[SECWS] Bul - 1142 - 01/14/2004
The SECURITY WATCH APOGÉE-Communications
Edition of Wednesday, January 14 2004 All rights reserved
___________________________________________________________________________
SUMMARY OF THIS BULLETIN
------------------------
* ALERTS (7)
- MICROSOFT - Remote buffer overflow in ISA Server 2000
- CISCO - Improper handling of H.323 messages on Cisco IOS
- REALNETWORKS - Denial of service in Helix servers
- MICROSOFT - Buffer overflow in MDAC
- OPENBSD - Multiple vulnerabilities in 'isakmpd'
- SYMANTEC - Vulnerability in LiveUpdate component
- MICROSOFT - Vulnerability in Exchange Server 2003
* INFORMATION (2)
- H.323 - Additional information on the H.323 vulnerability
- LINUX DEBIAN - Patch for 'CVS'
* REISSUES OF ALERTS (4)
- CIAC - Reissue of the Cisco 47843 alert
- CIAC - Reissue of the Microsoft MS04-001 alert
- CIAC - Reissue of the Microsoft MS04-002 alert
- CIAC - Reissue of the Microsoft MS04-003 alert
___________________________________________________________________________
ALERTS
___________________________________________________________________________
* MICROSOFT - Remote buffer overflow in ISA Server 2000
A remotely exploitable buffer overflow allowing arbitrary code execution
affects ISA Server 2000.
- Date: January 13 2004
- Platform: Microsoft Internet Security and Acceleration Server 2000
Microsoft Small Business Server 2000 and 2003
- Severity: Critical
- Origin: Microsoft Firewall Service
H.323 filter
- Problem: Remotely exploitable buffer overflow
- Damage: Arbitrary code execution using elevated privileges
- CVE names: CAN-2003-0819
- Description: The H.323 filter in ISA Server 2000 is vulnerable to a buffer
overflow in the Microsoft Firewall Service. A malicious
user may send a malformed H.323 message to execute
arbitrary code with the privileges of the service.
- References: Microsoft [MS04-001] (816458)
http://www.microsoft.com/technet/security/Bulletin/MS04-001.asp
NISCC
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
- Solution: Apply the available patch.
http://www.microsoft.com/downloads/details.aspx?FamilyId=CBE42990-4156-4E1D-9ACB-4CD449D9599B&displaylang=en
As a workaround, disable the H.323 filter or block port
tcp/1720.
ISA Servers running in cache mode are not vulnerable, as the
Firewall Service is disabled by default in that mode.
___________________________________________________________________________
* CISCO - Improper handling of H.323 messages on Cisco IOS
Numerous devices, mainly based on Cisco IOS, are vulnerable to a denial of
service when processing H.323 messages.
- Date: January 13 2004
- Platform: Cisco IOS with H.323 support, which may include devices
configured for SIP (Session Initiation Protocol) or MGCP
(Media Gateway Control Protocol)
Cisco AS5xxx Series
Cisco CallManager versions 3.0 to 3.3
Cisco Conference Connection (CCC)
Cisco Internet Service Node (ISN)
Cisco BTS 10200 Softswitch
Cisco 7905 IP Phone H.323 version 1.00
Cisco ATA 18x Series with H.323/SIP ver. prior to 2.16.1
- Severity: High
- Origin: Cisco IOS version 11.3T and later
- Problem: Improper handling of H.323 messages
- Damage: Remote denial of service
- CVE names: CAN-2003-0819
- Description: Several Cisco products are vulnerable when processing H.323
messages, which are used notably by VoIP (Voice over IP)
and multimedia applications. A malicious user may repeatedly
send malformed H.323 messages, causing a denial of
service of the vulnerable device.
- References: Cisco [47843]
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml
NISCC
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
- Solution: Install a fixed version of Cisco IOS or the patch related
to the vulnerable device.
http://www.cisco.com/
- Our advice: This vulnerability was found using a test suite
developed by the University of Oulu, which also produced
demonstrations for the LDAPv3, SNMPv1 and SIP protocols.
___________________________________________________________________________
* REALNETWORKS - Denial of service in Helix servers
A vulnerability in the Helix servers can lead to a remote denial of
service.
- Date: January 12 2004
- Platform: Real Networks Helix Universal Mobile Server and Gateway 10
Real Networks Helix Universal Server and Gateway 9
- Severity: High
- Origin: Administration interface
- Problem: Improper handling of HTTP POST requests
- Damage: Denial of service
- CVE names: No CVE name assigned at the present time
- Description: A remote user with administrator access to the server can
trigger a denial of service by sending malformed
HTTP POST requests to the administrative port.
- References: Real Networks
http://www.service.real.com/help/faq/security/040112_dos/
- Solution: Apply the available patch.
Helix Universal Server 9 for Windows
http://docs.real.com/docs/040112_dos/9.0_win32/admi3260.dll
Helix Universal Server 9 for Solaris 2.8
http://docs.real.com/docs/040112_dos/9.0_sol28/adminfs.so.9.0
Helix Universal Server 9 for Solaris 2.7
http://docs.real.com/docs/040112_dos/9.0_sol27/adminfs.so.9.0
Helix Universal Server 9 for Linux
http://docs.real.com/docs/040112_dos/9.0_linux/adminfs.so.9.0
Helix Universal Server 9 for AIX
http://docs.real.com/docs/040112_dos/9.0_aix/adminfs.so.9.0
Helix Universal Server 9 for HP-UX
http://docs.real.com/docs/040112_dos/9.0_hp/adminfs.so.9.0
Helix Universal Server 9 for Tru64
http://docs.real.com/docs/040112_dos/9.0_compaq/adminfs.so.9.0
Helix Universal Server 9 for FreeBSD
http://docs.real.com/docs/040112_dos/9.0_freebsd/adminfs.so.9.0
Helix Universal Server 10 for Solaris 2.8
http://docs.real.com/docs/040112_dos/sol28/adminfs.so
Helix Universal Server 10 for Linux
http://docs.real.com/docs/040112_dos/linux/adminfs.so
___________________________________________________________________________
* MICROSOFT - Buffer overflow in MDAC
A buffer overflow in an MDAC component allows arbitrary code execution
with the privileges of the program running the vulnerable component.
- Date: January 13 2004
- Platform: Microsoft Data Access Components 2.5 (Windows 2000)
Microsoft Data Access Components 2.6 (SQL Server 2000)
Microsoft Data Access Components 2.7 (Windows XP)
Microsoft Data Access Components 2.8 (Windows Server 2003
and Windows Server 2003 64-Bit Edition)
- Severity: High
- Origin: Microsoft Data Access Components (MDAC)
- Problem: Buffer overflow
- Damage: Arbitrary code execution
- CVE names: CAN-2003-0903
- Description: Microsoft Data Access Components (MDAC) is a set of
components used to perform actions against a database.
One such action lists the SQL servers on the network by
sending a broadcast request. A flaw in an MDAC component
enables a malicious server to respond with a specially
crafted packet that causes a buffer overflow. It is then
possible to execute arbitrary code with the privileges of
the program that performed the request.
- References: Microsoft [MS04-003] (832483)
http://www.microsoft.com/technet/security/Bulletin/MS04-003.asp
- Solution: Install the patch available for MDAC versions
2.5, 2.6, 2.7 and 2.8.
http://www.microsoft.com/downloads/details.aspx?FamilyId=39472EE8-C14A-47B4-BFCC-87988E062D91&displaylang=en
or install the patch available for MDAC 2.8 for Windows
2003 Server 64-Bit Edition.
___________________________________________________________________________
* OPENBSD - Multiple vulnerabilities in 'isakmpd'
'isakmpd', an IKE key management daemon, is affected by multiple
vulnerabilities.
- Date: January 13 2004
- Platform: OpenBSD 3.4
- Severity: High
- Origin: 'isakmpd'
- Problem: Multiple vulnerabilities
- Damage: Deletion of arbitrary security associations
- CVE names: No CVE name assigned at the present time
- Description: Multiple vulnerabilities in 'isakmpd' can allow a user to
delete arbitrary security associations.
- References: OpenBSD 3.4 [009]
http://www.openbsd.org/errata.html#isakmpd
- Solution: Apply the available patch.
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/009_isakmpd.patch
___________________________________________________________________________
* SYMANTEC - Vulnerability in LiveUpdate component
A vulnerability in the LiveUpdate component, which is provided with several
Symantec products, can allow a local user to gain elevated privileges.
- Date: January 14 2004
- Platform: Symantec Windows LiveUpdate 1.70 through 1.90
Symantec Norton SystemWorks 2001 through 2004
Symantec Norton AntiVirus and Norton AntiVirus Pro 2001
through 2004
Symantec Norton Internet Security and Norton Internet
Security Pro 2001 through 2004
Symantec AntiVirus Handhelds 3.0
- Severity: Medium
- Origin: 'liveupdate' component
- Problem: Improper handling of the help interface
- Damage: Gain elevated privileges
- CVE names: CAN-2003-0994
- Description: During an interactive LiveUpdate session, a local user can
manipulate the LiveUpdate help interface to obtain a 'cmd.exe'
shell with 'SYSTEM' privileges.
- References: Symantec [SYM04-001]
http://www.sarc.com/avcenter/security/Content/2004.01.12.html
Secure Network Operations [SRT2004-01-09-1022]
http://www.secnetops.biz/research/advisories/SRT2004-01-09-1022.txt
- Solution: Install the latest version of LiveUpdate.
ftp://ftp.symantec.com/public/english_us_canada/liveupdate/lusetup.exe
___________________________________________________________________________
* MICROSOFT - Vulnerability in Exchange Server 2003
A vulnerability in Exchange Server 2003 allows HTTP connections to be reused,
giving access to the mailbox of another user.
- Date: January 13 2004
- Platform: Microsoft Exchange Server 2003
- Severity: Medium
- Origin: NTLM authentication
- Problem: HTTP connections can be reused
- Damage: Information disclosure
- CVE names: CAN-2003-0904
- Description: A vulnerability exists in the way HTTP connections are
reused when NTLM authentication is used in Outlook Web
Access (OWA). Under specific conditions, a user accessing
his mailbox via an Exchange Server 2003 and OWA may be
connected to the mailbox of another user. Kerberos
authentication, used by default, does not leave the server
vulnerable, but installing Windows SharePoint Services
(WSS) 2.0 on Windows Server 2003 may enable NTLM
authentication and thus expose the vulnerability.
- References: Microsoft [MS04-002] (832759)
http://www.microsoft.com/technet/security/Bulletin/MS04-002.asp
- Solution: Apply the available patch.
http://www.microsoft.com/downloads/details.aspx?FamilyId=9542F949-D09B-4199-A837-FBCFC0567676&displaylang=en
___________________________________________________________________________
INFORMATION
___________________________________________________________________________
* H.323 - Additional information on the H.323 vulnerability
Several vendors or organizations provide additional information about the
vulnerability affecting the handling of H.323 messages.
CERT [CA-2004-01]
http://www.cert.org/advisories/CA-2004-01.html
CERT [VU#749342]
http://www.kb.cert.org/vuls/id/749342
ISS X-Force [160]
http://xforce.iss.net/xforce/alerts/id/160
Some Avaya, Nortel Networks, RadVision and TandBerg products are also
vulnerable.
http://support.avaya.com/japple/css/japple?temp.documentID=158718&PAGE=avaya.css.CSSLvl1Detail
http://www.nortelnetworks.com/cs
http://www.radvision.com/NBU/Customer+Support.htm
University of Oulu
http://www.ee.oulu.fi/research/ouspg/protos/index.html
CAN-2003-0819
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
___________________________________________________________________________
* LINUX DEBIAN - Patch for 'CVS'
Debian has announced the availability of a patch for 'cvs' on Debian Linux
3.0 (woody), fixing a vulnerability which allows a remote user to
create files in an arbitrary manner.
http://security.debian.org/pool/updates/main/c/cvs/
CAN-2003-0977
Debian 'cvs' [DSA-422-1] (bulletin 1119 dated 12/10/2003)
http://www.debian.org/security/2004/dsa-422
___________________________________________________________________________
REISSUES OF ALERTS
___________________________________________________________________________
* CIAC - Reissue of the Cisco 47843 alert
CIAC has reissued, under the O-050 reference, the Cisco 47843 advisory
about a denial of service during the handling of H.323 messages.
CAN-2003-0819
CIAC 'H.323' [47843] (bulletin 1142 dated 01/14/2004)
http://ciac.llnl.gov/ciac/bulletins/o-050.shtml
___________________________________________________________________________
* CIAC - Reissue of the Microsoft MS04-001 alert
CIAC has reissued, under the O-051 reference, the Microsoft MS04-001 alert
discussing a buffer overflow affecting ISA Server 2000.
CAN-2003-0819
CIAC 'H.323' [MS04-001] (bulletin 1142 dated 01/14/2004)
http://ciac.llnl.gov/ciac/bulletins/o-051.shtml
___________________________________________________________________________
* CIAC - Reissue of the Microsoft MS04-002 alert
CIAC has reissued, under the O-052 reference, the Microsoft MS04-002 alert
about a vulnerability in Exchange Server 2003 allowing access to the mailbox
of another user.
CAN-2003-0904
CIAC 'exchange', 'ntlm' [MS04-002] (bulletin 1142 dated 01/14/2004)
http://ciac.llnl.gov/ciac/bulletins/o-052.shtml
___________________________________________________________________________
* CIAC - Reissue of the Microsoft MS04-003 alert
CIAC has reissued, under the O-053 reference, the Microsoft MS04-003 alert
about a buffer overflow in MDAC allowing execution of arbitrary code.
CAN-2003-0903
CIAC 'mdac' [MS04-003] (bulletin 1142 dated 01/14/2004)
http://ciac.llnl.gov/ciac/bulletins/o-053.shtml
___________________________________________________________________________
Yours sincerely,
The Security Watch Team
--
Security Watch Service
mailto:veille-sec@apogee-com.fr
APOGEE Communications
15, Avenue du Cap Horn
ZA de Courtaboeuf
91940 LES ULIS
Tel : + 33 1 69 85 56 47
Fax : + 33 1 69 85 56 48
Technical support : + 33 1 73 23 17 00
Note: Trademarks and products appearing in this bulletin are the property
of their respective owners.