Weekly Vulnerabilities Reports > June 18 to 24, 2001

Overview

51 new vulnerabilities were reported during this period, including 8 critical vulnerabilities and 19 high severity vulnerabilities. This weekly summary reports vulnerabilities in 61 products from 40 vendors including SUN, Cisco, Freebsd, HP, and Openbsd. Notable vulnerability categories include "Improper Input Validation".

  • 39 reported vulnerabilities are remotely exploitable.
  • 51 reported vulnerabilities are exploitable by an anonymous user.
  • SUN has the most reported vulnerabilities, with 5 reported vulnerabilities.
  • HP has the most reported critical vulnerabilities, with 2 reported vulnerabilities.


Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


8 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2001-06-23 CVE-2001-1162 Samba, HP Remote Arbitrary File Creation vulnerability in Samba

Directory traversal vulnerability in the %m macro in the smb.conf configuration file in Samba before 2.2.0a allows remote attackers to overwrite certain files via a ..

10.0
2001-06-21 CVE-2001-1078 Extremail Remote Format String vulnerability in eXtremail

Format string vulnerability in flog function of eXtremail 1.1.9 and earlier allows remote attackers to gain root privileges via format specifiers in the SMTP commands (1) HELO, (2) EHLO, (3) MAIL FROM, or (4) RCPT TO, and the POP3 commands (5) USER and (6) other commands that can be executed after POP3 authentication.

10.0
2001-06-19 CVE-2001-1080 IBM Unspecified vulnerability in IBM AIX 4.3/5.1

diagrpt in AIX 4.3.x and 5.1 uses the DIAGDATADIR environment variable to find and execute certain programs, which allows local users to gain privileges by modifying the variable to point to a Trojan horse program.

10.0
2001-06-18 CVE-2001-0414 Dave Mills Remote Buffer Overflow vulnerability in Dave Mills Ntpd and Xntp3

Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.

10.0
2001-06-18 CVE-2001-0372 Akopia Unspecified vulnerability in Akopia Interchange 4.5.3

Akopia Interchange 4.5.3 through 4.6.3 installs demo stores with a default group account :backup with no password, which allows a remote attacker to gain administrative access via the demo stores (1) barry, (2) basic, or (3) construct.

10.0
2001-06-18 CVE-2001-0249 SUN Heap Overflow vulnerability in Solaris ftpd glob() Expansion LIST

Heap overflow in FTP daemon in Solaris 8 allows remote attackers to execute arbitrary commands by creating a long pathname and calling the LIST command, which uses glob to generate long strings.

10.0
2001-06-18 CVE-2001-0248 HP Buffer Overflow vulnerability in HP HP-UX

Buffer overflow in FTP server in HPUX 11 allows remote attackers to execute arbitrary commands by creating a long pathname and calling the STAT command, which uses glob to generate long strings.

10.0
2001-06-18 CVE-2001-0247 MIT, SGI, Freebsd, Netbsd, Openbsd Buffer Overflow vulnerability in Multiple Vendor BSD ftpd glob()

Buffer overflows in BSD-based FTP servers allow remote attackers to execute arbitrary commands via a long pattern string containing a {} sequence, as seen in (1) g_opendir, (2) g_lstat, (3) g_stat, and (4) the glob0 buffer as used in the glob functions glob2 and glob3.

10.0

19 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2001-06-22 CVE-2001-1328 SUN Unspecified vulnerability in SUN Sunos

Buffer overflow in ypbind daemon in Solaris 5.4 through 8 allows remote attackers to execute arbitrary code.

7.5
2001-06-19 CVE-2001-1459 Openbsd Unspecified vulnerability in Openbsd Openssh

OpenSSH 2.9 and earlier does not initiate a Pluggable Authentication Module (PAM) session if commands are executed with no pty, which allows local users to bypass resource limits (rlimits) set in pam.d.

7.5
2001-06-18 CVE-2001-1160 Microburst Remote Command Execution vulnerability in Microburst Udirectory 2.0

udirectory.pl in Microburst Technologies uDirectory 2.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the category_file field.

7.5
2001-06-18 CVE-2001-0483 Symantec Unspecified vulnerability in Symantec Raptor Firewall 6.5

Configuration error in Axent Raptor Firewall 6.5 allows remote attackers to use the firewall as a proxy to access internal web resources when the http.noproxy Rule is not set.

7.5
2001-06-18 CVE-2001-0447 Software602 Denial of Service vulnerability in Software602 602Pro LAN Suite 2000A2000.0.1.34

Web configuration server in 602Pro LAN SUITE allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long HTTP request containing "%2e" (dot dot) characters.

7.5
2001-06-18 CVE-2001-0433 Michael Lamont Denial-Of-Service vulnerability in Michael Lamont Savant Webserver 3.0

Buffer overflow in Savant 3.0 web server allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long Host HTTP header.

7.5
2001-06-18 CVE-2001-0410 Trend Micro Denial-Of-Service vulnerability in Trend Micro Virus Buster 2001 8.02

Buffer overflow in Trend Micro Virus Buster 2001 8.02 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long "From" header.

7.5
2001-06-18 CVE-2001-0402 Darren Reed, Freebsd, Openbsd

IPFilter 3.4.16 and earlier does not include sufficient session information in its cache, which allows remote attackers to bypass access restrictions by sending fragmented packets to a restricted port after sending unfragmented packets to an unrestricted port.

7.5
2001-06-18 CVE-2001-0398 Ritlabs Unspecified vulnerability in Ritlabs the BAT

The BAT! mail client allows remote attackers to bypass user warnings of an executable attachment and execute arbitrary commands via an attachment whose file name contains many spaces, which also causes the BAT! to misrepresent the attachment's type with a different icon.

7.5
2001-06-18 CVE-2001-0397 Silent Runner Denial-Of-Service vulnerability in Silent Runner Silent Runner Collector SRC 1.6.1

Buffer overflow in Silent Runner Collector (SRC) 1.6.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long SMTP HELO command.

7.5
2001-06-18 CVE-2001-0382 Broadcom Unspecified vulnerability in Broadcom CCC Harvest 5.0

Computer Associates CCC\Harvest 5.0 for Windows NT/2000 uses weak encryption for passwords, which allows a remote attacker to gain privileges on the application.

7.5
2001-06-18 CVE-2001-0376 Sonicwall Remote Security vulnerability in Tele2

SonicWALL Tele2 and SOHO firewalls with 6.0.0.0 firmware using IPSEC with IKE pre-shared keys do not allow for the use of full 128 byte IKE pre-shared keys, which is the intended design of the IKE pre-shared key, and only support 48 byte keys.

7.5
2001-06-18 CVE-2001-0374 Compaq Security Bypass vulnerability in Web-Enabled Management

The HTTP server in Compaq web-enabled management software for (1) Foundation Agents, (2) Survey, (3) Power Manager, (4) Availability Agents, (5) Intelligent Cluster Administrator, and (6) Insight Manager can be used as a generic proxy server, which allows remote attackers to bypass access restrictions via the management port, 2301.

7.5
2001-06-18 CVE-2001-0263 Gene6 Unspecified vulnerability in Gene6 G6 FTP Server 2.0

Gene6 G6 FTP Server 2.0 (aka BPFTP Server 2.10) allows attackers to read file attributes outside of the web root via the (1) SIZE and (2) MDTM commands when the "show relative paths" option is not enabled.

7.5
2001-06-18 CVE-2001-0482 Argus Systems Denial-Of-Service vulnerability in Pitbull Lx

Configuration error in Argus PitBull LX allows root users to bypass specified access control restrictions and cause a denial of service or execute arbitrary commands by modifying kernel variables such as MaxFiles, MaxInodes, and ModProbePath in /proc/sys via calls to sysctl.

7.2
2001-06-18 CVE-2001-0412 Cisco Unspecified vulnerability in Cisco products

Cisco Content Services (CSS) switch products 11800 and earlier, aka Arrowpoint, allow local users to gain privileges by entering debug mode.

7.2
2001-06-18 CVE-2001-0403 SUN Local Security vulnerability in SUN Sunos 5.0

/opt/JSparm/bin/perfmon program in Solaris allows local users to create arbitrary files as root via the Logging File option in the GUI.

7.2
2001-06-18 CVE-2001-0401 SUN Buffer Overflow vulnerability in SUN Solaris and Sunos

Buffer overflow in tip in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environment variable.

7.2
2001-06-18 CVE-2001-0427 Cisco Improper Input Validation vulnerability in Cisco products

Cisco VPN 3000 series concentrators before 2.5.2(F) allow remote attackers to cause a denial of service via a flood of invalid login requests to (1) the SSL service, or (2) the telnet service, which do not properly disconnect the user after several failed login attempts.

7.1

20 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2001-06-18 CVE-2001-0380 Crosscom Olicom Remote Security vulnerability in Xlt-F

Crosscom/Olicom XLT-F running XL 80 IM Version 5.5 Build Level 2 allows a remote attacker SNMP read and write access via a default, undocumented community string 'ILMI'.

6.4
2001-06-22 CVE-2001-0906 Tetex Unspecified vulnerability in Tetex

teTeX filter before 1.0.7 allows local users to gain privileges via a symlink attack on temporary files that are produced when printing .dvi files using lpr.

6.2
2001-06-18 CVE-2001-0371 Freebsd Unspecified vulnerability in Freebsd

Race condition in the UFS and EXT2FS file systems in FreeBSD 4.2 and earlier, and possibly other operating systems, makes deleted data available to user processes before it is zeroed out, which allows a local user to access otherwise restricted information.

6.2
2001-06-18 CVE-2001-0408 VIM Development Group Unspecified vulnerability in VIM Development Group VIM 5.7

vim (aka gvim) processes VIM control codes that are embedded in a file, which could allow attackers to execute arbitrary commands when another user opens a file containing malicious VIM control codes.

5.1
2001-06-18 CVE-2001-0466 Microburst Directory Traversal vulnerability in Microburst Ustorekeeper Online Shopping System 1.61

Directory traversal vulnerability in ustorekeeper 1.61 allows remote attackers to read arbitrary files via a ..

5.0
2001-06-18 CVE-2001-0448 Software602 Denial-Of-Service vulnerability in 602Pro Lan Suite

Web configuration server in 602Pro LAN SUITE allows remote attackers to cause a denial of service via an HTTP GET request to the aux directory, and possibly other directories with legacy DOS device names.

5.0
2001-06-18 CVE-2001-0446 IBM Remote Security vulnerability in IBM Websphere Commerce Suite 4.0.1

IBM WCS (WebSphere Commerce Suite) 4.0.1 with Application Server 3.0.2 allows remote attackers to read source code for .jsp files by appending a / to the requested URL.

5.0
2001-06-18 CVE-2001-0420 WAY TO THE WEB Directory Traversal vulnerability in WAY TO the web Talkback 1.1

Directory traversal vulnerability in talkback.cgi program allows remote attackers to read arbitrary files via a ..

5.0
2001-06-18 CVE-2001-0413 Bintec Unspecified vulnerability in Bintec X1000, X1200 and X4000

BinTec X4000 Access router, and possibly other versions, allows remote attackers to cause a denial of service via a SYN port scan, which causes the router to hang.

5.0
2001-06-18 CVE-2001-0411 Siemens Denial-Of-Service vulnerability in Siemens Reliant Unix 5.44

Reliant Unix 5.44 and earlier allows remote attackers to cause a denial of service via an ICMP port unreachable packet, which causes Reliant to drop all connections to the source address of the packet.

5.0
2001-06-18 CVE-2001-0404 SUN Directory Traversal vulnerability in SUN Javaserver web DEV KIT 1.0.1

Directory traversal vulnerability in JavaServer Web Dev Kit (JSWDK) 1.0.1 allows remote attackers to read arbitrary files via a ..

5.0
2001-06-18 CVE-2001-0399 Caucho Technology Unspecified vulnerability in Caucho Technology Resin 1.2/1.3

Caucho Resin 1.3b1 and earlier allows remote attackers to read source code for Javabean files by inserting a .jsp before the WEB-INF specifier in an HTTP request.

5.0
2001-06-18 CVE-2001-0393 Navision Denial-Of-Service vulnerability in Navision Financials Server 2.0

Navision Financials Server 2.0 allows remote attackers to cause a denial of service via a series of connections to the server without providing a username/password combination, which consumes the license limits.

5.0
2001-06-18 CVE-2001-0392 Navision Unspecified vulnerability in Navision Financials Server 2.50

Navision Financials Server 2.60 and earlier allows remote attackers to cause a denial of service by sending a null character and a long string to the server port (2407), which causes the server to crash.

5.0
2001-06-18 CVE-2001-0383 Francisco Burzi Remote Ad Banner URL Change vulnerability in PHP Nuke

banners.php in PHP-Nuke 4.4 and earlier allows remote attackers to modify banner ad URLs by directly calling the Change operation, which does not require authentication.

5.0
2001-06-18 CVE-2001-0377 Infradig Unspecified vulnerability in Infradig Inframail

Infradig Inframail prior to 3.98a allows a remote attacker to cause a denial of service via a malformed POST request which includes a space followed by a large string.

5.0
2001-06-18 CVE-2001-0375 Cisco Denial of Service vulnerability in Cisco PIX Firewall 515 and PIX Firewall 520

Cisco PIX Firewall 515 and 520 with 5.1.4 OS running aaa authentication to a TACACS+ server allows remote attackers to cause a denial of service via a large number of authentication requests.

5.0
2001-06-18 CVE-2001-0264 Gene6 Unspecified vulnerability in Gene6 G6 FTP Server 2.0

Gene6 G6 FTP Server 2.0 (aka BPFTP Server 2.10) allows remote attackers to obtain NETBIOS credentials by requesting information on a file that is in a network share, which causes the server to send the credentials to the host that owns the share, and allows the attacker to sniff the connection.

5.0
2001-06-18 CVE-2001-0465 Intuit Information Disclosure vulnerability in Turbo Tax

TurboTax saves passwords in a temporary file when a user imports investment tax information from a financial institution, which could allow local users to obtain sensitive information.

4.6
2001-06-18 CVE-2001-0379 HP Local Security vulnerability in HP Hp-Ux 11.11

Vulnerability in the newgrp program included with HP9000 servers running HP-UX 11.11 allows a local attacker to obtain higher access rights.

4.6

4 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2001-06-18 CVE-2001-0409 VIM Development Group Unspecified vulnerability in VIM Development Group VIM 5.7

vim (aka gvim) allows local users to modify files being edited by other users via a symlink attack on the backup and swap files, when the victim is editing the file in a world writable directory.

2.1
2001-06-18 CVE-2001-0373 Microsoft Unspecified vulnerability in Microsoft Windows 2000 and Windows NT

The default configuration of the Dr.

2.1
2001-06-18 CVE-2001-0265 PGP Unspecified vulnerability in PGP 5

ASCII Armor parser in Windows PGP 7.0.3 and earlier allows attackers to create files in arbitrary locations via a malformed ASCII armored file.

2.1
2001-06-21 CVE-2001-1276 Itcorp Unspecified vulnerability in Itcorp Ispell

ispell before 3.1.20 allows local users to overwrite files of other users via a symlink attack on a temporary file.

1.2