
Note: This page is part of the us-cert.gov archive. This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Bulletin (SB04-035)

Summary of Security Items from January 21 through February 3, 2004

Original release date: September 22, 2004

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.



Publications by US-CERT

Vulnerabilities in Microsoft Internet Explorer

Microsoft Security Bulletin MS04-004 describes three vulnerabilities in Internet Explorer that have impacts ranging from disguising the true location of a URL to executing arbitrary commands or code.

W32/MyDoom.B Virus

A variant of the W32/MyDoom (W32/Novarg.A) virus, W32/MyDoom.B infects Microsoft Windows systems. Like its predecessor, W32/MyDoom.B propagates via email and P2P networks and requires that a user intentionally run an executable file in order to infect a system. This virus may be designed to cease functioning on March 1, 2004.

VU#434566: Apache mod_rewrite vulnerable to buffer overflow via crafted regular expression
A vulnerability in a supplementary module to the Apache HTTP server could allow an attacker to execute arbitrary code on an affected web server under certain circumstances.

VU#549142: Apache mod_alias vulnerable to buffer overflow via crafted regular expression
A vulnerability in a supplementary module to the Apache HTTP server could allow an attacker to execute arbitrary code on an affected web server under certain circumstances.

VU#602734: Cisco default install of IBM Director agent fails to authenticate users for remote administration
Cisco IBM Director agent fails to authenticate users for remote administration.

VU#721092: Cisco IBM Director agent does not properly handle arbitrary TCP packets to port 14247/tcp
Cisco IBM Director agent does not properly handle arbitrary TCP packets to port 14247/tcp.

VU#509454: HP-UX shar utility creates files with predictable names in "/tmp" directory
The shar program distributed with some versions of the HP-UX operating system creates files insecurely. This vulnerability could allow local users to gain escalated privilege on the system.

VU#820798: KDE Personal Information Management suite "kdepim" contains a buffer overflow vulnerability in VCF information reader
KDE Personal Information Management suite "kdepim" contains a buffer overflow vulnerability. Exploitation of this vulnerability could lead to the arbitrary execution of commands.

VU#530660: Microsoft Exchange Server 2003 fails to assign user credentials to proper mailbox
A flaw in the authentication mechanism that Microsoft Exchange Server 2003 uses for Outlook Web Access users in some configurations could expose another user's mailbox.

VU#927630: NetScreen-Security Manager fails to encrypt communications with managed devices
A vulnerability in the NetScreen-Security Manager software could expose sensitive information in cleartext over the network.

VU#702526: Sun Solaris allows unprivileged local user to load arbitrary kernel modules
Sun Solaris allows an unprivileged local user to load arbitrary kernel modules.




Publications by Vendors

Apache Software Foundation

The Apache Software Foundation released information regarding a vulnerability in mod_python. For more information, see

Apple

Apple released security updates to MacOS X and MacOS X Server. For more information, see

Cisco

Cisco Systems released updates for vulnerabilities related to certain problems in Cisco 6000/6500/7600 series systems and incorrectly formed layer 2 frames, vulnerabilities in Microsoft Windows which affect certain Cisco products, and certain Cisco voice products installed on the IBM platform. For more information, see

Debian

Debian released updates to crawl, perl, trr19, and gnupg. For more information, see

FreeBSD

FreeBSD released information regarding vulnerabilities in mksnap_ffs. For more information, see

Gentoo

Gentoo released updates related to GAIM, mod_python, and Honeyd. For more information, see

Hewlett Packard

Hewlett Packard released a security update describing a problem in Bind 8 for OpenVMS. Hewlett Packard has also revised previous bulletins describing problems in BIND 8 for OpenVMS, OpenSSH, a system service in OpenVMS Alpha, OpenSSL and TLS on Tru64 UNIX, and the way various programs handle certain types of network traffic. For more information, see

Macromedia

Macromedia released two updates related to Coldfusion MX. For more information, see

Mandrake

Mandrake released updates to gaim, php-ini, tcpdump, mc, jabber, slocate, mrproject, dhcp, and qt3. For more information, see

Microsoft

Microsoft released two security updates to Windows, and a security update to Microsoft Exchange and IAServer.

Novell

Novell issued updates to HTTPSTK.NLM, iChain 2.2, and eDirectory prior to 8.7.3. For more information, see

Red Hat

Red Hat released updates related to NetPBM, mc, an updated kernel that addresses a number of issues, util-linux, Gaim, and slocate. Note that the original bulletin regarding mc was superseded. Additionally, Red Hat released an update to Fedora Core regarding slocate. For more information, see

SGI

SGI released updates related to do_mremap(), kmod, frm (part of elm), CVS, tcpdump, Ethereal, html2ps, Safe.pm, gzexe and gznew, libdesktopicon.so, and gr_osview. For more information, see

Slackware

Slackware has released information regarding GAIM. For more information, see

Sun Microsystems

Sun Microsystems released security updates describing problems in Sun ONE/iPlanet Webserver, in.named (BIND), the tcsetattr(3C) library function, the pfexec command, Solaris IKE, SunForum, OpenSSL and TLS on SunPlex systems, Safe.pm and CGI.pm perl modules, and Loadable Kernel Modules. Additionally, Sun withdrew two patches previously released for the Basic Security Module. For more information, see

SuSE Linux

SUSE Linux has released information regarding gaim. For more information, see

Trustix

Trustix released an update regarding slocate. For more information, please see

Turbolinux

Turbolinux released updates regarding tcpdump and lftp. For more information see




Publications by Third Parties

AusCERT

AusCERT released a variety of bulletins and alerts. For more information, see

F-Secure

F-Secure released information about Lovsan.H, Mydoom, Mydoom.B, Lasku, Needy.C, Mimail.S, Swen, Dumaru.AA, Dumaru.Z, Mimail.Q, UrlSpoof.E, Dumaru.Y, and Bagle.

Of these, the variants of Mydoom and Dumaru, Swen, and Bagle received high alert levels under the "F-Secure Radar."

ISS

ISS released an alert regarding MyDoom, as well as several summary documents. For more information, see

Network Associates

Network Associates has released information on MS Vulnerabilities, Proxy-Agent, W32/Anig.worm, W32/Mimail.s@MM, W32/Mydoom.b@MM, Ntpass application, W32/Mydoom@MM, W32/Mimail.q@MM, VBS/Braco@MM, and W32/Dumaru.y@MM. For more information, see

SANS

SANS has released two versions of the Consensus Security Alert. For more information, please see

Sophos

Sophos released information about W32/Agobot-CS, W32/Spybot-AF, WM97/Ortant-A, W32/Agobot-CO, Troj/Chapter-A, Troj/Control-E, Troj/Daemoni-B, Troj/Daemoni-C, W32/Agobot-P, Troj/Volver-A, W32/Agobot-CK, W32/Agobot-AD, W32/Agobot-CL, W32/Agobot-CN, W32/SdBot-W, Troj/SdBot-AP, Troj/Flood-DZ, Troj/ByteVeri-E, Troj/NoCheat-B, W32/Carpeta-C, W32/RpcSdbot-B, W32/MyDoom-B, W32/Eyeveg-B, Troj/Femad-B, W32/Agobot-CM, Troj/Winpup-C, Troj/IRCBot-U, Troj/Hidemirc-A, Troj/Ircfloo-A, W32/Mimail-S, VBS/Inor-C, W32/Dumaru-Z, W32/Argdoor-A, W32/Spybot-CJ, W32/Apsiv-A, Troj/Digits-B, Troj/AdClick-Y, Troj/Stawin-A, W32/MyDoom-A, W32/Mimail-Q, W32/Dumaru-K, Troj/Small-AW, Troj/Mahru-A, W32/Dumaru-Y, W32/Flopcopy-A, W32/Randon-AC, and W32/Randex-Z.

Symantec

Symantec released information on W32.Hostidel.Trojan.C, W32.HLLW.Chemsvy, W32.Dumaru.AD@mm, W32.Galil.F@mm, VBS.Shania, Keylogger.Stawin, W32.Randex.FC, W32.HLLW.Anig, PWSteal.Olbaid, W32.Mimail.S@mm, Backdoor.Aphexdoor, W32.IRCBot.C, W32.Mydoom.B@mm, Trojan.Bookmarker.E, W32.HLLW.Pokibat, W32.Mydoom.A@mm, W32.Mimail.Q@mm, W32.Dumaru.Z@mm, W32.Dumaru.Y@mm, Trojan.Bookmarker.D, W32.HLLW.Sanker, and Backdoor.OptixPro.13b.

Of these, W32.Dumaru.AD@mm, W32.Galil.F@mm, W32.Mydoom.B@mm, W32.Mydoom.A@mm, W32.Mimail.Q@mm, W32.Dumaru.Z@mm, and W32.Dumaru.Y@mm are rated as "High" distribution, which is an indication of how quickly a threat is able to spread.

Trend Micro

Trend Micro released information on WORM_AGOBOT.RW, WORM_MSBLAST.H, WORM_DUMARU.AB, WORM_RANDEX.FC, WORM_SDBOT.GO, WORM_SDBOT.K, WORM_AGOBOT.O, WORM_ANIG.A, WORM_MIMAIL.S, WORM_MYDOOM.B, WORM_MYDOOM.A, WORM_AGOBOT.U, WORM_MIMAIL.Q, WORM_DUMARU.Z, WORM_AGOBOT.DG, WORM_AGOBOT.FQ, WORM_DUMARU.Y, WORM_AGOBOT.W, HTML_VISAFRAUD.A, and WORM_AGOBOT.FX.

Of these, WORM_AGOBOT.FX, WORM_DUMARU.Y, WORM_AGOBOT.W, WORM_AGOBOT.FQ, WORM_DUMARU.Z, WORM_MIMAIL.Q, WORM_MYDOOM.B, WORM_MYDOOM.A, WORM_AGOBOT.U, WORM_MIMAIL.S, WORM_ANIG.A, WORM_AGOBOT.O, WORM_SDBOT.K, WORM_SDBOT.GO, WORM_RANDEX.FC, WORM_DUMARU.AB, WORM_MSBLAST.H, and WORM_AGOBOT.RW are rated as having "high" distribution potential. For more information, see

UNIRAS

UNIRAS issued a variety of bulletins and alerts. For more information, see


Copyright 2004 Carnegie Mellon University.