
[SECWS] Bul - 1142 - 01/14/2004


The SECURITY WATCH                                    APOGÉE-Communications
Edition of Wednesday, January 14 2004                   All rights reserved
___________________________________________________________________________

 SUMMARY OF THIS BULLETIN
 ------------------------

* ALERTS (7)
 - MICROSOFT      - Remote buffer overflow in ISA Server 2000
 - CISCO          - Improper handling of H.323 messages on Cisco IOS
 - REALNETWORKS   - Denial of service in Helix servers
 - MICROSOFT      - Buffer overflow in MDAC
 - OPENBSD        - Multiple vulnerabilities in 'isakmpd'
 - SYMANTEC       - Vulnerability in LiveUpdate component
 - MICROSOFT      - Vulnerability in Exchange Server 2003

* INFORMATION (2)
 - H.323          - Additional information on the H.323 vulnerability
 - LINUX DEBIAN   - Patch for 'CVS'

* REISSUES OF ALERTS (4)
 - CIAC           - Reissue of the Cisco 47843 alert
 - CIAC           - Reissue of the Microsoft MS04-001 alert
 - CIAC           - Reissue of the Microsoft MS04-002 alert
 - CIAC           - Reissue of the Microsoft MS04-003 alert
___________________________________________________________________________

ALERTS
___________________________________________________________________________

* MICROSOFT      - Remote buffer overflow in ISA Server 2000

A remotely exploitable buffer overflow allowing arbitrary code execution
affects ISA Server 2000.

 - Date:        January 13 2004
 - Platform:    Microsoft Internet Security and Acceleration Server 2000
                Microsoft Small Business Server 2000 and 2003
 - Severity:    Critical
 - Origin:      Microsoft Firewall Service
                H.323 filter
 - Problem:     Remotely exploitable buffer overflow
 - Damage:      Arbitrary code execution using elevated privileges
 - CVE names:   CAN-2003-0819
 - Description: The H.323 filter in ISA Server 2000 is vulnerable to a
                buffer overflow in the Microsoft Firewall Service. A
                malicious user may send a malformed H.323 message to
                execute arbitrary code with the privileges of the service.
 - References:  Microsoft [MS04-001] (816458)
                 http://www.microsoft.com/technet/security/Bulletin/MS04-001.asp
                NISCC
                 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
 - Solution:    Apply the available patch.
                 http://www.microsoft.com/downloads/details.aspx?FamilyId=CBE42990-4156-4E1D-9ACB-4CD449D9599B&displaylang=en
                As a workaround, disable the H.323 filter or block port
                tcp/1720.
                ISA Servers running in cache mode are not vulnerable as the
                Firewall Service is disabled by default.
___________________________________________________________________________

* CISCO          - Improper handling of H.323 messages on Cisco IOS

Numerous devices, mainly based on Cisco IOS, are vulnerable to a denial of
service when processing H.323 messages.

 - Date:        January 13 2004
 - Platform:    Cisco IOS with H.323 support, which may include devices
                configured for SIP (Session Initiation Protocol) or MGCP
                (Media Gateway Control Protocol)
                Cisco AS5xxx Series
                Cisco CallManager versions 3.0 to 3.3
                Cisco Conference Connection (CCC)
                Cisco Internet Service Node (ISN)
                Cisco BTS 10200 Softswitch
                Cisco 7905 IP Phone H.323 version 1.00
                Cisco ATA 18x Series with H.323/SIP ver. prior to 2.16.1
 - Severity:    High
 - Origin:      Cisco IOS version 11.3T and later
 - Problem:     Improper handling of H.323 messages
 - Damage:      Remote denial of service
 - CVE names:   CAN-2003-0819
 - Description: Several Cisco products are vulnerable when processing H.323
                messages, which are mainly used by VoIP (Voice over IP) and
                multimedia applications. A malicious user may repeatedly
                send malformed H.323 messages, causing a denial of service
                on the vulnerable device.
 - References:  Cisco [47843]
                 http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml
                NISCC
                 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
 - Solution:    Install a fixed version of Cisco IOS or the patch related
                to the vulnerable device.
                 http://www.cisco.com/
 - Our advice:  This vulnerability was found using a test suite developed
                by the University of Oulu, which has also demonstrated
                similar flaws in the LDAPv3, SNMPv1 and SIP protocols.
___________________________________________________________________________

* REALNETWORKS   - Denial of service in Helix servers

A vulnerability in the Helix servers can lead to a remote denial of
service.

 - Date:        January 12 2004
 - Platform:    Real Networks Helix Universal Mobile Server and Gateway 10
                Real Networks Helix Universal Server and Gateway 9
 - Severity:    High
 - Origin:      Administration interface
 - Problem:     Improper handling of HTTP POST requests
 - Damage:      Denial of service
 - CVE names:   No CVE name assigned at the present time
 - Description: A remote user with administrator access to the server can
                trigger a denial of service by sending malformed HTTP POST
                requests to the administrative port.
 - References:  Real Networks
                 http://www.service.real.com/help/faq/security/040112_dos/
 - Solution:    Apply the available patch.
                Helix Universal Server 9 for Windows
                 http://docs.real.com/docs/040112_dos/9.0_win32/admi3260.dll
                Helix Universal Server 9 for Solaris 2.8
                 http://docs.real.com/docs/040112_dos/9.0_sol28/adminfs.so.9.0
                Helix Universal Server 9 for Solaris 2.7
                 http://docs.real.com/docs/040112_dos/9.0_sol27/adminfs.so.9.0
                Helix Universal Server 9 for Linux
                 http://docs.real.com/docs/040112_dos/9.0_linux/adminfs.so.9.0
                Helix Universal Server 9 for AIX
                 http://docs.real.com/docs/040112_dos/9.0_aix/adminfs.so.9.0
                Helix Universal Server 9 for HP-UX
                 http://docs.real.com/docs/040112_dos/9.0_hp/adminfs.so.9.0
                Helix Universal Server 9 for Tru64
                 http://docs.real.com/docs/040112_dos/9.0_compaq/adminfs.so.9.0
                Helix Universal Server 9 for FreeBSD
                 http://docs.real.com/docs/040112_dos/9.0_freebsd/adminfs.so.9.0
                Helix Universal Server 10 for Solaris 2.8
                 http://docs.real.com/docs/040112_dos/sol28/adminfs.so
                Helix Universal Server 10 for Linux
                 http://docs.real.com/docs/040112_dos/linux/adminfs.so
___________________________________________________________________________

* MICROSOFT      - Buffer overflow in MDAC

A buffer overflow in an MDAC component allows arbitrary code execution with
the privileges of the program running the vulnerable component.

 - Date:        January 13 2004
 - Platform:    Microsoft Data Access Components 2.5 (Windows 2000)
                Microsoft Data Access Components 2.6 (SQL Server 2000)
                Microsoft Data Access Components 2.7 (Windows XP)
                Microsoft Data Access Components 2.8 (Windows Server 2003
                and Windows Server 2003 64-Bit Edition)
 - Severity:    High
 - Origin:      Microsoft Data Access Components (MDAC)
 - Problem:     Buffer overflow
 - Damage:      Arbitrary code execution
 - CVE names:   CAN-2003-0903
 - Description: Microsoft Data Access Components (MDAC) is a set of
                components used to perform actions against a database.
                One of these actions lists the SQL servers on the network
                by sending a broadcast request. A flaw in an MDAC component
                enables a malicious server to respond with a specially
                crafted packet that causes a buffer overflow, making it
                possible to execute arbitrary code with the privileges of
                the program that performed the request.
 - References:  Microsoft [MS04-003] (832483)
                 http://www.microsoft.com/technet/security/Bulletin/MS04-003.asp
 - Solution:    Install the patch available for MDAC versions 2.5, 2.6,
                2.7 and 2.8.
                 http://www.microsoft.com/downloads/details.aspx?FamilyId=39472EE8-C14A-47B4-BFCC-87988E062D91&displaylang=en
                or install the patch available for MDAC 2.8 on Windows
                Server 2003 64-Bit Edition.
___________________________________________________________________________

* OPENBSD        - Multiple vulnerabilities in 'isakmpd'

'isakmpd', an IKE key management daemon, is affected by multiple
vulnerabilities.

 - Date:        January 13 2004
 - Platform:    OpenBSD 3.4
 - Severity:    High
 - Origin:      'isakmpd'
 - Problem:     Multiple vulnerabilities
 - Damage:      Deletion of arbitrary security associations
 - CVE names:   No CVE name assigned at the present time
 - Description: Multiple vulnerabilities in 'isakmpd' can allow a user to
                delete arbitrary security associations.
 - References:  OpenBSD 3.4 [009]
                 http://www.openbsd.org/errata.html#isakmpd
 - Solution:    Apply the available patch.
                 ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/009_isakmpd.patch
___________________________________________________________________________

* SYMANTEC       - Vulnerability in LiveUpdate component

A vulnerability in the LiveUpdate component, which is shipped with several
Symantec products, can allow a local user to gain elevated privileges.

 - Date:        January 14 2004
 - Platform:    Symantec Windows LiveUpdate 1.70 through 1.90
                Symantec Norton SystemWorks 2001 through 2004
                Symantec Norton AntiVirus and Norton AntiVirus Pro 2001
                through 2004
                Symantec Norton Internet Security and Norton Internet
                Security Pro 2001 through 2004
                Symantec AntiVirus Handhelds 3.0
 - Severity:    Medium
 - Origin:      'liveupdate' component
 - Problem:     Improper handling of the help interface
 - Damage:      Gain elevated privileges
 - CVE names:   CAN-2003-0994
 - Description: During an interactive LiveUpdate session, a local user can
                manipulate the LiveUpdate help interface to obtain a
                'cmd.exe' shell with 'SYSTEM' privileges.
 - References:  Symantec [SYM04-001]
                 http://www.sarc.com/avcenter/security/Content/2004.01.12.html
                Secure Network Operations [SRT2004-01-09-1022]
                 http://www.secnetops.biz/research/advisories/SRT2004-01-09-1022.txt
 - Solution:    Install the latest version of LiveUpdate.
                 ftp://ftp.symantec.com/public/english_us_canada/liveupdate/lusetup.exe
___________________________________________________________________________

* MICROSOFT      - Vulnerability in Exchange Server 2003

A vulnerability in Exchange Server 2003 allows HTTP connections to be
reused, giving access to the mailbox of another user.

 - Date:        January 13 2004
 - Platform:    Microsoft Exchange Server 2003
 - Severity:    Medium
 - Origin:      NTLM authentication
 - Problem:     HTTP connections can be reused
 - Damage:      Information disclosure
 - CVE names:   CAN-2003-0904
 - Description: A vulnerability exists in the way HTTP connections are
                reused when NTLM authentication is used in Outlook Web
                Access (OWA). Under specific conditions, a user accessing
                his mailbox via Exchange Server 2003 and OWA may be
                connected to the mailbox of another user. Kerberos
                authentication, used by default, does not make the server
                vulnerable, but installing Windows SharePoint Services
                (WSS) 2.0 on Windows Server 2003 may enable NTLM
                authentication and thereby expose the vulnerability.
 - References:  Microsoft [MS04-002] (832759)
                 http://www.microsoft.com/technet/security/Bulletin/MS04-002.asp
 - Solution:    Apply the available patch.
                 http://www.microsoft.com/downloads/details.aspx?FamilyId=9542F949-D09B-4199-A837-FBCFC0567676&displaylang=en
___________________________________________________________________________

INFORMATION
___________________________________________________________________________

* H.323          - Additional information on the H.323 vulnerability

Several vendors or organizations provide additional information about the
vulnerability affecting the handling of H.323 messages.
CERT [CA-2004-01]
 http://www.cert.org/advisories/CA-2004-01.html
CERT [VU#749342]
 http://www.kb.cert.org/vuls/id/749342
ISS X-Force [160]
 http://xforce.iss.net/xforce/alerts/id/160
Some Avaya, Nortel Networks, RadVision and TandBerg products are also
vulnerable.
 http://support.avaya.com/japple/css/japple?temp.documentID=158718&PAGE=avaya.css.CSSLvl1Detail
 http://www.nortelnetworks.com/cs
 http://www.radvision.com/NBU/Customer+Support.htm
University of Oulu
 http://www.ee.oulu.fi/research/ouspg/protos/index.html
CAN-2003-0819

http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
___________________________________________________________________________

* LINUX DEBIAN   - Patch for 'CVS'

Debian has announced the availability of a patch for 'cvs' on Debian Linux
3.0 (woody), fixing a vulnerability which allows a remote user to create
files arbitrarily.
 http://security.debian.org/pool/updates/main/c/cvs/
CAN-2003-0977
Debian 'cvs' [DSA-422-1] (bulletin 1119 dated 12/10/2003)

http://www.debian.org/security/2004/dsa-422
___________________________________________________________________________

REISSUES OF ALERTS
___________________________________________________________________________

* CIAC           - Reissue of the Cisco 47843 alert

CIAC has reissued, under the O-050 reference, the Cisco 47843 advisory
about a denial of service during the handling of H.323 messages.
CAN-2003-0819
CIAC 'H.323' [47843] (bulletin 1142 dated 01/14/2004)

http://ciac.llnl.gov/ciac/bulletins/o-050.shtml
___________________________________________________________________________

* CIAC           - Reissue of the Microsoft MS04-001 alert

CIAC has reissued, under the O-051 reference, the Microsoft MS04-001 alert
discussing a buffer overflow affecting ISA Server 2000.
CAN-2003-0819
CIAC 'H.323' [MS04-001] (bulletin 1142 dated 01/14/2004)

http://ciac.llnl.gov/ciac/bulletins/o-051.shtml
___________________________________________________________________________

* CIAC           - Reissue of the Microsoft MS04-002 alert

CIAC has reissued, under the O-052 reference, the Microsoft MS04-002 alert
about a vulnerability in Exchange Server 2003 allowing access to the
mailbox of another user.
CAN-2003-0904
CIAC 'exchange', 'ntlm' [MS04-002] (bulletin 1142 dated 01/14/2004)

http://ciac.llnl.gov/ciac/bulletins/o-052.shtml
___________________________________________________________________________

* CIAC           - Reissue of the Microsoft MS04-003 alert

CIAC has reissued, under the O-053 reference, the Microsoft MS04-003 alert
about a buffer overflow in MDAC allowing execution of arbitrary code.
CAN-2003-0903
CIAC 'mdac' [MS04-003] (bulletin 1142 dated 01/14/2004)

http://ciac.llnl.gov/ciac/bulletins/o-053.shtml
___________________________________________________________________________

Yours sincerely,

The Security Watch Team

--
Security Watch Service
mailto:veille-sec@apogee-com.fr
APOGEE Communications
15, Avenue du Cap Horn
ZA de Courtaboeuf 
91940 LES ULIS
Tel : + 33 1 69 85 56 47
Fax : + 33 1 69 85 56 48

Technical support : + 33 1 73 23 17 00

Note: Trademarks and products appearing in this bulletin are the property
      of their respective owners.