SecureNET Summary

From: James Wilcox (jim_wilcox@private)
Date: Thu Sep 27 2001 - 14:31:55 PDT

    SecureNET Summary:
    Alert Notification
    
    1.  Vulnerability Information:
    
    A.  Microsoft:
    
    Name:	Deeply-nested Outlook Web Access (OWA) Request Can Consume Server
    CPU Availability
    Date:	26 Sep 2001
    Priority:	Cat IV
    Affected:	Microsoft Exchange Server 2000	Gold, SP1
    	Microsoft Exchange Server 2000 Enterprise Edition	Gold, SP1
    Summary:  This vulnerability allows "denial of service" to occur when OWA
    fails to validate the existence of folders prior to processing requests.  An
    authenticated user could repeatedly request access to non-existent folders
    and consume all CPU resources.
    Note:  This vulnerability only applies if you have the OWA function enabled.
    Reference(s):
    Microsoft
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-049.asp
    
    
    B.  UNIX/LINUX:
    
    Name:	Insecure setserial initscript
    Date:	19 Sep 2001
    Priority:	Cat II
    Affected:	Red Hat Linux	7.1
    Summary:  This vulnerability allows "disclosure of information" to occur
    because "initscript" creates predictable temporary filenames without
    restricted permissions.  A malicious user could use the information gained
    for other exploits.  The "initscript" file must be manually installed and
    enabled and the kernel recompiled for this vulnerability to exist.
    Reference(s):
    LinuxSecurity
    http://www.linuxsecurity.com/advisories/redhat_advisory-1616.html
    Red Hat	http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=52862
    
    
    C.  OTHER:
    
    Name:	H-Sphere Arbitrary File Disclosure Vulnerability
    Date:	25 Sep 2001
    Priority:	Cat II
    Affected:	Positive Software H-Sphere	1.5, 2.0, 2.05, 2.06
    Summary:  This vulnerability allows "disclosure of information" to occur
    because the web server is vulnerable to a "dot dot" attack.  A malicious
    user could traverse directories and gain access to sensitive system
    information.
    Reference(s):
    SecurityFocus	http://www.securityfocus.com/bid/3359
    
    
    Name:	Cisco Secure PIX Firewall SMTP Filtering Vulnerability
    Date:	26 Sep 2001
    Priority:	Cat II
    Affected:	Cisco Secure PIX Firewall	4.4(7.202), 5.1(4.206),
    5.2(3.210), 5.2(4), 5.2(5), 5.3(1.200), 6.0(1)
    Summary:  This vulnerability allows "limited access" to occur because Simple
    Mail Transfer Protocol (SMTP) commands are not adequately filtered by the
    firewall.  A malicious user could bypass the firewall and access the mail
    server to obtain information about mail accounts and execute arbitrary code.
    Reference(s):
    Cisco
    http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-regression-pub.shtml
    
    
    2. Virus/Trojan Information:
    
    Name:  UPDATE - Nimda
    
    Please note that the Nimda worm repeats the process of harvesting addresses
    and e-mailing itself every 10 days.  Per the following references,
    administrators can expect to see increased Nimda activity early on 28 Sep
    2001.
    Reference(s):
    CERT		http://www.cert.org/advisories/CA-2001-26.html
    InfoWorld
    http://www.infoworld.com/articles/hn/xml/01/09/27/010927hnnimbda.xml
    
    
    Name:  Vote.B
    Date:  26 Sep 2001
    Priority:	Cat VII
    Alias:  Anti_TeRRoRisM.exe, VBS_VOTE.B, W32.Vote.B@mm, TROJ_VOTE.B,
    W32/Vote-B
    Summary:  Vote.B is a variant of the Vote.A e-mail worm.  Like its
    predecessor, this worm, once executed, tries to e-mail itself to the
    addresses listed in your Microsoft Outlook contact list and is capable of
    formatting your C: drive.  Differences include the subject, "Fwd: This War
    Must Be Done!" and the fact that Vote.B writes 2 different VBS scripts.  The
    two different scripts are concerned with executing the TimeUpdate.exe file
    and opening a web site to deliver another message that contains profanity.
    Reference(s):
    McAfee		http://vil.nai.com/vil/virusSummary.asp?virus_k=99215
    Sophos		http://www.sophos.com/virusinfo/analyses/w32voteb.html
    Symantec
    http://www.symantec.com/avcenter/venc/data/w32.vote.b@private
    Trend Micro
    http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_VOTE.B
    
    James R. Wilcox, CISSP
    Regional Sales Manager
    SecureInfo Corporation
    503 244-8827 voice
    503 244-3007 fax
    www.SecureInfo.com
    james.wilcox@private
    


