Specifications

SAFER – Vol. 3, Issue 6 36 © 2000 The Relay Group
CERT Advisory CA-2000-06: Multiple Buffer Overflows in Kerberos Authenticated Services
Released May 17, 2000
Affects Systems running Kerberos 4/5
Reference http://www.cert.org/
Problem
- Serious buffer overrun vulnerabilities exist in many implementations of Kerberos 4, including
implementations included for backwards compatibility in Kerberos 5 implementations. Other less
serious buffer overrun vulnerabilities have also been discovered. ALL KNOWN KERBEROS 4
IMPLEMENTATIONS derived from MIT sources are believed to be vulnerable.
SAFER
- Various patches and workarounds are available.
HP Security Advisory #00114: Sec. Vulnerability in BIND
Released May 17, 2000
Affects HP9000 Series 700/800 running HP-UX releases 10.XX & 11.XX
Reference http://us-support.external.hp.com/
Problem
- The CERT advisory (CA-99-14) detailed several BIND vulnerabilities. The Berkeley Internet Name
Domain (BIND) is an implementation of the Domain Name System (DNS) protocols.
- These vulnerabilities may allow remote users to gain root access to the name server, or to disrupt
its normal operation.
SAFER
- Install patches that upgrade BIND to version 4.9.7, or upgrade to version 8.1.2.
Cisco Security Advisory: Cisco IOS HTTP Server Vulnerability
Released May 14, 2000
Affects Cisco routers, switches and other devices running Cisco IOS software releases 11.1 through 12.1
Reference http://www.cisco.com/
Problem
- A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and
reload if the IOS HTTP service is enabled and browsing to "http://<router-ip>/%%" is attempted.
This defect can be exploited to produce a denial of service (DoS) attack. This defect has been
discussed on public mailing lists and should be considered public information.
- The vulnerability, identified as Cisco bug ID CSCdr36952, affects virtually all mainstream Cisco
routers and switches running Cisco IOS software releases 11.1 through 12.1, inclusive.
SAFER
- Cisco has released fixed IOS software for this vulnerability. Until it is installed, disabling the IOS HTTP
service removes the trigger, since the defect only manifests when that service is enabled.
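Two checks a practitioner wants around this defect, as an added example that is not part of the original advisory or of any Cisco tool: which devices expose the IOS HTTP service at all (read from saved configurations, assuming the IOS "ip http server" / "no ip http server" directives), and a detector that flags the "/%%" request when it appears in captured HTTP request lines. The detector generalises slightly beyond the page: it reports any percent escape not followed by two hex digits, of which "%%" is one instance. All configuration excerpts and request lines below are constructed.

```python
"""Checks around the Cisco IOS HTTP server "/%%" defect (added example).

(1) Which devices even expose the IOS HTTP service, read from saved configs.
(2) A detector for request lines carrying a malformed percent escape such
    as "/%%", run over captured request lines.
Sample configs and request lines are constructed, not taken from real devices.
"""
import string

# Constructed IOS configuration excerpts (hostnames are hypothetical).
CONFIG_EXPOSED = """\
hostname core-1
!
ip http server
!
line vty 0 4
"""

CONFIG_SAFE = """\
hostname core-2
!
no ip http server
!
line vty 0 4
"""

# Constructed HTTP request lines as an IDS sensor might extract them:
# (client, router, request line). Addresses are from documentation ranges.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "192.0.2.1", "GET / HTTP/1.0"),
    ("198.51.100.7", "192.0.2.1", "GET /%% HTTP/1.0"),
    ("198.51.100.9", "192.0.2.1", "GET /level/15/exec/show%20run HTTP/1.0"),
    ("198.51.100.9", "192.0.2.1", "GET /%2 HTTP/1.0"),
]


def http_server_enabled(config_text: str) -> bool:
    """Return True if the IOS HTTP service is enabled in a running-config.

    Assumes IOS prints "ip http server" when enabled and "no ip http server"
    when disabled; the last occurrence wins, and absence means disabled.
    """
    enabled = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "ip http server":
            enabled = True
        elif stripped == "no ip http server":
            enabled = False
    return enabled


def malformed_escapes(path: str) -> list[str]:
    """Return every percent escape in path that is not '%' + two hex digits.

    "/%%" yields ["%%", "%"]: the first '%' is followed by '%' rather than
    hex digits, and the second is followed by nothing at all.
    """
    bad = []
    i = 0
    while i < len(path):
        if path[i] != "%":
            i += 1
            continue
        tail = path[i + 1:i + 3]
        if len(tail) == 2 and all(c in string.hexdigits for c in tail):
            i += 3  # well-formed escape, skip over it
        else:
            bad.append(path[i:i + 3])
            i += 1
    return bad


def flag_requests(requests):
    """Return (client, router, path, reason) for each suspicious request line."""
    flagged = []
    for client, router, request_line in requests:
        parts = request_line.split()
        if len(parts) < 2:
            continue
        path = parts[1]
        bad = malformed_escapes(path)
        if not bad:
            continue
        if path == "/%%":
            reason = "CSCdr36952 trigger (/%%)"
        else:
            reason = "malformed percent escape " + ",".join(bad)
        flagged.append((client, router, path, reason))
    return flagged


if __name__ == "__main__":
    for name, cfg in (("core-1", CONFIG_EXPOSED), ("core-2", CONFIG_SAFE)):
        print(name, "http server enabled:", http_server_enabled(cfg))
    for hit in flag_requests(SAMPLE_REQUESTS):
        print("ALERT", hit)
```

The config check is the inventory step: a device with the service disabled cannot be crashed this way. The detector is deliberately not the exploit; it only inspects request lines that have already been captured, so it can run as an IDS post-processor without ever sending "/%%" to a router.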
CERT Advisory CA-2000-05: Netscape Navigator Improperly Validates SSL Sessions
Released May 12, 2000
Affects Netscape Navigator 4.72, 4.61, 4.07, probably other versions too
Reference http://www.cert.org/
Problem
- Netscape Navigator correctly checks the certificate conditions (*) at the beginning of an SSL
session it establishes with a given web server. The flaw is that, while this SSL session is still alive, all
HTTPS connections to *THAT SERVER'S IP ADDRESS* are assumed to be part of the same session
(and therefore the certificate conditions are not checked again).
- Instead of comparing hostnames to those of currently open sessions, Navigator compares IP
addresses. Since more than one hostname can have the same IP address, a connection to a
different hostname at that address is accepted under the existing session without any certificate
check, which is a serious potential for security breach. This behavior is not in compliance with the
SSL specification.
SAFER
- Netscape has provided (even prior to the reporter's notification - see the Acknowledgments section
of the original advisory) a Navigator add-on called Personal Security Manager (PSM) that corrects
this behavior.