News and editorials

Denial of Service Attacks continue to escalate. Last week, we mentioned a CERT advisory about the increased presence of automated tools to facilitate Denial-of-Service attacks. CERT has issued a new advisory on developments in this area, partially in reaction to this detailed analysis of one such DoS tool, "stacheldraht", by David Dittrich:

"In late June and early July of 1999, one or more groups were installing and testing trinoo networks and waging medium to large scale denial of service attacks employing networks of over 2000 compromised systems. These attacks involved, and were aimed at, systems around the globe."

Both Solaris and Linux are target platforms for "stacheldraht", even though Solaris appears to be the more popular platform for it at the moment. The key to this attack is the ability to find literally thousands of exploitable sites from which to launch Denial-of-Service attacks on the intended victim. As a result, the primary defense against it is to increase security awareness and improve practices on all sites, as well as to increase intrusion detection measures, so that exploited sites can find out they have been impacted and address the problem. A perl script called "gag" is referred to in David's analysis and can be used to detect the presence of stacheldraht on your machine.

The issues are complex, so we won't try to reproduce the work of CERT and others, but instead direct you all to their advisory above for more information.
DNS Insecurity. No, this isn't yet another BIND vulnerability. This issue is the use of email to allow modifications to your registered domain information. Email spoofing is easy and is now being actively used to modify domain name service information for registered domains. A number of such incidents were reported to the SANS Institute during their Y2K alert program. SecurityPortal.com's Kurt Seifried has written this editorial on the topic, outlining your option to add password or PGP protection to your DNS records with your registrar, if you are working with Network Solutions.
Security Reports

Majordomo vulnerabilities. SuSE has sent out an announcement that the Majordomo mailing list manager has a number of security vulnerabilities. Unfortunately, Majordomo is not entirely free software, so SuSE is currently unable to distribute a fix. Majordomo installations on other distributions and operating systems will be equally vulnerable. Until a fix is made available, removing execution permissions for "other" (chmod o-x) is recommended. For more information, check out BugTraq IDs 903 and 902.
PHP 3.X vulnerability. An exploitable vulnerability has been reported in PHP 3.X's 'safe_mode'. More information and a workaround can be found in the BugTraq database.
Zope security update released. A security update to Zope has been announced. The vulnerability looks like a nasty one; those running publicly-available Zope-based sites will want to apply it at the earliest opportunity.
vibackup.sh. The vibackup.sh script, reportedly used on OpenBSD, FreeBSD and Debian GNU/Linux, insecurely removes files. This has apparently been replaced in OpenBSD 2.6 and a fix for stable and current versions of FreeBSD has gone in. No word from Debian has been seen as of yet.
Commercial reports. Cisco reported a Kerberos Client Authentication Failure for Cisco products with Kerberos authentication enabled.
Netscape Fasttrack 2.01a is reported to have a vulnerability that makes the uid of the httpd daemon exploitable.
Updates

usermode and pam. Red Hat has issued an update to usermode and pam which fixes a bug in the userhelper program that can allow a local root exploit. Note that the advisory recommends upgrading the package with the "rpm -Uvh" command. "rpm -Fvh" is probably a better alternative, as pointed out by several people on BugTraq. That will guarantee that the package will not get installed if you have never previously installed it.
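The point about "rpm -Fvh" versus "rpm -Uvh" is that -U installs every package you hand it, while -F (freshen) only touches packages already present, so applying a batch of errata can never quietly add software to a machine that never had it. The following added example (ours, not Red Hat's or rpm's own code) mimics that selection rule in POSIX shell so the behaviour can be seen without a real RPM database: it parses package names out of RPM file names and keeps only the ones that appear in a constructed list of installed packages. The package names and file names below are constructed samples, not the actual erratum file names.

```shell
#!/bin/sh
# Added example, not from the original page. Reproduces the selection rule
# behind "rpm -Fvh": only packages that are already installed get upgraded.

# Derive the package name from an RPM file name of the form
# name-version-release.arch.rpm. Names may contain hyphens, but version and
# release never do, so stripping from the right end is safe.
rpm_name() {
    base=${1##*/}                # drop any directory part
    base=${base%.rpm}            # drop the .rpm suffix
    base=${base%.*}              # drop .arch
    base=${base%-*}              # drop -release
    printf '%s\n' "${base%-*}"   # drop -version, leaving the name
}

# select_freshen INSTALLED_LIST rpm...
# INSTALLED_LIST is a file with one installed package name per line (what
# `rpm -qa --qf '%{NAME}\n'` would give on a real system). Prints only those
# rpm files that a freshen (-F) would apply; the rest are silently skipped.
select_freshen() {
    installed=$1; shift
    for f in "$@"; do
        if grep -qx -- "$(rpm_name "$f")" "$installed"; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone demonstration with a constructed installed-package list.
demo_freshen() {
    list=$(mktemp)
    printf 'usermode\npam\nglibc\n' > "$list"
    # kernel-smp is deliberately NOT installed on this constructed host,
    # so -F semantics must leave it out even though it was offered.
    select_freshen "$list" \
        usermode-1.0-1.i386.rpm \
        pam-0.1-1.i386.rpm \
        kernel-smp-2.2.0-1.i386.rpm
    rm -f "$list"
}

demo_freshen
```

On a real system the same effect is obtained directly with `rpm -Fvh *.rpm` against the errata directory; the script only makes the filtering visible.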
Resources

Secure Programming for Linux HOWTO. Developers will want to check out David A. Wheeler's just-released document titled "Secure Programming for Linux HOWTO". Issued under the GPL, this 28 page document "provides a set of design and implementation guidelines for writing secure programs for Linux systems. Such programs include application programs used as viewers of remote data, CGI scripts, network servers, and setuid/setgid programs."
SHADOW Intrusion Detection System y2k updates. Versions of the SHADOW IDS prior to 1.6 had difficulties with the January 1, 2000 date change. For those people that do not want to upgrade, a workaround has been posted, but an upgrade is recommended.
Saint 1.4.1. This latest minor update to SAINT has been updated to reflect recently reported vulnerabilities. "New checks have been added for an ODBC RDS bug, for an IIS 4.0 buffer overflow, for Calendar Manager service, for sadmind, for Trinoo and for DRAT backdoor. Updates have been made to the checks for DNS, ftpd, ssh, and QPOP...".
Section Editor: Liz Coolbaugh
January 6, 2000