See also: last week's Security page.
News and Editorials
New Linux worm Adore. A new variant of the Ramen and Lion worms emerged this week, with the first effects of the worm showing up in the form of reports of larger and larger numbers of lpd scans showing up on the Incidents list. Initially, it was called the "Red" worm, but the final name chosen (by whatever method these names get chosen) appeared to be "Adore".
The oldest of these vulnerabilities dates back to June of 2000. Fixes for all of them have been widely distributed and can be found through the links above. If your systems are up-to-date, then this worm is not a problem. If they are not up-to-date, the chances they will be found and cracked are growing larger and larger.
Alfred Huger posted this description of the worm on the Incidents list, which includes some statistics from the ARIS Analyzer service, illustrating the worm's progress across different IP networks and various nations. It also serves as a reminder that those of us whose systems are not vulnerable to the worm are still affected, as our systems are pummeled with scans and the network is pummeled with worm-related traffic.
The SANS Institute also posted an advisory for Adore, which includes tools for detection and removal of the worm.
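The paragraphs above note that the first visible sign of Adore was a rising number of lpd scans in firewall logs. The following is an added example, not code from LWN, SANS or the Incidents list posting, showing how a site can spot such a sweep in its own logs: it reads netfilter-style log lines (constructed sample data, addresses from the documentation ranges) and reports every source that probed TCP port 515 (the lpd port) on several distinct hosts, which is a sweep rather than a legitimate print job. The log format, the threshold and the host names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (netfilter/iptables style). Invented for this
# example; these are not lines from the Incidents list or from any real site.
SAMPLE_LOG = """\
Apr  3 02:14:07 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40112 DPT=515 SYN
Apr  3 02:14:07 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP SPT=40113 DPT=515 SYN
Apr  3 02:14:08 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40114 DPT=515 SYN
Apr  3 02:14:08 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.8 PROTO=TCP SPT=40115 DPT=515 SYN
Apr  3 02:14:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 SYN
Apr  3 02:14:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=515 SYN
"""

LPD_PORT = 515  # lpd (the BSD line printer daemon) listens on TCP 515

# Pull source, destination and destination port out of a netfilter log line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, dst, dport) for a netfilter log line, or None if the line
    does not carry those fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dpt"))


def lpd_scanners(log_text, min_hosts=3):
    """Map each source that probed TCP/515 on at least min_hosts distinct
    hosts to the sorted list of hosts it touched. Sources below the threshold
    (e.g. one workstation talking to one print server) are not reported."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport == LPD_PORT:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_hosts}


if __name__ == "__main__":
    for src, hosts in lpd_scanners(SAMPLE_LOG).items():
        print(f"{src} swept lpd on {len(hosts)} hosts: {', '.join(hosts)}")
```

The threshold on distinct destination hosts is what separates a sweep from normal printing traffic; a single host hit repeatedly by one source (the 203.0.113.9 line above) is not reported. Output of this kind is also the material a site would send to an aggregation service such as the ARIS Analyzer mentioned above.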
Engarde Secure Linux. A new entrant into the "Secured Linux Distributions" category this week is Engarde Secure Linux. The announcement for Engarde indicates that it includes the Linux Intrusion Detection System (LIDS), Tripwire, Openwall, snort and more.
Linux Kernel: No Back Door. An April Fool's joke, which described a non-existent back door in the Linux kernel, was published in the latest release of "Linux-Magazin", a monthly German magazine. As a result, SuSE got a flood of user-support questions about the "problem". They issued this statement as a result. "None of the claims are correct, which makes a kernel update unnecessary for this particular problem".
The timing of this joke happened to be particularly bad, since there are perfectly valid reports of security problems in the 2.2.18 kernel. None of them are remotely exploitable and none of them are "back-doors".
Red Hat modifies directory structure on ftp sites. Red Hat's ftp sites, including ftp.redhat.com and updates.redhat.com, now have modified directory structures. The changes are fairly clear and understandable. The old structure has been modified in order to allow for support of the various language-specific versions of Red Hat. (Thanks to Christof Damian).
However, if you've got bookmarks, or, more importantly, update programs with encoded URLs, you'll need to change them to accommodate the new structure.
The security implications of open source software (IBM developerWorks). This IBM developerWorks article looks at free software and security. It includes discussions with Eric Raymond, Michael Warfield, and Theo de Raadt. "Another perk of open source is that the software actually evolves and gets more secure over time. Subject to constant peer review, the number of new vulnerabilities discovered in the software will decrease over time when compared to similar closed source software. But as more crackers seek and find the better-hidden flaws in opaque programs, closed source software gets less secure as time passes."
Whodunnit? (Economist). The Economist looks at computer forensics. "The most ambitious public example of this is the Honeynet Project, a network of honeypot computers that was set up a couple of years ago by Lance Spitzner of Sun Microsystems. Last week, the Honeynet Project reached the conclusion of its "Forensic Challenge", a sort of digital version of the game "Cluedo" ("Clue", to Americans), which attempts to discover that, for example, "Miss Hackwell" did it to the Linux with the Ramen worm. The challenge showed that analysing traces of an attack by malicious hackers is not as easy as it sounds."
Minor format change. Please note the links provided in the left column of this week's edition. They provide a quick way to jump to the discussion of a new vulnerability, an update to an old vulnerability or other sections of this page. We know the Security Summary gets long sometimes (this week is unusually light), so please let us know if you find the new links of help or not. If you like the links, they were suggested by Stuart Moore. If you don't like them, they are all our fault.
BEA Weblogic and Apache Group's Tomcat JSP vulnerability. Both BEA Weblogic and Apache Group's Tomcat 4.0 have been reported vulnerable to a URL JSP request source-code disclosure vulnerability. Essentially, a URL with specific characters appended to it can be used to return the source code of the JSP file. Tomcat 4.0 beta 3 is reported to fix the problem. No fix from BEA Weblogic is currently listed.
BEA Weblogic directory traversal vulnerability. BEA Systems Weblogic Server 6.0 has been reported to contain a directory traversal vulnerability which can be exploited to view files on the server that are outside the webserver's directory. BEA has released a fix for the problem.
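Directory traversal bugs of the kind described above come from mapping a request path onto the filesystem without checking that the result still lies under the document root. The following is an added example, not code from BEA or from the advisory, that puts the vulnerable pattern beside a hardened one: the naive version simply concatenates the path, while the safe version percent-decodes once, normalises the path lexically, rejects embedded NUL bytes, and refuses anything that resolves outside the root. The document root and the request paths are constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for this example (an assumption; the advisory
# names no paths).
DOC_ROOT = "/var/www/docroot"


def naive_resolve(doc_root, request_path):
    """The vulnerable pattern: glue the request path onto the document root.
    '..' segments reach the filesystem untouched and walk out of the root."""
    return doc_root + "/" + request_path.lstrip("/")


def safe_resolve(doc_root, request_path):
    """The hardened pattern: decode once, normalise, then require the result
    to lie inside doc_root. Returns None when the request would escape."""
    decoded = unquote(request_path)
    if "\x00" in decoded:  # a NUL would truncate the name in a C-level open()
        return None
    root = posixpath.normpath(doc_root)
    # normpath collapses '.', '..' and repeated slashes, so the containment
    # check below is made on the path the filesystem would actually see.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def triage(doc_root, request_paths):
    """Split a batch of request paths into those the safe resolver would serve
    and those it rejects."""
    served, rejected = [], []
    for path in request_paths:
        if safe_resolve(doc_root, path) is None:
            rejected.append(path)
        else:
            served.append(path)
    return served, rejected


# Constructed request paths covering the plain, dot-dot, percent-encoded and
# NUL-byte cases.
SAMPLE_REQUESTS = [
    "/index.jsp",
    "/docs/../index.jsp",
    "/../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/docs/%00.jsp",
]

if __name__ == "__main__":
    for path in SAMPLE_REQUESTS:
        print(f"{path:32} naive -> {naive_resolve(DOC_ROOT, path)}")
        print(f"{'':32} safe  -> {safe_resolve(DOC_ROOT, path)}")
```

Note that `/docs/../index.jsp` is accepted because it normalises to a file inside the root; only escapes are refused. The check here is lexical, which is enough for the dot-dot class of bug; a real server should additionally resolve symlinks (for instance with `os.path.realpath`) before the containment test, and decode the path exactly once, so that the string checked is the same string handed to the filesystem.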
Commercial products. The following commercial products were reported to contain vulnerabilities:
ptrace/execve/procfs race condition in the Linux kernel 2.2.18. Exploits were released last week for a ptrace/execve/procfs race condition in the Linux kernel 2.2.18. As a result, an upgrade to Linux 2.2.19 is recommended.
This week, Alan Cox put up the Linux 2.2.19 release notes, finally giving the specifics on all the security-related fixes in 2.2.19 (all thirteen of them!) and giving credit to the Openwall project and Chris Evans, for the majority of the third-party testing and auditing work that turned up these bugs. Fixes for the same bugs have also been ported forward into the 2.4.X kernel series.
This week's updates:
OpenSSH 2.5.2p2 released. OpenSSH 2.5.2p2 was announced last week. It contains a number of fixes (including improvements in the defenses against the passive analysis attacks discussed in the March 22nd LWN security page) and quite a few new features as well.
This week's updates:
VIM statusline Text-Embedded Command Execution Vulnerability. A security problem was reported in VIM last week where VIM codes could be maliciously embedded in files and then executed in vim-enhanced or vim-X11.
This week's updates:
Kerberos libkrb4 race condition. A race condition in libkrb4 that can be exploited to overwrite the contents of any file on the system was reported last week by Red Hat.
This week's updates:
Denial-of-service vulnerability in FTP server implementations. Check the March 22nd LWN Security Summary for the original report. Affected FTP daemons include ProFTPd, NetBSD FTP, PureFTPd (vulnerable to some variants of this attack), BeroFTPD, and FreeBSD FTP.
This week's updates:
FreeS/WAN 1.9 kernel support. Last week, FreeS/WAN 1.9 was released, primarily providing compatibility with the new 2.4.x kernels (2.4.2 is specifically mentioned), though additional bugfixes and features are also included. Note that 1.9 was released just before Linux kernel 2.2.19 was and, you guessed it, another minor update is needed to work with that kernel.
Check the FreeS/WAN home page for more information on this project, which brings IPSEC and IKE support to Linux.
Rackspace announces an 'antidote' to 'knark'. Rackspace has issued a press release about a program it has released to deal with the rootkit "Knark". For more information on Knark, check this analysis of Knark by Toby Miller.
The interesting point of Knark is its use of a kernel module to hide evidence of the toolkit. Alamo is another kernel module, "shamelessly ripped off" of Knark that simply tries to undo what Knark does, exposing the rootkit. It is based on the 2.2.14 kernel, but should work for most 2.2.X kernels.
WARNING! APRIL FOOL'S JOKE! Well, if you're going to mention an April Fool's joke on any day except April 1st (and even then!), you have to be careful that people don't take it seriously. That warning given, check out the announcement for a new BSD variant, ThomasBSD. "ThomasBSD is based on OpenBSD, thus it is OpenBSD PLUS MORE, mathematically making it (NetBSD PLUS MORE) PLUS MORE. The epoch of ThomasBSD will be moved back from January 1st, 1970 to January 1st, 1960. Whenever a security problem is found and fixed in OpenBSD, this little shift will enable me to also correct the issue in ThomasBSD and then send mail to security-related mailing lists stating that 'this was fixed in ThomasBSD about ten years ago'".
Internet Security Conference 2001. A reminder went out this week for the upcoming Internet Security Conference 2001, being held the first week of June in Los Angeles, CA, USA. "TISC is an educational forum for security professionals and practitioners".
Upcoming security events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to email@example.com.
Section Editor: Liz Coolbaugh
April 5, 2001