From: UNIRAS (UK Govt CERT) [uniras@niscc.gov.uk]
Sent: 02 October 2003 10:33
To: uniras@niscc.gov.uk
Cc: interim@lists.niscc.gov.uk
Subject: UNIRAS Brief - 551/03 - CIAC - ProFTPD ASCII File Remote Compromise Vulnerability, OpenSSH PAM challenge authentication failure, Portable OpenSSH server PAM Vulnerability + Sendmail 8.12.9 Prescan Bug

*** PGP SIGNATURE VERIFICATION ***
*** Status:   Good Signature
*** Signer:   UNIRAS (0xB32B9DFD)
*** Signed:   02/10/2003 10:32:51
*** Verified: 02/10/2003 10:37:18
*** BEGIN PGP VERIFIED MESSAGE ***

----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 551/03 dated 02.10.03 Time: 10:34
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

Four CIAC Security Advisories:

1: ProFTPD ASCII File Remote Compromise Vulnerability
2: OpenSSH PAM challenge authentication failure
3: Portable OpenSSH server PAM Vulnerability
4: Sendmail 8.12.9 Prescan Bug

Detail
======

1: ProFTPD ASCII File Remote Compromise Vulnerability

*** BEGIN PGP VERIFIED MESSAGE ***

__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

ProFTPD ASCII File Remote Compromise Vulnerability

September 30, 2003 13:00 GMT                                      Number N-156
______________________________________________________________________________
PROBLEM:       A flaw in the ProFTPD Unix FTP server ASCII file upload
               component can cause a buffer overflow and give a remote
               intruder root access.
PLATFORM:      ProFTPD 1.2.7, 1.2.8, 8rc1, 8rc2, 9rc1, 9rc2
DAMAGE:        A buffer overflow can give a remote intruder root access.
SOLUTION:      Apply patch for the ProFTPD vulnerability.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. A remote intruder can get root access if
ASSESSMENT:    anonymous uploading is allowed. Authenticated users can get
               root if anonymous uploading is not allowed.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-156.shtml
 ORIGINAL BULLETIN:  http://xforce.iss.net/xforce/alerts/id/154
______________________________________________________________________________

*** END PGP VERIFIED MESSAGE ***

2: OpenSSH PAM challenge authentication failure

*** BEGIN PGP VERIFIED MESSAGE ***

__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

CERT: OpenSSH PAM challenge authentication failure
[Vulnerability Note VU#602204]

September 30, 2003 18:00 GMT                                      Number N-157
______________________________________________________________________________
PROBLEM:       A vulnerability in the challenge authentication code of the
               Portable OpenSSH server, when using the SSHv1 protocol and
               Pluggable Authentication Modules (PAM), could permit a remote
               attacker to log in to the system as any user, including
               potentially root, without using a password.
PLATFORM:      OpenSSH 3.7.1p1 (portable)
DAMAGE:        A remote attacker could potentially log in to the system as
               any user, including root, using a null password.
SOLUTION:      Change the config file or apply upgrades. (Note--changing the
               config file fixes the CIAC N-158 CERT Portable OpenSSH server
               PAM conversion stack corruption.)
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. It is possible for an attacker to log in to
ASSESSMENT:    the system as any user, including potentially root, without
               using a password.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-157.shtml
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/602204
______________________________________________________________________________

*** END PGP VERIFIED MESSAGE ***

3: Portable OpenSSH server PAM Vulnerability

*** BEGIN PGP VERIFIED MESSAGE ***

__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

CERT: Portable OpenSSH server PAM Vulnerability
[Vulnerability Note VU#209807]

September 30, 2003 18:00 GMT                                      Number N-158
______________________________________________________________________________
PROBLEM:       A vulnerability in the Portable OpenSSH server that may
               corrupt the PAM conversion stack.
PLATFORM:      OpenSSH 3.7.1p1 (portable)
DAMAGE:        The complete impact of this vulnerability is not yet known,
               but may lead to privilege escalation, or a denial of service.
SOLUTION:      Change the config file or apply upgrades. (Note--changing the
               config file for CIAC N-157 CERT OpenSSH PAM challenge
               authentication failure, fixes this.)
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The complete impact of this vulnerability
ASSESSMENT:    is not yet known, but may lead to privilege escalation, or a
               denial of service.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-158.shtml
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/209807
______________________________________________________________________________

*** END PGP VERIFIED MESSAGE ***

4: Sendmail 8.12.9 Prescan Bug

*** BEGIN PGP VERIFIED MESSAGE ***

CIAC Bulletin N-149 has been updated to now include an additional link to the
SGI Security announcing they have released updated packages for IRIX 6.5.22
or patches 5325 and 5326.

__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Sendmail 8.12.9 Prescan Bug

September 17, 2003 17:00 GMT                                      Number N-149
[REVISED 22 Sept 2003]
[REVISED 23 Sept 2003]
[REVISED 26 Sept 2003]
[REVISED 30 Sept 2003]
______________________________________________________________________________
PROBLEM:       A buffer overflow has been discovered in Sendmail version
               8.12.9 that could be remotely exploited to give an intruder
               remote access to a system.
PLATFORM:      Sendmail 8.12.9 and earlier
               Hewlett Packard HP-UX B.11.00, B.11.04 (VVOX), B.11.11, B.11.22
               Mac OS X versions prior to 10.2.8
               IRIX 6.5.22 or patches 5325 and 5326
DAMAGE:        An intruder could get remote access to a system.
SOLUTION:      Install Sendmail 8.12.10 available from www.sendmail.org.
               Download and install appropriate files from Hewlett Packard
               and Apple.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. We have not seen an exploit for this
ASSESSMENT:    vulnerability. This vulnerability could be exploited to give
               an intruder root access to a system.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-149.shtml
 ORIGINAL BULLETIN:  http://www.sendmail.org/8.12.10.html
 ADDITIONAL LINKS:   Visit HEWLETT PACKARD Subscription Service for:
                     HPSBUX0309-281 (SSRT3631)

                     CERT Advisory CA-2003-25
                     http://www.cert.org/advisories/CA-2003-25.html

                     Apple Security Advisory - Mac OS X 10.2.8
                     (APPLE-SA-2003-09-22)
                     http://net-security.org/advisory.php?id=2546
                     http://docs.info.apple.com/article.html?artnum=61798

                     RedHat Advisory RHSA2003:283-09
                     https://rhn.redhat.com/errata/RHSA-2003-283.html

                     SGI Security Advisory 20030903-01-P
                     http://www.sgi.com/support/security/
______________________________________________________________________________

*** END PGP VERIFIED MESSAGE ***

----------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:

uniras@niscc.gov.uk

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts
----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of CIAC for the information
contained in this Briefing.
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the
vulnerability affects you, it may be prudent to retrieve the advisory from the
canonical site to ensure that you receive the most current information
concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and
opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors or
omissions contained within this briefing notice. In particular, they shall not
be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response Teams
(IRTs) in order to foster cooperation and coordination in incident prevention,
to prompt rapid reaction to incidents, and to promote information sharing
amongst its members and the community at large.
----------------------------------------------------------------------------------

*** END PGP VERIFIED MESSAGE ***