[LWN Logo]
[LWN.net]

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Back page
All in one big page

See also: last week's Security page.

Security


News and Editorials

XFree86 security problems. XFree86 security problems have become an ongoing issue. Chris Evans pointed out on BugTraq this week an increasing number of XFree86 security problems for which vendors have not released security updates, including:

According to Security Focus' BugTraq database, no official response from any vendor, or the XFree86 team, has been seen for any of these problems.

Given Linux' heavy dependence on XFree86, the current situation is definitely not good. We cannot tell, from the lack of response, if the problems above have been investigated and found to be invalid or valid, whether fixes haven't been released because no one took the time or because the issues are too difficult, intrinsically, to fix properly. Fixes for the problems may even have been put into the XFree86 development tree without announcement or back-port to the stable versions in general use; that has happened in the past.

Chris Evans' response to this has been the release of an exploit for at least one of the problems he personally reported, and the encouragement for others to do the same. As a result, the need for fixes for these problems has just increased an order of magnitude. Most of us can't afford to stop using X, therefore security updates for XFree86 are a real necessity. In the meantime, while we continue to wait, a check on your firewall to make sure you are blocking X packets is one good idea.

The case for exploits. Chris Evans' choice to develop and release exploits for a security problem for which no fixes have been developed after several months is a good example of why exploits became so necessary in the computer security world. Particularly with commercial software, where the customer has no option other than to wait for a vendor to release a fix, exploits and negative publicity are about the only tools available. Negative publicity is easier to generate for a problem with a proven exploit, so the two go hand in hand.

Last week, discussion on BugTraq mentioned and highlighted a couple of additional reasons for the use of exploits. One security problem seen last week had been reported as a bug many months before, but the person who reported it, and others that read the bug report, couldn't quite envision how the bug could be used to actually broach security. As a result, the bug was left unfixed -- until last week, where someone proposed a theoretical manner in which it could be exploited, and then proved their theory with an exploit. Needless to say, the bug was quickly fixed.

That particular example could quickly take us to a discussion of why every bug is important to fix, but that's not our topic this week. Let's concentrate, instead, on other ways that exploits help us. For systems administrators who are actively following and applying patches for security problems, exploits allow them to first identify whether or not their system is vulnerable (and adjust the priority of the security update) and also to test an applied "security fix" to see if it has really removed the problem.

Much publicity and attention is going to the negative aspects of such exploits, the way in which they have been used by "script kiddies" to proliferate attacks on systems across the Internet. However, it is very difficult to see how computer security would have ever improved to even today's wobbly standard without them. Blaming the exploits obscures the real culprit: the software/hardware is vulnerable and needs to be fixed.

The Cybercrime Treaty. It is important to understand the need for exploits, and other tools that are used by systems administrators and script kiddies alike. A lack of that understanding is frighteningly demonstrated by the draft Cybercrime Treaty from the Council of Europe.

This is not a new draft; it is dated April 25th, 2000. It was discussed on Slashdot in September. However, this week, MS NBC covered the treaty, stating that it would create a new class of persecuted artists: computer hackers. This article is, obviously, fairly inflammatory and does not bother to reference the text of the original treaty, nor use accurate quotes from it. However, we don't disagree with the heart of the article, that this potential Treaty could have serious negative impacts on software developers.

What, exactly, in the treaty generates such concern? Much of it stems from the necessarily vague language of a treaty that involves forty-one European nations, as well as the US, Canada, Japan, and South Africa. In particular, the treaty outlaws "Illegal Devices", and then proceeds to define them as follows:

Article 6 - Illegal Devices

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally and without right:

a.the production, sale, procurement for use, import, distribution or otherwise making available of:

1.a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5;

2.a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed with intent that it be used for the purpose of committing the offences established in Articles 2 - 5;

a.the possession of an item referred to in paragraphs (a)(1) and (2) above, with intent that it be used for the purpose of committing the offenses established in Articles 2 - 5. A party may require by law that a number of such items be possessed before criminal liability attaches.

Part of the damage here is the continuance of equating a software program with a device, instead of equating software code with free speech, an analogy that most of us in the Free Software world prefer.

Another reason for concern is the fact that this treaty is so far-reaching, yet the process of developing it side-steps the internal process of the U.S. and other countries for guaranteeing input and review from citizens. For more specific details on such concerns, you may want to refer to this additional MS NBC article in which a coalition of 28 cyber-rights organizations slam the treaty. ""Police agencies and powerful private interests acting outside of the democratic means of accountability have sought to use a closed process to establish rules that will have the effect of binding legislation," the GILC stated in its letter."

People working with computer security are particularly affected, since much, if not all, of the software used for computer security purposes can be adapted for illegal purposes. It may even, depending on the individual's point of view, have been designed for computer intrusion, yet be an essential tool for security experts and systems administrators. All exploit code would fall into this category. As a result, this statement of concerns has been signed by a number of "leading security practitioners, educators, vendors, and users of information security". They state bluntly, "We are concerned that some portions of the proposed treaty may inadvertently result in criminalizing techniques and software commonly used to make computer systems resistant to attack."

There is no indication that the draft has been changed in response to these expressed concerns.

Happy birthday to OpenBSD. Thanks to Alexandre Dulaunoy, who pointed out that October 18 was the fifth anniversary of the beginning of the OpenBSD project. Congratulations, and we wish you many more!

U.S. crypto winners -- Belgian heroes (Wall Street Journal Interactive. Jokingly, they were presented with a pseudo-gold medal, draped around the neck of an inflatable Tux. This Wall Street Journal Interactive article takes a look at Vincent Rijmen and Joan Daemen, creators of the Rijndael encryption formula, selected by NIST to become the new Advanced Encryption Standard.

"Rijndael is the fruit of symbiotic intellectual relationship. Though he has the more assertive personality and even shows a cocky side at times, Daemen says he considers himself less gifted in math than the shy, understated Rijmen -- something Rijmen doesn't seem to dispute. But both say they couldn't be successful without being able to test ideas and theories through each other. And Rijmen may be the better mathematician, but Daemen's creative ideas are sometimes what put them on track toward a breakthrough, they say."

Security Reports

Oracle vulnerabilities. The Oracle LDAP daemon, oidldapd, contains a buffer overflow that can be exploited via the use of an environmental variable, whose value is not properly checked before use. For details, check the original BugTraq report. Oracle 8.1.6 on Linux is affected, as is Oracle Internet Directory 2.0.6. Oracle has responded and promises a fix next week.

MySQL authentication weakness. The CORE SDI team reported an authentication weakness in MySQL this week. MySQL uses a challenge/response authentication scheme to avoid passing passwords across the network in plaintext. The CORE SDI team demonstrated that this authentication scheme can be detected and, after the observation of such challenge/response interactions, fake passwords can be generated to interact with the server and gain access to client data and privileges.

This is a known security weakness of MySQL, documented in the MySQL manual. To avoid it, ssh-tunneling should be used to support MySQL client/server interactions outside a local network. The manual section makes other configuration suggestions to minimize the problem.

Slackware PPP vulnerability. A Slackware-specific configuration error in the ppp-off script could allow an unprivileged user to overwrite any file on the system. A new Slackware PPP package has been issued to correct the problem.

ntop '-i' buffer overflow. The "-i" option of ntop can be exploited to pass in a command which is then executed by ntop. If ntop is installed setuid root, this can lead to a root break-in. Check this BugTraq report for more details.

Exploits for ntop have also been published, so you may want to disable ntop until a security update is available. Alternatively, Christophe Bailleux reported that ntop-1.1-5.i386.rpm is not installed setuid and is not vulnerable.

Red Hat lpr print filter vulnerability. The lpr package shipped with Red Hat 6.2 (and possibly earlier versions) contains a print filter with a configuration error that can be exploited to run arbitrary commands under the lp group. This, in turn, can be exploited to gain root privileges. Red Hat 7.0 is reported not to be vulnerable. For more information, check out BugTraq ID 1834. This problem was reported by Zenith Parsec on October 20th.

Commercial products. A security fix for Half-Life, a popular first-person shooter game, was included in the 1.1.0.4 release of Half-Life, now available for download.

Updates

Apache mod_rewrite vulnerabilty. Files outside the document root can be accessed, if the mod_rewrite module for Apache is in use. For more details, check the October 5th LWN Security Summary.

This week's updates:

Previous updates:

GnuPG false signature verification. GnuPG fails to correctly validate multiple signatures in a file. Check last week's Security Summary for details. GnuPG 1.0.4 has been released and contains the fix for this problem. Anyone using GnuPG will want to upgrade their package as soon as possible.

This week's updates:

Format string vulnerabilities in PHP. Multiple format string vulnerabilities in PHP 3 and PHP 4, including one involving the use of syslog, can be exploited remotely to execute arbitrary code under the web server's identity. PHP 3.0.17 and 4.0.3 contain the fixes for these problems. For more information, check last week's LWN Security Summary.

This week's updates:

Previous updates:

NIS/ypbind format string vulnerability. A format string vulnerability in NIS/ypbind can be remotely exploited to run arbitrary code as root. An immediate upgrade is recommended. For more information, check last week's LWN Security Summary.

This week's updates:

Previous updates:

xlockmore. Check the August 24th Security Summary for details. An update to xlockmore 4.17.1 is recommended.

This week's updates:

Older updates:

curl buffer overflow. A buffer overflow in curl, a command-line tool for getting data from a URL, was reported last week.

This week's updates:

Previous updates:

Buffer overflows in ping. Multiple buffer overflows in Alexey Kuznetsov's ping were discussed last week.

This week's updates:

Resources

The following security-related software has been released this week:
  • Bastille Linux 1.1.1, a hardening script for Red Hat-based Linux systems. It includes some initial work on support for Red Hat 7.0, meaning it probably is not yet ready for use on Red Hat 7.0 systems, but they are "working on it".

Events

Upcoming security events.
Date Event Location
October 29-November 2, 2000. SD 2000 (Software Development Conference) Washington D.C., USA
November 1-3, 2000. Compsec 2000 Westminster, London, U.K.
November 1-4, 2000. 7th ACM Conference on Computer and Communication Security Athens, Greece.
November 3-5, 2000. PhreakNIC v4.0 Nashville, TN, USA.
November 8, 2000. Security Forum 2000 Vancouver, British Columbia, Canada.
November 13-15, 2000. CSI 27th Annual Computer Security Conference and Exhibition Chicago, IL, USA.
November 26-December 1, 2000 Computer Security 2000 and International Computer Security Day (DISC 2000) Mexico City, Mexico
December 3-7, 2000. Asiacrypt 2000 Kyoto, Japan.
December 3-8, 2000. LISA 2000 New Orleans, LA, USA.
December 10-13, 2000. INDOCRYPT 2000 Calcutta, India.
December 11-15, 2000. 16th Annual Computer Security Applications Conference New Orleans, LA, USA.
December 20-21, 2000. The Third International Workshop on Information Security University of Wollongong, NSW, Australia.
December 27-29, 2000. Chaos Communication Congress Berlin, Germany.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


October 26, 2000

LWN Resources


Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal
 

Next: Kernel

 
Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds