SecureNET Summary: Alert Notification 1. Vulnerability Information: A. Microsoft: Name: Deeply-nested Outlook Web Access (OWA) Request Can Consume Server CPU Availability Date: 26 Sep 2001 Priority: Cat IV Affected: Microsoft Exchange Server 2000 Gold, SP1 Microsoft Exchange Server 2000 Enterprise Edition Gold, SP1 Summary: This vulnerability allows "denial of service" to occur when OWA fails to validate the existence of folders prior to processing requests. An authenticated user could repeatedly request access to non-existent folders and consume all CPU resources. Note: This vulnerability only applies if you have the OWA function enabled. Reference(s): Microsoft http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS01-049.asp B. UNIX/LINUX: Name: Insecure setserial initscript Date: 19 Sep 2001 Priority: Cat II Affected: Red Hat Linux 7.1 Summary: This vulnerability allows "disclosure of information" to occur because "initscript" creates predictable temporary filenames without restricted permissions. A malicious user could use the information gained for other exploits. The "initscript" file must be manually installed and enabled and the kernel recompiled for this vulnerability to exist. Reference(s): LinuxSecurity http://www.linuxsecurity.com/advisories/redhat_advisory-1616.html Red Hat http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=52862 C. OTHER: Name: H-Sphere Arbitrary File Disclosure Vulnerability Date: 25 Sep 2001 Priority: Cat II Affected: Positive Software H-Sphere 1.5, 2.0, 2.05, 2.06 Summary: This vulnerability allows "disclosure of information" to occur because the web server is vulnerable to a "dot dot" attack. A malicious user could traverse directories and gain access to sensitive system information. Reference(s): SecurityFocus http://www.securityfocus.com/bid/3359 Name: Cisco Secure PIX Firewall SMTP Filtering Vulnerability Date: 26 Sep 2001 Priority: Cat II Affected: Cisco Secure PIX Firewall 4.4(7.202), 5.1(4.206), 5.2(3.210), 5.2(4), 5.2(5), 5.3(1.200), 6.0(1) Summary: This vulnerability allows "limited access" to occur because Simple Mail Transfer Protocol (SMTP) commands are not adequately filtered by the firewall. A malicious user could bypass the firewall and access the mail server to obtain information about mail accounts and execute arbitrary code. Reference(s): Cisco http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-regression-pub.sh tml 2. Virus/Trojan Information: Name: UPDATE - Nimda Please note that the Nimda worm repeats the process of harvesting addresses and e-mailing itself every 10 days. Per the following references, administrators can expect to see increased Nimda activity early on 28 Sep 2001. Reference(s): CERT http://www.cert.org/advisories/CA-2001-26.html InfoWorld http://www.infoworld.com/articles/hn/xml/01/09/27/010927hnnimbda.xml Name: Vote.B Date: 26 Sep 2001 Priority Cat VII Alias: Anti_TeRRoRisM.exe, VBS_VOTE.B, W32.Vote.B@mm, TROJ_VOTE.B, W32/Vote-B Summary: Vote.B is a variant of the Vote.A e-mail worm. Like its predecessor, this worm, once executed, tries to e-mail itself to the addresses listed in your Microsoft Outlook contact list and is capable of formatting your C: drive. Differences include the subject, "Fwd: This War Must Be Done!" and the fact that Vote.B writes 2 different VBS scripts. The two different scripts are concerned with executing the TimeUpdate.exe file and opening a web site to deliver another message that contains profanity. Reference(s): McAfee http://vil.nai.com/vil/virusSummary.asp?virus_k=99215 Sophos http://www.sophos.com/virusinfo/analyses/w32voteb.html Symantec http://www.symantec.com/avcenter/venc/data/w32.vote.b@private Trend Micro http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_VOTE.B James R. Wilcox, CISSP Regional Sales Manager SecureInfo Corporation 503 244-8827 voice 503 244-3007 fax www.SecureInfo.com james.wilcox@private
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:26:37 PDT