IDGNet Virus & Security Watch Friday 5 December 2003


This issue's topics:

Introduction:

* Linux kernel, rsync, Sun ONE/iPlanet, mod_python updates; more Mimails

Virus News:

* Another week, another Mimail (or two)...

Security News:

* Critical Linux kernel update

* rsync patched to fix remotely exploitable heap overflow

* Fix for Cisco Aironet APs divulging WEP key via SNMP

* Update fixes DoS in Sun ONE/iPlanet Web Server for Windows

* mod_python update fixes denial of service string-handling flaw

Introduction:

Two critical Linux updates this week, one of them for a severe local root privilege escalation. Also fixes for Cisco Aironet wireless LAN access points and a couple of fixes for denial of service vulnerabilities in two popular web servers - Sun ONE/iPlanet and Apache (if the popular mod_python module is installed).

Things have been rather quiet on the virus front this week, although two new Mimail variants were released. One of these added a little technical interest with its use of zip archive password protection in an apparent attempt to get its seeding run past common e-mail content scanner policies.

Virus News:

* Another week, another Mimail (or two)...

Continuing the trend of the past few weeks, we get to report the recent release of two more Mimail variants. Mimail.L continues the payload of several earlier variants, engaging any victim machines in a denial of service attack against various staunch anti-spam sites such as spamcop.net, spamhaus.org and spews.org. It also tries to instigate another form of attack against these sites, implicating them in the message body as the source of the virus' messages. This message suggests that a CD of child porn the recipient has ordered has been dispatched and the recipient's credit card will be billed $22.95 weekly for this child porn service. The virus writer's hope here is presumably to cause many 'upset' recipients of the virus' e-mail messages to call or otherwise try to directly contact the staff of these anti-spam sites. This aspect of the virus is also covered in the news article from The Register we have included with the usual antivirus vendor links below.

Mimail.M is of interest because its initial seeding distribution (where the virus was e-mailed via a large spam run) included the virus not in its traditional zip archived form, but in a password-protected .ZIP attachment. The password, and instructions to use it to unpack the program, were included in the e-mail message. This was presumably an attempt to get the virus past many e-mail virus scanners that simply pass encrypted .ZIP attachments on to the intended recipient. The virus itself does not have the functionality to produce such encrypted .ZIP attachments, but it is an interesting development that the virus writers may be starting to toy with such tactics.

Fortunately it seems that neither variant will become anywhere near as widespread as some of the earlier members of this family.
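The Mimail.M tactic described above works only because a gateway that cannot open an encrypted .ZIP passes it through. The following added example (not from the newsletter or any vendor) shows the check a mail gateway can make without extracting anything: parse the archive's central directory, read the per-entry "encrypted" flag bit, and quarantine the attachment rather than forward it. The sample archive, the policy strings and the RISKY_EXT list are constructed for this illustration.

```python
import io
import struct
import zipfile

RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

def _central_entry_offsets(data):
    # EOCD record (PK\x05\x06) gives the entry count (+10) and central-directory offset (+16).
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, off = struct.unpack_from("<HII", data, eocd + 10)
    offsets = []
    for _ in range(count):
        offsets.append(off)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, off + 28)
        off += 46 + name_len + extra_len + comment_len  # fixed header is 46 bytes
    return offsets

def inspect_zip(data):
    """List {name, encrypted} per entry from the central directory; nothing is extracted."""
    entries = []
    for off in _central_entry_offsets(data):
        flags = struct.unpack_from("<H", data, off + 8)[0]
        name_len = struct.unpack_from("<H", data, off + 28)[0]
        name = data[off + 46:off + 46 + name_len].decode("cp437")
        # General-purpose flag bit 0 marks a password-protected entry.
        entries.append({"name": name, "encrypted": bool(flags & 0x0001)})
    return entries

def gateway_verdict(data):
    """Quarantine archives the scanner cannot look inside, and archives carrying executables."""
    entries = inspect_zip(data)
    if any(e["encrypted"] for e in entries):
        return "quarantine: encrypted archive"
    if any(e["name"].lower().endswith(RISKY_EXT) for e in entries):
        return "quarantine: executable inside archive"
    return "deliver"

def build_sample_zip(encrypted, names=("readme.txt", "install.exe")):
    # Constructed sample attachment (not a real Mimail file); "encrypted" only sets flag bit 0, no cipher.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, b"MZ" + b"\x00" * 64 if name.endswith(".exe") else "see mail for password")
    data = bytearray(buf.getvalue())
    if encrypted:
        for off in _central_entry_offsets(data):
            struct.pack_into("<H", data, off + 8, struct.unpack_from("<H", data, off + 8)[0] | 1)
    return bytes(data)
```

The verdict is made from the central directory alone, so a gateway can reject the password-protected attachment before any content scanning is attempted.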

Mimail variant attacks anti-spam sites. Again - theregister.co.uk

Computer Associates Virus Information Center (37681)

Computer Associates Virus Information Center (37692)

F-Secure Security Information Center (mimail_l)

F-Secure Security Information Center (mimail_m)

Network Associates Virus Information Library (100846)

Network Associates Virus Information Library (100856)

Sophos Virus Info (mimail_l)

Sophos Virus Info (mimail_m)

Symantec Security Response (mimail.l)

Symantec Security Response (mimail.m)

Trend Micro Virus Information Center (mimail.l)

Trend Micro Virus Information Center (mimail.m)

Security News:

* Critical Linux kernel update

Researchers from Polish iSEC Security Research have shown how the lack of bounds checking in the do_brk() function of the Linux kernel 2.4.22 and earlier can be exploited easily on x86 machines. Successful exploitation of this bug gives full system access, allowing any local user to gain root access. A new kernel version, 2.4.23 (and an updated development kernel), fixing this vulnerability has been released, as have various kernel update packages rolling the fix into existing distribution kernels.

Several exploits of this have been publicly released so Linux administrators are well-advised to obtain suitable updates from their preferred sources and install them as soon as is practicable.

Linux kernel do_brk() lacks argument bound checking - isec.pl

* rsync patched to fix remotely exploitable heap overflow

The developers of rsync have released an updated version, 2.5.7, that fixes a remotely exploitable heap overflow in rsync 2.5.6 when used as an rsync server. Exploiting this vulnerability would not normally give an attacker root access, but in combination with a local root exploit (such as the one described in the Linux kernel update item above), it could lead to a serious compromise of the system running the rsync server.

An archived copy of the rsync security advisory, originally posted to a mailing list, is linked below. It contains more details of the vulnerability, a recent system compromise exploiting the vulnerability and links to updated versions. Most Linux distributions that include rsync have already shipped update packages for those who prefer not to build their own.

rsync security advisory - samba.org

* Fix for Cisco Aironet APs divulging WEP key via SNMP

Cisco has released fixes for its Aironet AP 1100, 1200 and 1400 series running Cisco IOS. This update fixes the situation in which these wireless access points (APs) will send their static WEP key in plain text in response to an SNMP request. This only occurs if the non-default 'snmp-server enable traps wlan-wep' command has been enabled in the AP's configuration. Such a configuration could disclose an AP's static WEP key to an attacker sniffing traffic to and from the AP and ease subsequent access to the AP should it not require more advanced authentication and encryption methods.

More details, including how to obtain the updates, are in the Cisco security advisory linked below.

SNMP Trap Reveals WEP Key in Cisco Aironet Access Point - cisco.com

* Update fixes DoS in Sun ONE/iPlanet Web Server for Windows

Sun has released updates in the form of new service packs for its Sun ONE/iPlanet Web Server to fix an unspecified denial of service vulnerability in these products. Versions 4.1 Service Pack 12 (and earlier) and 6.0 Service Pack 5 (and earlier) running on Windows platforms are affected, but not other platforms. Links to the new service packs are included in the Sun Security Alert linked below.

Sun ONE Web Server "Denial of Service" Vulnerability - sun.com

* mod_python update fixes denial of service string-handling flaw

The Apache Software Foundation has announced updates to the popular mod_python module for the Apache web server. A string-handling flaw in earlier versions of mod_python could cause Apache's httpd server process to crash. This is fixed in the mod_python 2.7.9 and 3.0.4 releases (used with Apache 1.3 and 2.0 versions respectively).

An archived copy of the release announcement, originally posted to a mailing list, is linked below and contains links to download locations for these updates.

Archived mod_python list message - securityfocus.com
