Weekly Vulnerabilities Reports > October 28 to November 3, 2002

Overview

34 new vulnerabilities reported during this period, including 4 critical vulnerabilities and 16 high severity vulnerabilities. This weekly summary report vulnerabilities in 43 products from 26 vendors including Microsoft, Mozilla, SUN, Cisco, and IBM. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Resource Management Errors", and "Permissions, Privileges, and Access Controls".

  • 31 reported vulnerabilities are remotely exploitables.
  • 34 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 4 reported vulnerabilities.
  • KTH has the most reported critical vulnerabilities, with 2 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

4 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-10-28 CVE-2002-1226 KTH Unspecified vulnerability in KTH Heimdal

Unknown vulnerabilities in Heimdal before 0.5 with unknown impact, possibly in the (1) kadmind and (2) kdc servers, may allow remote or local attackers to gain root or other access, but not via buffer overflows (CVE-2002-1225).

10.0
2002-10-28 CVE-2002-1225 KTH Unspecified vulnerability in KTH Heimdal

Multiple buffer overflows in Heimdal before 0.5, possibly in both the (1) kadmind and (2) kdc servers, may allow remote attackers to gain root access.

10.0
2002-10-28 CVE-2002-1215 Linux HA Remote Buffer Overflow vulnerability in Linux-Ha Heartbeat 0.4.9

Multiple format string vulnerabilities in heartbeat 0.4.9 and earlier (claimed as buffer overflows in some sources) allow remote attackers to execute arbitrary code via certain packets to UDP port 694 (incorrectly claimed as TCP in some sources).

10.0
2002-10-28 CVE-2002-1145 Microsoft Privilege Escalation vulnerability in Microsoft Data Engine and SQL Server

The xp_runwebtask stored procedure in the Web Tasks component of Microsoft SQL Server 7.0 and 2000, Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE) 2000 can be executed by PUBLIC, which allows an attacker to gain privileges by updating a webtask that is owned by the database owner through the msdb.dbo.mswebtasks table, which does not have strong permissions.

10.0

16 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-10-28 CVE-2002-1229 Avaya Unspecified vulnerability in Avaya products

Avaya Cajun switches P880, P882, P580, and P550R 5.2.14 and earlier contain undocumented accounts (1) manuf and (2) diag with default passwords, which allows remote attackers to gain privileges.

7.5
2002-10-28 CVE-2002-1227 PAM Authentication Bypass vulnerability in PAM 0.76

PAM 0.76 treats a disabled password as if it were an empty (null) password, which allows local and remote attackers to gain privileges as disabled users.

7.5
2002-10-28 CVE-2002-1223 KDE Denial-Of-Service vulnerability in KDE 1.1/3.0.3A

Buffer overflow in DSC 3.0 parser from GSview, as used in KGhostView in KDE 1.1 and KDE 3.0.3a, may allow attackers to cause a denial of service or execute arbitrary code via a modified .ps (PostScript) input file.

7.5
2002-10-28 CVE-2002-1217 Microsoft Unspecified vulnerability in Microsoft Internet Explorer 5.5/6.0

Cross-Frame scripting vulnerability in the WebBrowser control as used in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code, read arbitrary files, or conduct other unauthorized activities via script that accesses the Document property, which bypasses <frame> and <iframe> domain restrictions.

7.5
2002-10-28 CVE-2002-1214 Microsoft Buffer Overflow vulnerability in Microsoft products

Buffer overflow in Microsoft PPTP Service on Windows XP and Windows 2000 allows remote attackers to cause a denial of service (hang) and possibly execute arbitrary code via a certain PPTP packet with malformed control data.

7.5
2002-10-28 CVE-2002-1202 Compaq Remote Route Daemon vulnerability in HP Tru64 Unspecifed

Unknown vulnerability in routed for HP Tru64 UNIX V4.0F through V5.1A allows local and remote attackers to read arbitrary files.

7.5
2002-10-28 CVE-2002-1200 Oneidentity Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Oneidentity Syslog-Ng

Balabit Syslog-NG 1.4.x before 1.4.15, and 1.5.x before 1.5.20, when using template filenames or output, does not properly track the size of a buffer when constant characters are encountered during macro expansion, which allows remote attackers to cause a denial of service and possibly execute arbitrary code.

7.5
2002-10-28 CVE-2002-1198 Mozilla SQL Injection vulnerability in Bugzilla Account Creation

Bugzilla 2.16.x before 2.16.1 does not properly filter apostrophes from an email address during account creation, which allows remote attackers to execute arbitrary SQL via a SQL injection attack.

7.5
2002-10-28 CVE-2002-1197 Mozilla Unspecified vulnerability in Mozilla Bugzilla

bugzilla_email_append.pl in Bugzilla 2.14.x before 2.14.4, and 2.16.x before 2.16.1, allows remote attackers to execute arbitrary code via shell metacharacters in a system call to processmail.

7.5
2002-10-28 CVE-2002-1196 Mozilla Unspecified vulnerability in Mozilla Bugzilla

editproducts.cgi in Bugzilla 2.14.x before 2.14.4, and 2.16.x before 2.16.1, when the "usebuggroups" feature is enabled and more than 47 groups are specified, does not properly calculate bit values for large numbers, which grants extra permissions to users via known features of Perl math that set multiple bits.

7.5
2002-10-28 CVE-2002-1194 Netbsd Buffer Overflow vulnerability in NetBSD talkd

Buffer overflow in talkd on NetBSD 1.6 and earlier, and possibly other operating systems, may allow remote attackers to execute arbitrary code via a long inbound message.

7.5
2002-10-28 CVE-2002-1190 Cisco Remote Security vulnerability in Unity Server

Cisco Unity 2.x and 3.x uses well-known default user accounts, which could allow remote attackers to gain access and place arbitrary calls.

7.5
2002-10-28 CVE-2002-1179 Microsoft Buffer Overflow vulnerability in Microsoft Outlook Express S/MIME

Buffer overflow in the S/MIME Parsing capability in Microsoft Outlook Express 5.5 and 6.0 allows remote attackers to execute arbitrary code via a digitally signed email with a long "From" address, which triggers the overflow when the user views or previews the message.

7.5
2002-10-28 CVE-2002-0836 HP
Mandrakesoft
Redhat
dvips converter for Postscript files in the tetex package calls the system() function insecurely, which allows remote attackers to execute arbitrary commands via certain print jobs, possibly involving fonts.
7.5
2002-10-29 CVE-2002-1590 SUN Permissions, Privileges, and Access Controls vulnerability in SUN Solaris and Sunos

The Web-Based Enterprise Management (WBEM) packages (1) SUNWwbdoc, (2) SUNWwbcou, (3) SUNWwbdev and (4) SUNWmgapp packages, when installed using Solaris 8 Update 1/01 or later, install files with world or group write permissions, which allows local users to gain root privileges or cause a denial of service.

7.2
2002-10-28 CVE-2002-1222 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Catos

Buffer overflow in the embedded HTTP server for Cisco Catalyst switches running CatOS 5.4 through 7.3 allows remote attackers to cause a denial of service (reset) via a long HTTP request.

7.1

13 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-10-28 CVE-2002-1228 SUN Remote Denial of Service vulnerability in Solaris NFS lockd

Unknown vulnerability in NFS on Solaris 2.5.1 through Solaris 9 allows an NFS client to cause a denial of service by killing the lockd daemon.

5.0
2002-10-28 CVE-2002-1224 KDE Unspecified vulnerability in KDE

Directory traversal vulnerability in kpf for KDE 3.0.1 through KDE 3.0.3a allows remote attackers to read arbitrary files as the kpf user via a URL with a modified icon parameter.

5.0
2002-10-28 CVE-2002-1216 GNU Remote Security vulnerability in tar

GNU tar 1.13.19 and other versions before 1.13.25 allows remote attackers to overwrite arbitrary files via a symlink attack, as the result of a modification that effectively disabled the security check.

5.0
2002-10-28 CVE-2002-1213 Radiobird Software Directory Traversal vulnerability in Radiobird Software Webserver 4 ALL 1.23/1.27

Directory traversal vulnerability in RadioBird Software WebServer 4 Everyone 1.23 and 1.27, and other versions before 1.30, allows remote attackers to read arbitrary files via an HTTP request with ".." (dot-dot) sequences containing URL-encoded forward slash ("%2F") characters.

5.0
2002-10-28 CVE-2002-1212 Radiobird Software Buffer Overflow vulnerability in Radiobird Software Webserver 4 ALL 1.23/1.27

Buffer overflow in RadioBird Software WebServer 4 Everyone 1.23 and 1.27, and other versions before 1.30, allows remote attackers to cause a denial of service (crash) via a long HTTP GET request.

5.0
2002-10-28 CVE-2002-1203 IBM Resource Management Errors vulnerability in IBM Secureway Firewall 4.2/4.2.1

IBM SecureWay Firewall before 4.2.2 performs extra processing before determining that a packet is invalid and dropping it, which allows remote attackers to cause a denial of service (resource exhaustion) via a flood of malformed TCP packets without any flags set.

5.0
2002-10-28 CVE-2002-1201 IBM Remote Empty TCP Flag Flood Denial Of Service vulnerability in IBM AIX 4.3.3/5

IBM AIX 4.3.3 and AIX 5 allows remote attackers to cause a denial of service (CPU consumption or crash) via a flood of malformed TCP packets without any flags set, which prevents AIX from releasing the associated memory buffers.

5.0
2002-10-28 CVE-2002-1199 Caldera
SCO
SUN
Local File Disclosure vulnerability in ypxfrd

The getdbm procedure in ypxfrd allows local users to read arbitrary files, and remote attackers to read databases outside /var/yp, via a directory traversal and symlink attack on the domain and map arguments.

5.0
2002-10-28 CVE-2002-1191 Sabre Denial Of Service vulnerability in Sabre Desktop Reservation Software Client

The Sabserv client component in Sabre Desktop Reservation Software 4.2 through 4.4 allows remote attackers to cause a denial of service via malformed input to TCP port 1001.

5.0
2002-10-28 CVE-2002-1118 Oracle Remote Denial Of Service vulnerability in Oracle TNS Listener Service_CurLoad

TNS Listener in Oracle Net Services for Oracle 9i 9.2.x and 9.0.x, and Oracle 8i 8.1.x, allows remote attackers to cause a denial of service (hang or crash) via a SERVICE_CURLOAD command.

5.0
2002-10-28 CVE-2002-0990 Symantec Denial of Service vulnerability in Multiple Symantec HTTP Proxy

The web proxy component in Symantec Enterprise Firewall (SEF) 6.5.2 through 7.0, Raptor Firewall 6.5 and 6.5.3, VelociRaptor, and Symantec Gateway Security allow remote attackers to cause a denial of service (connection resource exhaustion) via multiple connection requests to domains whose DNS server is unresponsive or does not exist, which generates a long timeout.

5.0
2002-10-28 CVE-2002-1192 Rogue
Netbsd
Local Buffer Overflow vulnerability in Rogue

Multiple buffer overflows in rogue on NetBSD 1.6 and earlier, FreeBSD 4.6, and possibly other operating systems, allows local users to gain "games" group privileges via malformed entries in a game save file.

4.6
2002-10-28 CVE-2002-1195 Gabriele Bartolini Unspecified vulnerability in Gabriele Bartolini HT Check 1.1

Cross-site scripting vulnerability (XSS) in the PHP interface for ht://Check 1.1 allows remote web servers to insert arbitrary HTML, including script, via a web page.

4.3

1 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-10-28 CVE-2002-1193 Tkmail Unspecified vulnerability in Tkmail

tkmail before 4.0beta9-8.1 allows local users to create or overwrite files as users via a symlink attack on temporary files.

2.1