News and Editorials
How Can You Defend Against a Superworm? (Linux Journal). Don Marti speaks with Brandon Wiley, coordinator of the Tristero project, about the threat of "superworms" and what might be done to defend against it. "Linux administrators see log files full of failed attack attempts when some other platform is subject to a worm attack. Dumb worms might be a nuisance and a waste of bandwidth. But what if worms were a little smarter about which hosts to attack, when to attack and with what exploit? What if a worm developer could update all the running worms, on the fly, with a new exploit?"
Lock in the Nessus monster (ARNnet). Con Zymaris writes about selling security scanning with Nessus as a service. "Here's the crux of the analysis, however: no matter how good these [proprietary] tools are, all pale by comparison to Nessus. In all the security expert reports I have read in the past 18 months, Nessus is considered the best-of-breed security vulnerability scanning product, by a long margin. That it is open source, has long-term viability and is totally free of any licensing or use costs are mere bonuses, and great for reducing our cost of establishing this business service."
Nessus does not call home. Despite some rumors to the contrary at the recent CanSecWest conference, Renaud Deraison reassures us that "Nessus does not call home. It never does, never did and never will. However, the checks [it performs] have a side effect that may have the naughty side effect to sending some packets to nessus.org, which can make people think I have the ability to monitor their scans."
Sending a wake-up call to the W3C (News.com). Rich DeMillo, Hewlett-Packard's vice president of technology strategy, tells us why "Linux will be the first operating system" HP will port to their Secure Platform Architecture (SPA). "We think it makes great sense to do this in the town square by calling on the trust-enhancing ability of the open-source community with its rigorous peer review, open publishing and testing methodologies."
DHCP remotely exploitable format string vulnerability. The May 8, 2000 release of ISC DHCP 3.0p1 fixes this serious vulnerability in ISC DHCPD 3.0 to 3.0.1rc8 inclusive. So far, the only distributor update we have seen for this vulnerability is this one from Conectiva.
We encourage DHCP users to upgrade, disable DHCP or, at a minimum, consider using ingress filtering as described in the CERT advisory.
Netfilter NAT/ICMP information leak. "Netfilter ("iptables") can leak information about how port forwarding is done in unfiltered ICMP packets. The older "ipchains" code is not affected." The bug exists in the iptables package in all versions of the 2.4.4 kernel up to "(at least) 2.4.19-pre6".
A sufficient workaround is to filter out untracked local ICMP packets using the following command:
iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
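An added example (not part of the advisory or of the original page): because -A appends to the end of the chain, the DROP rule above does nothing if an earlier OUTPUT rule already accepts the packet. The sketch below reads "iptables -S OUTPUT" output and reports whether the rule is present and reachable; the function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Audit `iptables -S OUTPUT` output (read from stdin) for the workaround rule.
# Return codes: 0 = DROP rule present and reachable
#               1 = DROP rule missing
#               2 = an earlier rule already accepts INVALID ICMP (shadowed)

# True if the rule line in $1 would accept an INVALID-state ICMP packet.
accepts_invalid_icmp() {
    case "$1" in *"-j ACCEPT"*) ;; *) return 1 ;; esac
    # "-p icmp" or no protocol match at all can both match ICMP.
    case "$1" in *"-p icmp"*) ;; *" -p "*) return 1 ;; esac
    # A state match that does not list INVALID cannot match these packets.
    case "$1" in *INVALID*) return 0 ;; *"state "*) return 1 ;; esac
    return 0
}

check_icmp_invalid_drop() {
    while IFS= read -r rule; do
        case "$rule" in "-A OUTPUT "*) ;; *) continue ;; esac
        case "$rule" in
            # Matches both "--state INVALID" and "--ctstate INVALID".
            *"-p icmp"*"state INVALID"*"-j DROP"*) return 0 ;;
        esac
        if accepts_invalid_icmp "$rule"; then return 2; fi
    done
    return 1
}

# Constructed sample listing (not from a real host): an ACCEPT precedes the DROP.
SAMPLE='-P OUTPUT ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j DROP'

rc=0
printf '%s\n' "$SAMPLE" | check_icmp_invalid_drop || rc=$?
echo "sample ruleset status: $rc (0=effective, 1=missing, 2=shadowed)"
```

On a live host, feed it with "iptables -S OUTPUT | check_icmp_invalid_drop"; rules reached through jumps to user-defined chains are not followed.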
Updates which fix the problem were released this week by:
Red Hat advisory for sharutils. Updated packages for sharutils are available which fix potential privilege escalation using the uudecode utility.
Red Hat Security Advisory. Updated perl-Digest-MD5 packages are available which work around a bug in the utf8 interaction between perl-Digest-MD5 and Perl.
Gaim arbitrary email reading vulnerability. Gaim 0.57 has a bug which allows a local attacker to gain full access to other Gaim users' Hotmail accounts. A fix is available. The problem has been fixed in the nightly CVS, and will be fixed in version 0.58. "Gaim is an all-in-one IM client that resembles AIM. Gaim lets you use AIM, ICQ, Yahoo, MSN, IRC, Jabber, Napster, Zephyr, and Gadu-Gadu, all at once. Gaim is NOT endorsed by or affiliated with AOL, Yahoo, MSN or Napster."
Quake II 3.2x server cvar leak. A problem in the Quake II server for Linux allows an attacker to reveal the server's rcon password. Details of the affected source code and patched binaries are available.
Web scripts. The following web scripts were reported to contain vulnerabilities:
GNU fileutils race condition. A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).
This week's updates:
Multiple vulnerabilities in icecast. Icecast is a streaming audio broadcasting system. Version 1.3.12 was released on April 10th. "This release is a security update and all users are highly encouraged to upgrade immediately or apply the relevant patches to their own versions. Remember, never run icecast as a privileged user, especially not as root." (First LWN report: May 2).
This week's updates:
Multiple vulnerabilities in tcpdump. Version 3.5.2 fixed a buffer overflow vulnerability in all prior versions. However, newer versions, including 3.6.2, are vulnerable to another buffer overflow in the AFS RPC functions that was reported by Nick Cleaton. (First LWN report: May 9).
Both problems appear to have been reported and fixed in FreeBSD some months ago. The CIAC report on the vulnerability in versions prior to 3.5.2 is dated October 31, 2000. Nick Cleaton's FreeBSD security advisory on the AFS RPC bug, and reference to a fix for FreeBSD, is dated July 17, 2001. Tcpdump 3.7 was released on January 21, 2002.
This week's updates:
Fenris 0.02 has been released by Michal Zalewski. "Fenris is a multipurpose tracer, stateful analyzer and partial decompiler intended to simplify bug tracking, security audits, code, algorithm, protocol analysis and computer forensics." Michal has also written these hints for those using Fenris for The Reverse Challenge contest from the folks at Honeynet. His "quick write-up is not intended to spoil the fun, so it is safe to have a look."
Upcoming Security Events.
The 2002 Edinburgh Financial Cryptography Engineering has issued a call for papers. On June 28th and 29th 2002 Edinburgh, Scotland "is again host to the international engineering conference on Financial Cryptography. Individuals and companies active in the field are invited to present and especially to demonstrate Running Code that pushes forward the "state of the art"."
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to firstname.lastname@example.org.
Section Editor: Dennis Tenney
May 16, 2002