamAssassin,
causing the filtering applications to crash. For more, go to:
<http://www.networkworld.com/go2/0801bug1a.html>
**********

Mandriva releases fix for mozilla-thunderbird

A new update for the Mozilla-based Thunderbird browser could be
exploited to run script with elevated privileges on the affected
machine. For more, go to:
<http://www.mandriva.com/security/advisories?name=MDKSA-2005:127>
**********

Today's roundup of virus alerts:

W32/Mytob-HU -- Another Mytob variant that spreads through
e-mail and allows backdoor access via IRC. The infected e-mail
looks like some type of account warning. In addition to allowing
access, Mytob disables security programs and limits access to
related Web sites. (Sophos)

Troj/Ablank-AE -- A browser-hijacking Trojan that changes a
number of Web browser attributes. (Sophos)

W32/Agobot-ADH -- An Agobot backdoor variant that spreads
through network shares, dropping a randomly named file in the
Windows System directory. It disables security applications and
modifies the Windows HOSTS file to limit access to related Web
sites. (Sophos)

W32/Bobax-M -- A new Trojan that infects .exe files on the
target machine. It can disable anti-virus applications, restrict
access to security Web sites, and download/execute files from a
remote site. (Sophos)

Troj/Kelvir-AT -- This MSN Messenger worm spreads via the IM
"Ever see a glass career?? WHAHAHA its with your email!", which
is followed by a URL. (Sophos)

W32/Kelvir-AQ -- Another MSN Messenger worm. This one uses the
message "wtff why are you in this crazy site?" followed by a
URL. (Sophos)

Troj/Bancban-EB -- Another Trojan that targets Brazilian banking
sites. It drops "imgrt.scr" in the Windows System folder.
(Sophos)

W32/Hagbard-A -- A worm that spreads through peer-to-peer file
sharing sites. Among the many files it drops on the infected
machine is "msn_addons.exe" in the C: root directory. It
installs a Web server to allow remote access to the infected
machine. (Sophos)

Troj/Badmaca-A -- This worm displays a message in Portugese that
claims to be a security bulleting from Symantec. It attempts to
download and run malicious code on the infected machine.
(Sophos)

W32/Sdbot-ABQ -- An Sdbot variant that spreads through network
shares, attempting to exploit a number of known Windows
vulnerabilities. It can be used as a DDoS client, steal local
information and download/install additional code. (Sophos)
**********

From the interesting reading department:

Black Hat event highlights RFID and VoIP security threats

The Black Hat conference - an annual event where security
professionals get in touch with their inner hacker and vice
versa - has for nine years been a stage for detailing new
security exploits and sharing visions of the future. Network
World, 07/29/05.
<http://www.networkworld.com/nlvirusbug4129>

The top 5: Today's most-read stories

1. Furor over Cisco IOS router exploit erupts at Black Hat
<http://www.networkworld.com/nlvirusbug4130>

2. Cisco, ISS, Michael Lynn and Black Hat sign legal accord
<http://www.networkworld.com/nlvirusbug4131>

3. Researcher at center of Cisco router-exploit controversy
speaks out <http://www.networkworld.com/nlvirusbug4132>

4. 2005 Salary Survey
<http://www.networkworld.com/nlvirusbug4048>

5. Cisco nixes conference session on hacking IOS router code
<http://www.networkworld.com/nlvirusbug4049>
_______________________________________________________________
To contact: Jason Meserve

Jason Meserve is the Multimedia Editor at Network World and
writes about streaming media, search engines and IP Multicast.
Jason can be reached at <mailto:jmeserve@nww.com>. Check out his
Multimedia Exchange weblog at:
<http://www.networkworld.com/weblogs/multimedia/>

Check out our weekly Network World Radio program at:
<http://www.networkworld.com/radio/>
_______________________________________________________________
This newsletter is sponsored by Avocent
Network World Executive Guide: Reviewing Trends and Insights for
SMB Executives

Life is different for IT professionals at small and mid-sized
businesses, which don't have the luxury of hiring legions of
network experts. Read how network executives are keeping a firm
footing on an ever-shifting product landscape. Learn about
trends and insights surrounding VoIP and VPNs; plus get
commentaries from leading experts on storage strategies for
smaller businesses.
http://www.fattail.com/redir/redirect.asp?CID=109168
_______________________________________________________________
ARCHIVE LINKS

Virus and Bug Patch Alert archive:
http://www.networkworld.com/newsletters/bug/index.html

Breaking security news, updated daily
http://www.networkworld.com/topics/security.html
_______________________________________________________________
FEATURED READER RESOURCE
SIX TIPS FOR GETTING WHAT YOU DESERVE

Before you go in for your next annual review or promotion
interview, you would be wise to consider these tips for ensuring
you've got the right stuff to move ahead. Network executives
offer advice to help you gun for that next promotion and fatten
up your paycheck. Click here:
<http://www.networkworld.com/you/2005/072505-salary-side2.html>
_______________________________________________________________
May We Send You a Free Print Subscription?
You've got the technology snapshot of your choice delivered
at your fingertips each day. Now, extend your knowledge by
receiving 51 FREE issues to our print publication. Apply
today at http://www.subscribenw.com/nl2

International subscribers click here:
http://nww1.com/go/circ_promo.html
_______________________________________________________________
SUBSCRIPTION SERVICES

To subscribe or unsubscribe to any Network World e-mail
newsletters, go to:
<http://www.nwwsubscribe.com/Changes.aspx>

To change your e-mail address, go to:
<http://www.nwwsubscribe.com/ChangeMail.aspx>

Subscription questions? Contact Customer Service by replying to
this message.

This message was sent to: security.world@gmail.com
Please use this address when modifying your subscription.
_______________________________________________________________

Have editorial comments? Write Jeff Caruso, Newsletter Editor,
at: <mailto:jcaruso@nww.com>

Inquiries to: NL Customer Service, Network World, Inc., 118
Turnpike Road, Southborough, MA 01772

For advertising information, write Kevin Normandeau, V.P. of
Online Development, at: <mailto:sponsorships@nwfusion.com>

Copyright Network World, Inc., 2005

No comments: