See also: last week's Security page.
News and Editorials
AirSnort hits the net. AirSnort is a new packet sniffing tool, which has been released under the GPL. A particular feature of AirSnort, however, is that (1) it works with wireless networks, and (2) it is capable of recovering the encryption keys used with those networks.
It has been known for some time that the WEP protocol used with 802.11b networking is insecure, but nobody has, until now, produced a widely-available exploitation tool. And AirSnort is certainly such a tool; given a sufficient pile of sniffed data (100MB or more), it can come up with the master password in "under a second." Once an attacker has that password, he or she has free use of the wireless network.
The usual debate about whether it was appropriate to release this tool has arisen. The truth of the matter, however, is that the security problems exist and will be exploited; AirSnort did not cause them. But it will, perhaps, draw more attention to these problems, and, with luck, hasten a fix. Meanwhile, anybody running a wireless network should assume that it is open to the world.
Researchers develop SSH cracker (vnunet). vnunet.com is running an article describing a new attack on ssh developed by researchers at the University of California at Berkeley. It's more of a traffic analysis attack than one on the ssh protocol itself - it looks at the inter-packet timings and deduces keystrokes from that. "A password cracker program, dubbed Herbivore, was developed on the back of the research. Herbivore is capable of learning a user's password by monitoring SSH sessions."
More information is available in the white paper written by the researchers (Dawn Xiaodong Song, David Wagner, and Xuqing Tian).
Another look at full disclosure. Those interested in the full disclosure debate (as covered in last week's LWN.net Weekly Edition) may want to have a look at this paper by Jon Lasser. He looks at the evolution of the rpc.statd hole and its exploits, leading up to the Ramen worm, and how full disclosure may have helped those seeking to take advantage of this vulnerability.
Security Reports
Denial of service vulnerability with netfilter MIRROR target. The experimental MIRROR target, available with the 2.4.x netfilter code, may open up sites to denial of service attacks. See this report from Fabian Melzow for details and information on how to work around the problem.
An input validation problem with sendmail. It's been a little while since we had a serious sendmail vulnerability. Wait no longer; Dave Ahmed has reported an input validation problem which may be used by local users to obtain root access. An exploit for the problem has already been posted. The vulnerability is not exploitable remotely. For now, the solution to the problem is to upgrade to sendmail 8.11.6 (or, for beta users, 8.12.0Beta19). No distributors have issued updates as of this writing; keep an eye on the LWN.net Daily Updates Page to see when patched packages from the distributions become available.
SuSE fixes a problem with sdb. SuSE has posted an advisory for sdb; a Perl cgi script that sdb uses may be vulnerable by using untrustworthy client input (HTTP_REFERER). Exploiting the bug requires access to a local account.
Caldera Security Advisory for ucd-snmp. Caldera International, Inc. has found some problems in ucd-snmp, including "several potentially exploitable buffer overflows, format string bugs, signedness issues and tempfile race conditions." OpenLinux eServer 2.3.1 and OpenLinux eBuilder, using ucd-snmp-4.2.1-6b, are vulnerable.
Proprietary products. The following proprietary products were reported to contain vulnerabilities:
Buffer overrun vulnerabilities in fetchmail. (Found by Salvatore Sanfilippo). Two buffer overrun vulnerabilities exist in the much-used fetchmail program. Given a hostile server, arbitrary code can be run on the system running fetchmail. The solution is to upgrade to fetchmail 5.8.17. See the August 16 Security page for the initial report.
Format string vulnerability in groff. A format string problem exists in groff; apparently it could be remotely exploited when it is configured to be used with the lpd printing system. (First LWN report: August 16, 2001). The stable release of Debian is not vulnerable.
Mandrake-Linux advisory for gdm. MandrakeSoft has issued an advisory for gdm to address a very old (first covered in the May 25, 2000 LWN Security Page) remote exploit through XDMCP. Note, however, that Mandrake-Linux doesn't configure XDMCP use by default.
Securing Sendmail with TLS (Linux Journal). The Linux Journal shows how to set up sendmail using Transport Layer Security (TLS) channels. "The most obvious use of a cryptographically enabled Sendmail installation is for confidentiality of the electronic mail transaction and the integrity checking provided by the cipher suite. Everything between the two mail servers is encrypted, including the sender and recipient addresses. TLS also allows for authentication of either or both systems in the transaction."
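As an added illustration (not taken from the Linux Journal article or from LWN), here is a sendmail.mc fragment that turns on STARTTLS for both the server and client sides and uses the access map to require encryption and peer verification for one partner host; the certificate paths and the host name partner.example are assumed values for a hypothetical site:

```m4
dnl Added example: STARTTLS setup for sendmail 8.11 and later.
dnl All file paths and host names below are assumptions for a hypothetical site.
define(`confCACERT_PATH', `/etc/mail/certs')dnl          directory of trusted CA certificates
define(`confCACERT', `/etc/mail/certs/CA.pem')dnl        CA that signed the peer MTAs' certificates
define(`confSERVER_CERT', `/etc/mail/certs/mta.pem')dnl  certificate offered when we receive mail
define(`confSERVER_KEY', `/etc/mail/certs/mta.key')dnl   private key; keep it mode 0600, owned by root
define(`confCLIENT_CERT', `/etc/mail/certs/mta.pem')dnl  certificate offered when we send mail
define(`confCLIENT_KEY', `/etc/mail/certs/mta.key')dnl
FEATURE(`access_db')dnl                                  per-peer TLS policy lives in /etc/mail/access
dnl
dnl Entries for /etc/mail/access (assumed peer name):
dnl   TLS_Srv:partner.example   ENCR:128    outbound mail to partner.example only over a >=128-bit TLS session
dnl   TLS_Clt:partner.example   VERIFY:128  inbound from partner.example must present a certificate we can verify
dnl Without such entries sendmail will use TLS opportunistically but still fall back to cleartext.
```

Rebuild sendmail.cf with m4 and the access map with makemap after editing, and confirm the session with the "STARTTLS" verb visible in the SMTP dialogue and the "verify=OK" field in the mail log.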
LinuxSecurity.com's weekly newsletter for August 20 is available.
Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to email@example.com.
Section Editor: Jonathan Corbet
August 23, 2001