Weekly Vulnerabilities Reports > December 23 to 29, 2002
Overview
38 new vulnerabilities reported during this period, including 10 critical vulnerabilities and 18 high severity vulnerabilities. This weekly summary report vulnerabilities in 40 products from 29 vendors including Apple, Microsoft, Easy Software Products, Cisco, and Oracle. Vulnerabilities are notably categorized as "Improper Input Validation", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Unchecked Return Value".
- 31 reported vulnerabilities are remotely exploitables.
- 38 reported vulnerabilities are exploitable by an anonymous user.
- Apple has the most reported vulnerabilities, with 7 reported vulnerabilities.
- Cisco has the most reported critical vulnerabilities, with 4 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
10 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2002-12-27 | CVE-2002-1584 | SGI SUN | Privilege Escalation vulnerability in Sun Solaris RPC AUTH_DES Unknown vulnerability in the AUTH_DES authentication for RPC in Solaris 2.5.1, 2.6, and 7, SGI IRIX 6.5 to 6.5.19f, and possibly other platforms, allows remote attackers to gain privileges. | 10.0 |
2002-12-26 | CVE-2002-1383 | Easy Software Products Apple | Multiple integer overflows in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allow remote attackers to execute arbitrary code via (1) the CUPSd HTTP interface, as demonstrated by vanilla-coke, and (2) the image handling code in CUPS filters, as demonstrated by mksun. | 10.0 |
2002-12-26 | CVE-2002-1369 | Easy Software Products Apple | Buffer Overflow vulnerability in CUPS strncat() Function Call jobs.c in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not properly use the strncat function call when processing the options string, which allows remote attackers to execute arbitrary code via a buffer overflow attack. | 10.0 |
2002-12-26 | CVE-2002-1367 | Easy Software Products Apple | Remote Printer Addition vulnerability in CUPS Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote attackers to add printers without authentication via a certain UDP packet, which can then be used to perform unauthorized activities such as stealing the local root certificate for the administration server via a "need authorization" page, as demonstrated by new-coke. | 10.0 |
2002-12-23 | CVE-2002-1361 | SUN | Unspecified vulnerability in SUN Cobalt RAQ 4 overflow.cgi CGI script in Sun Cobalt RaQ 4 with the SHP (Security Hardening Patch) installed allows remote attackers to execute arbitrary code via a POST request with shell metacharacters in the email parameter. | 10.0 |
2002-12-23 | CVE-2002-1360 | Cisco Fissh Intersoft Netcomposite Pragma Systems Putty Winscp | Improper Input Validation vulnerability in multiple products Multiple SSH2 servers and clients do not properly handle strings with null characters in them when the string length is specified by a length field, which could allow remote attackers to cause a denial of service or possibly execute arbitrary code due to interactions with the use of null-terminated strings as implemented using languages such as C, as demonstrated by the SSHredder SSH protocol test suite. | 10.0 |
2002-12-23 | CVE-2002-1359 | Cisco Fissh Intersoft Netcomposite Pragma Systems Putty Winscp | Improper Input Validation vulnerability in multiple products Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code via buffer overflow attacks, as demonstrated by the SSHredder SSH protocol test suite. | 10.0 |
2002-12-23 | CVE-2002-1358 | Cisco Fissh Intersoft Netcomposite Pragma Systems Putty Winscp | Improper Input Validation vulnerability in multiple products Multiple SSH2 servers and clients do not properly handle lists with empty elements or strings, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code, as demonstrated by the SSHredder SSH protocol test suite. | 10.0 |
2002-12-23 | CVE-2002-1357 | Cisco Fissh Intersoft Netcomposite Pragma Systems Putty Winscp | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products Multiple SSH2 servers and clients do not properly handle packets or data elements with incorrect length specifiers, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code, as demonstrated by the SSHredder SSH protocol test suite. | 10.0 |
2002-12-23 | CVE-2002-1257 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Virtual Machine (VM) up to and including build 5.0.3805 allows remote attackers to execute arbitrary code by including a Java applet that invokes COM (Component Object Model) objects in a web site or an HTML mail. | 10.0 |
18 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2002-12-26 | CVE-2002-1372 | Apple Debian | Unchecked Return Value vulnerability in multiple products Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not properly check the return values of various file and socket operations, which could allow a remote attacker to cause a denial of service (resource exhaustion) by causing file descriptors to be assigned and not released, as demonstrated by fanta. | 7.5 |
2002-12-26 | CVE-2002-1371 | Easy Software Products Apple | filters/image-gif.c in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not properly check for zero-length GIF images, which allows remote attackers to execute arbitrary code via modified chunk headers, as demonstrated by nogif. | 7.5 |
2002-12-26 | CVE-2002-1368 | Easy Software Products Apple | Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing negative arguments to be fed into memcpy() calls via HTTP requests with (1) a negative Content-Length value or (2) a negative length in a chunked transfer encoding. | 7.5 |
2002-12-26 | CVE-2002-1363 | Greg Roelofs | Buffer Overflow vulnerability in LibPNG Incorrect Offset Calculation Portable Network Graphics (PNG) library libpng 1.2.5 and earlier does not correctly calculate offsets, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a buffer overflow attack on the row buffers. | 7.5 |
2002-12-26 | CVE-2002-1327 | Microsoft | Buffer Overrun vulnerability in Microsoft Windows XP WMA/MP3 Attributes Buffer overflow in the Windows Shell function in Microsoft Windows XP allows remote attackers to execute arbitrary code via an .MP3 or .WMA audio file with a corrupt custom attribute, aka "Unchecked Buffer in Windows Shell Could Enable System Compromise." | 7.5 |
2002-12-26 | CVE-2002-1177 | Nullsoft | Buffer Overrun vulnerability in Nullsoft Winamp 3.0 Multiple buffer overflows in Winamp 3.0, when displaying an MP3 in the Media Library window, allows remote attackers to execute arbitrary code via an MP3 file containing a long (1) Artist or (2) Album ID3v2 tag. | 7.5 |
2002-12-26 | CVE-2002-1176 | Nullsoft | Remote Security vulnerability in Nullsoft Winamp 2.81 Buffer overflow in Winamp 2.81 allows remote attackers to execute arbitrary code via a long Artist ID3v2 tag in an MP3 file. | 7.5 |
2002-12-23 | CVE-2002-1382 | Macromedia | SWF Buffer Overflow vulnerability in Macromedia Flash Macromedia Flash Player before 6.0.65.0 allows remote attackers to execute arbitrary code via certain malformed data headers in Shockwave Flash file format (SWF) files, a different issue than CAN-2002-0846. | 7.5 |
2002-12-23 | CVE-2002-1376 | Oracle Symantec Veritas | Buffer Overflow vulnerability in MySQL libmysqlclient Library Read_Rows libmysqlclient client library in MySQL 3.x to 3.23.54, and 4.x to 4.0.6, does not properly verify length fields for certain responses in the (1) read_rows or (2) read_one_row routines, which allows remote attackers to cause a denial of service and possibly execute arbitrary code. | 7.5 |
2002-12-23 | CVE-2002-1375 | Oracle Symantec Veritas | The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x to 4.0.6, allows remote attackers to execute arbitrary code via a long response. | 7.5 |
2002-12-23 | CVE-2002-1374 | Oracle Symantec Veritas | The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x before 4.0.6, allows remote attackers to gain privileges via a brute force attack using a one-character password, which causes MySQL to only compare the provided password against the first character of the real password. | 7.5 |
2002-12-23 | CVE-2002-1365 | Fetchmail | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Fetchmail Heap-based buffer overflow in Fetchmail 6.1.3 and earlier does not account for the "@" character when determining buffer lengths for local addresses, which allows remote attackers to execute arbitrary code via a header with a large number of local addresses. | 7.5 |
2002-12-23 | CVE-2002-1350 | LBL | Unspecified vulnerability in LBL Tcpdump The BGP decoding routines in tcpdump 3.6.x before 3.7 do not properly copy data, which allows remote attackers to cause a denial of service (application crash). | 7.5 |
2002-12-23 | CVE-2002-1260 | Microsoft | Unspecified vulnerability in Microsoft products The Java Database Connectivity (JDBC) APIs in Microsoft Virtual Machine (VM) 5.0.3805 and earlier allow remote attackers to bypass security checks and access database contents via an untrusted Java applet. | 7.5 |
2002-12-26 | CVE-2002-1385 | Open Webmail | Unspecified vulnerability in Open Webmail Open Webmail openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via .. | 7.2 |
2002-12-23 | CVE-2002-1381 | University OF Cambridge | Unspecified vulnerability in University of Cambridge Exim 3.35/3.36/4.10 Format string vulnerability in daemon.c for Exim 4.x through 4.10, and 3.x through 3.36, allows exim administrative users to execute arbitrary code by modifying the pid_file_path value. | 7.2 |
2002-12-23 | CVE-2002-1364 | Ehud Gavron | Local Buffer Overflow vulnerability in Traceroute-nanog Buffer overflow in the get_origin function in traceroute-nanog allows attackers to execute arbitrary code via long WHOIS responses. | 7.2 |
2002-12-23 | CVE-2002-1296 | SUN | Local Root vulnerability in Solaris priocntl() System Call Directory traversal vulnerability in priocntl system call in Solaris does allows local users to execute arbitrary code via ".." sequences in the pc_clname field of a pcinfo_t structure, which cause priocntl to load a malicious kernel module. | 7.2 |
9 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2002-12-26 | CVE-2002-1366 | Easy Software Products Apple | Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows local users with lp privileges to create or overwrite arbitrary files via file race conditions, as demonstrated by ice-cream. | 6.2 |
2002-12-24 | CVE-2002-1351 | Melange | Remote Buffer Overflow vulnerability in Melange Chat System 1.10 Buffer overflow in Melange Chat System 1.10 allows remote attackers to cause a denial of service (chat server crash) and possibly execute arbitrary code via the msgText buffer in the chat_InterpretData function, as demonstrated via a long Nick (nickname) request. | 5.0 |
2002-12-23 | CVE-2002-1373 | Oracle | Unspecified vulnerability in Oracle Mysql Signed integer vulnerability in the COM_TABLE_DUMP package for MySQL 3.23.x before 3.23.54 allows remote attackers to cause a denial of service (crash or hang) in mysqld by causing large negative integers to be provided to a memcpy call. | 5.0 |
2002-12-23 | CVE-2002-1362 | Matthew Smith | Denial Of Service vulnerability in mICQ mICQ 0.4.9 and earlier allows remote attackers to cause a denial of service (crash) via malformed ICQ message types without a 0xFE separator character. | 5.0 |
2002-12-23 | CVE-2002-1345 | Ncftp Software Openbsd SUN | Directory traversal vulnerabilities in multiple FTP clients on UNIX systems allow remote malicious FTP servers to create or overwrite files as the client user via filenames containing /absolute/path or .. | 5.0 |
2002-12-23 | CVE-2002-1325 | Microsoft | Information Disclosure vulnerability in Microsoft Java Virtual Machine user.dir Access Microsoft Virtual Machine (VM) build 5.0.3805 and earlier allows remote attackers to determine a local user's username via a Java applet that accesses the user.dir system property, aka "User.dir Exposure Vulnerability." | 5.0 |
2002-12-23 | CVE-2002-1258 | Microsoft | Unspecified vulnerability in Microsoft products Two vulnerabilities in Microsoft Virtual Machine (VM) up to and including build 5.0.3805, as used in Internet Explorer and other applications, allow remote attackers to read files via a Java applet with a spoofed location in the CODEBASE parameter in the APPLET tag, possibly due to a parsing error. | 5.0 |
2002-12-23 | CVE-2002-1256 | Microsoft | Unspecified vulnerability in Microsoft products The SMB signing capability in the Server Message Block (SMB) protocol in Microsoft Windows 2000 and Windows XP allows attackers to disable the digital signing settings in an SMB session to force the data to be sent unsigned, then inject data into the session without detection, e.g. | 5.0 |
2002-12-23 | CVE-2002-1377 | VIM Development Group | Unspecified vulnerability in VIM Development Group VIM vim 6.0 and 6.1, and possibly other versions, allows attackers to execute arbitrary commands using the libcall feature in modelines, which are not sandboxed but may be executed when vim is used to edit a malicious file, as demonstrated using mutt. | 4.6 |
1 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2002-12-23 | CVE-2002-1380 | Linux | Local Denial of Service vulnerability in Linux Kernel 2.2 mmap() Linux kernel 2.2.x allows local users to cause a denial of service (crash) by using the mmap() function with a PROT_READ parameter to access non-readable memory pages through the /proc/pid/mem interface. | 2.1 |