Bugtraq mailing list archives

Re: [Fwd: ISS Security Advisory: Buffer Overflow in Netscape Enterprise and FastTrack Web Servers]


From: jason.axley () ATTWS COM (Jason Axley)
Date: Wed, 1 Sep 1999 14:01:53 -0700


Just to keep y'all updated, and to summarize what's
known so far:

1) The ISS advisory sucks (no details, didn't mention
that it was NT-only or that Solaris wasn't vulnerable,
they supposedly worked with Netscape on this, but don't
have more specific info about which platforms/versions
are vulnerable, and it does not mention that the fix is
included in the SSL handshake fix (leaving folks to
wonder "huh?" when told to apply a fix that doesn't
seem to have any relation to the problem))

2) Netscape surreptitiously fixed a serious buffer
overflow bug and included it in the SSL handshake patch
and didn't notify anyone of the bug's existence (to
this day there isn't any verbiage at
http://www.iplanet.com/downloads/patches/detail_12_86.html
that mentions this GET overflow).  Bad Netscape...no
cookie!

3) The information in the database at
www.securityfocus.com about this vulnerability is
either wrong or they know something we don't because it
lists specific operating systems and Netscape product
versions not mentioned on BugTraq or in the ISS
advisory.

4) The advisory mentions NES 3.6sp2 as being
vulnerable.  I have since used the ISS scanner and the
NetscapeGetOverflowFlexCheck to verify that NES 3.5.1
on NT is also vulnerable.  Solaris is not vulnerable
(at least to this specific variant ;^>).

5) At least one other individual who contacted me and I
are interested in finding out what the FlexCheck is
doing so that we can post details on what the problem
is and perhaps why UNIX versions don't appear to be
vulnerable.  If I find anything else out, I'll
"open-source" the details so that those without ISS
scanner can confirm whether their systems are
vulnerable or not.

6) I'm not the only one annoyed by the terse,
disconnected advisories from ISS X-Force of late.

-Jason

Quoting X-Force <xforce () ISS NET>:

Comments within.

Erik Fichtner wrote:

Is this vulnerability in other versions of
Enterprise server?

  We tested the vulnerability against the current
  releases of Enterprise and FastTrack.  Earlier
  versions may be vulnerable, but they were not
  tested against.

Does it exist on all platforms?

  No, our advisory affects only NT; Solaris was
  tested against and found not vulnerable.  AIX and
  other platforms were not tested against and these
  platforms potentially could be vulnerable.

Is this an issue only with the SSL server (SSL
Handshake? huh? what does THAT have to do with a GET
request?) or does this affect the entire server?

  Netscape decided to combine the GET overflow patch
  in with an SSL problem.  This vulnerability affects
  the entire server.  Netscape handles their patch
  bundling; we have no involvement with that.

Are patches available for previous versions of
Enterprise server?

  Not that we know of.  If previous versions are found
  to be vulnerable, Netscape should be contacted and
  will issue a patch at that time.


----
X-Force
Internet Security Systems, Inc.
(678) 443-6000 / http://xforce.iss.net/
Adaptive Network Security for the Enterprise


AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
