Just to keep y'all updated, and to summarize what's known so far:

1) The ISS advisory sucks (no details; didn't mention that it was NT-only or that Solaris wasn't vulnerable; they supposedly worked with Netscape on this, but don't have more specific info about which platforms/versions are vulnerable; and it does not mention that the fix is included in the SSL handshake fix, leaving folks to wonder "huh?" when told to apply a fix that doesn't seem to have any relation to the problem).

2) Netscape surreptitiously fixed a serious buffer overflow bug, included it in the SSL handshake patch, and didn't notify anyone of the bug's existence (to this day there isn't any verbiage at http://www.iplanet.com/downloads/patches/detail_12_86.html that mentions this GET overflow). Bad Netscape...no cookie!

3) The information in the database at www.securityfocus.com about this vulnerability is either wrong, or they know something we don't, because it lists specific operating systems and Netscape product versions not mentioned on BugTraq or in the ISS advisory.

4) The advisory mentions NES 3.6sp2 as being vulnerable. I have since used the ISS scanner and the NetscapeGetOverflowFlexCheck to verify that NES 3.5.1 on NT is also vulnerable. Solaris is not vulnerable (at least to this specific variant ;^>).

5) I and at least one other individual who contacted me are interested in finding out what the FlexCheck is doing, so that we can post details on what the problem is and perhaps why UNIX versions don't appear to be vulnerable. If I find anything else out, I'll "open-source" the details so that those without the ISS scanner can confirm whether their systems are vulnerable or not.

6) I'm not the only one annoyed by the terse, disconnected advisories from ISS X-Force of late.

-Jason

Quoting X-Force <xforceat_private>:

> Comments within.
>
> Erik Fichtner wrote:
>
> > Is this vulnerability in other versions of Enterprise server?
>
> We tested the vulnerability against the current releases of Enterprise
> and Fasttrack. Earlier versions may be vulnerable, but they were not
> tested against.
>
> > Does it exist on all platforms?
>
> No, our advisory affects only NT. Solaris was tested against and found
> not vulnerable. AIX and other platforms were not tested against, and
> these platforms potentially could be vulnerable.
>
> > Is this an issue only with the SSL server (SSL Handshake? huh? what does
> > THAT have to do with a GET request?) or does this affect the entire
> > server?
>
> Netscape decided to combine the GET overflow patch in with an SSL
> problem. This vulnerability affects the entire server. Netscape
> handles their patch bundling; we have no involvement with that.
>
> > Are patches available for previous versions of Enterprise server?
>
> Not that we know of. If previous versions are found to be vulnerable,
> Netscape should be contacted and will issue a patch at that time.
>
> ----
> X-Force
> Internet Security Systems, Inc.
> (678) 443-6000 / http://xforce.iss.net/
> Adaptive Network Security for the Enterprise

AT&T Wireless Services IT Security
UNIX Security Operations Specialist
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:01:10 PDT