[gull-annonces] Summary of SecurityFocus Newsletter #305
Marc SCHAEFER
schaefer at alphanet.ch
Tue Jul 5 11:30:02 CEST 2005
Heimdal telnetd Remote Buffer Overflow Vulnerability
BugTraq ID: 13989
Remote: Yes
Date Published: 2005-06-20
Relevant URL: http://www.securityfocus.com/bid/13989
Summary:
Heimdal telnetd is susceptible to a remote buffer overflow vulnerability.
This issue is due to a failure of the application to properly bounds check
user-supplied data prior to copying it to an insufficiently sized memory
buffer.
This vulnerability may be exploited by remote attackers to influence the
proper flow of execution of the application, resulting in attacker-supplied
machine code being executed in the context of the affected network service.
[ Kerberos 5 implementation ]
Cisco VPN Concentrator Groupname Enumeration Weakness
BugTraq ID: 13992
Remote: Yes
Date Published: 2005-06-20
Relevant URL: http://www.securityfocus.com/bid/13992
Summary:
Cisco VPN Concentrator is affected by a remote groupname enumeration
weakness. This issue is due to a design error that could assist a remote
attacker in enumerating groupnames.
Reportedly, once the attacker has verified a groupname, they can obtain a
password hash from an affected device and carry out brute-force attacks
against the password hash.
A valid groupname and password pair can allow the attacker to complete IKE
Phase-1 authentication and carry out man-in-the-middle attacks against other
users. This may ultimately allow the attacker to gain unauthorized access
to the network.
All Cisco VPN Concentrator 3000 series products running groupname
authentication are considered vulnerable to this issue.
[ firmware ]
Todd Miller sudo Local Race Condition Vulnerability
BugTraq ID: 13993
Remote: No
Date Published: 2005-06-20
Relevant URL: http://www.securityfocus.com/bid/13993
Summary:
sudo is prone to a local race condition vulnerability. The issue only
manifests under certain conditions, specifically, when the sudoers
configuration file contains a pseudo-command 'ALL' that directly follows a
user's sudoers entry.
When the aforementioned configuration exists, this issue may be leveraged by
local attackers to execute arbitrary executables with escalated privileges.
This may be accomplished by creating symbolic links to target files.
Mozilla/Firefox Browsers Dialog Box Origin Spoofing Vulnerability
BugTraq ID: 14008
Remote: Yes
Date Published: 2005-06-21
Relevant URL: http://www.securityfocus.com/bid/14008
Summary:
Mozilla/Firefox browsers are prone to a dialog box origin spoofing
vulnerability.
An attacker may exploit this vulnerability to spoof an interface of a
trusted web site. This issue may allow a remote attacker to carry out
phishing style attacks.
[ vague; check the certificate fingerprints, that is all that matters ]
Enterasys Networks Vertical Horizon Default Backdoor Account
Vulnerability
BugTraq ID: 14014
Remote: Yes
Date Published: 2005-06-21
Relevant URL: http://www.securityfocus.com/bid/14014
Summary:
Enterasys Networks Vertical Horizon switch firmware has a built-in
administrative account that cannot be disabled.
This vulnerability reportedly allows remote attackers to gain unauthorized
administrative access to a target switch.
[ firmware ]
Yukihiro Matsumoto Ruby XMLRPC Server Unspecified Command Execution
Vulnerability
BugTraq ID: 14016
Remote: Yes
Date Published: 2005-06-21
Relevant URL: http://www.securityfocus.com/bid/14016
Summary:
Ruby is affected by an unspecified command execution vulnerability.
Reportedly, this issue affects the XMLRPC server.
It may be possible for an attacker to gain unauthorized access to an
affected computer by exploiting this issue.
Ruby 1.8.2 is known to be vulnerable to this issue; however, other
versions may be affected as well.
[ Ruby is a programming language similar to Perl ]
Tor Arbitrary Memory Information Disclosure Vulnerability
BugTraq ID: 14024
Remote: Yes
Date Published: 2005-06-21
Relevant URL: http://www.securityfocus.com/bid/14024
Summary:
Tor is prone to an arbitrary memory information disclosure vulnerability.
A remote attacker could exploit this vulnerability to gain sensitive
information, possibly private keys.
This issue is reported to affect Tor versions prior to 0.1.0.10.
[ anonymizer http://tor.eff.org/ ]
Asterisk Manager Interface Command Processing Remote Buffer Overflow
Vulnerability
BugTraq ID: 14031
Remote: Yes
Date Published: 2005-06-22
Relevant URL: http://www.securityfocus.com/bid/14031
Summary:
Asterisk manager interface is prone to a remote buffer overflow
vulnerability. The issue manifests due to a lack of sufficient boundary
checks performed by command line interface processing routines. Reports
indicate that the issue may only be exploited if the manager interface is
accessible and an attacker is able to write commands to the interface.
Under certain circumstances a remote attacker may exploit this issue to
execute arbitrary code in the context of the affected software.
Linux Kernel Unauthorized SCSI Command Vulnerability
BugTraq ID: 14040
Remote: No
Date Published: 2005-06-23
Relevant URL: http://www.securityfocus.com/bid/14040
Summary:
Linux kernel is reported susceptible to an unauthorized SCSI command
vulnerability.
Commands sent to a SCSI device may render the device's state inconsistent or
change the drive parameters so that other users find the drive to be
unusable.
It is possible that this issue is related to BID 11784 (SuSE Linux Kernel
Unauthorized SCSI Command Vulnerability). This is not confirmed at the
moment, however, this BID will be updated or the two BIDs will be combined
into one when further analysis is completed.
[ to send SCSI commands you need access to the device concerned (so
usually the disk group), or else to the generic interface /dev/sgX,
which one only opens for scanners, e.g. if one wants to avoid running
xsane suid root
]
Sendmail Milter Remote Denial Of Service Weakness
BugTraq ID: 14047
Remote: Yes
Date Published: 2005-06-23
Relevant URL: http://www.securityfocus.com/bid/14047
Summary:
Sendmail is susceptible to a remote denial of service weakness in its milter
interface. This issue is due to overly long default timeouts configured for
milters.
This issue is demonstrated with ClamAV versions prior to 0.86. Any other
milter that utilizes similar operating methods as the older ClamAV milter
will also expose this vulnerability in Sendmail.
Depending on the configuration of the milter interface, attackers may either
exploit this issue to bypass milters, or to deny further email delivery on
affected sites.
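As an added illustration (not from the newsletter or from the sendmail or ClamAV projects), the sendmail.mc syntax for the two settings the summary alludes to: the T= milter timeouts and the F= failure mode that decides between "bypass the milter" and "refuse delivery". The socket path is a constructed value, and the default timeouts quoted in the comment are what the sendmail cf/README documents to the best of my knowledge, so treat them as an assumption to check against your own sendmail version.

```m4
dnl Weak: no T= option, so sendmail uses its built-in milter timeouts
dnl (assumed defaults per cf/README: C:5m;S:10s;R:10s;E:5m), and with no
dnl F= flag a milter that fails or times out is skipped and the message
dnl is accepted unscanned (the "bypass milters" case in the summary).
INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamav/clmilter.sock')

dnl Corrected: explicit, shorter timeouts so a stalled milter ties up a
dnl sendmail process for less time, and F=T so that a milter failure
dnl returns a temporary (4xx) error to the client instead of accepting
dnl the mail unscanned. Delivery is delayed, not bypassed; the real fix
dnl for the ClamAV case is still upgrading the milter to 0.86 or later.
INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamav/clmilter.sock, F=T, T=C:1m;S:30s;R:30s;E:2m')
```

Timeout letters: C = connect, S = sending data to the milter, R = reading a reply, E = end-of-message processing; F=R would reject with a permanent (5xx) error instead.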
Linux Kernel 64 Bit AR-RSC Register Access Validation Vulnerability
BugTraq ID: 14051
Remote: No
Date Published: 2005-06-24
Relevant URL: http://www.securityfocus.com/bid/14051
Summary:
The Linux Kernel for 64 Bit architectures is prone to an access validation
vulnerability. The issue manifests due to a failure to restrict access to
the 'ar.rsc' register (register stack engine control register) by the
'restore_sigcontext' function.
Immediate consequences of exploitation would likely be a denial of service;
other attacks are also possible.
Linux Kernel Subthread Exec Local Denial Of Service Vulnerability
BugTraq ID: 14054
Remote: No
Date Published: 2005-06-24
Relevant URL: http://www.securityfocus.com/bid/14054
Summary:
The Linux kernel is prone to a local denial of service vulnerability. The
issue manifests when a call to exec is made for a subthread that has a timer
pending.
A local attacker may exploit this issue to crash the kernel effectively
denying service for legitimate users.
Clam Anti-Virus ClamAV Unspecified Quantum Decompressor Denial Of
Service Vulnerability
BugTraq ID: 14058
Remote: Yes
Date Published: 2005-06-24
Relevant URL: http://www.securityfocus.com/bid/14058
Summary:
ClamAV is prone to a denial of service vulnerability. The issue manifests in
the Quantum decompressor; the exact cause of this issue is not known.
It is conjectured that a remote attacker may exploit this condition using a
malicious file to crash a target ClamAV server.