Robin Miller considers
the virtues of mature software.
Here's an interesting way to secure an Internet-connected computer against
intruders: Make sure the operating system and software it runs are so old
that current hacking tools won't work on it.
Woody release manager Anthony Towns shares some information about the new
security infrastructure. This new infrastructure is a critical component
of the woody release.
Wired News covers the
National Security Agency's Security-Enhanced Linux (SELinux). "NSA's
Wagner says that SELinux's adoption rate 'has exceeded our original
expectations. This release has also caused developers of non-Linux systems
to consider incorporating similar controls based upon our earlier
prototypes.'"
If you haven't seen it already, this week's LWN.net leading item
is about SELinux and patents.
Vnunet covers
cross-platform viruses, which might be able to infect Linux systems.
"Although the virus was not the first of its kind to infect both
Windows and Linux machines, it apparently moved virus-writing techniques
'yet another step up the scale of complexity'."
Robert Lemos
worries
that although the Simile.D cross-platform virus isn't much of a threat, the
techniques it uses may be bad news. Simile.D is, so far, one of the few
viruses with the
"ability to jump from Windows to Linux and back again."
After Monday, June 17 2002, SuSE will not provide security
fixes for SuSE Linux 6.4 any more. With SuSE 8.0 in release, the
announcement isn't a surprise.
The Bugzilla team has issued
a security advisory encouraging
all Bugzilla installations to
upgrade to the latest versions
of Bugzilla released Jun 8th, 2002, 2.14.2 and 2.16rc2.
"Various security issues of varying importance have been fixed in
Bugzilla 2.14.2. Most of these were fixed already in 2.16rc1, a few
were not."
Tom Vogt has reported a frustrating problem with Mozilla 1.0 and earlier.
A maliciously crafted stylesheet can cause the X server to crash or
consume memory until stopped with a kill -9. Either way, it takes the
desktop with it when it goes.
Ulf Harnhammar reports that CBMS
"is littered with XSS (Cross-site Scripting) and SQL Injection holes."
CBMS is a full-featured client/billing system designed from the ground up to cater specifically to hosting providers. The software is a PHP script package which uses MySQL. Notable features include automated invoicing, client search, multiple customizable packages for clients and a client-viewable real-time invoice.
Steve Gustin has reported multiple vulnerabilities in the csNews.cgi
script from CGIscript.net. The advisory's recommendation:
"Contact vendor for updated version, only allow
completely trusted users to access the application,
disable access to .style and *db files through
Apache .htaccess files."
Nick Cleaton reports that the
AlienForm2
form to email gateway has
a flaw which, subject to file permissions, allows
an attacker to read and modify
"any file on the server."
A suggested fix is included.
Guillaume Pelat has reported format string vulnerabilities
in mmmail 0.0.13 and
mmftpd 0.0.7. Updated versions
which fix both problems are available.
Mmmail supplies SMTP and POP3 daemons using MySQL, among other features.
Mmftpd is a secure FTP server.
Ethereal 0.9.4
was released
on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
The SMB dissector could potentially dereference a NULL pointer in two cases.
The X11 dissector could potentially overflow a buffer while parsing keysyms.
The DNS dissector could go into an infinite loop while reading a malformed packet.
The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
Ethereal 0.9.2 has several packet handling vulnerabilities
that are best avoided by upgrading to 0.9.4.
The PROTOS test
suite found some flaws in SNMP and LDAP protocols support.
Malformed packets could also crash Ethereal 0.9.2 due to an
ASN.1 zero-length g_malloc problem.
The zlib "double free" vulnerability
was addressed by the updates for that bug from many distributors.
Here is an advisory from the Computer Emergency Response Team (CERT)
regarding the denial of service vulnerability in version 9 of the BIND
nameserver, up to 9.2.1. An attacker can send a properly crafted packet
which triggers a check within BIND and causes it to shut down. The
vulnerability cannot be exploited for any purpose beyond denial of
service, but that is bad enough; if you are running BIND 9, an upgrade
is probably a good idea.
Note that many or most systems out there will still be running
BIND 8, and thus will not be vulnerable.
We encourage dhcp users to upgrade, disable dhcp or, at a minimum,
consider
using ingress filtering as described in the CERT advisory.
(First LWN
report: May 16).
Note: Distributions which use version 2 of ISC DHCP, such as Red Hat
Linux,
are not vulnerable.
Ethereal 0.9.3 fixed three
packet handling vulnerabilities present in 0.9.2 when it was released
by the ethereal team on March 30th.
The PROTOS test
suite found some flaws in SNMP and LDAP protocols support.
Malformed packets could also crash Ethereal 0.9.2 due to an
ASN.1 zero-length g_malloc problem.
The zlib "double free" vulnerability
was addressed by the updates for that bug from many distributors. (First LWN
report: May 2).
Update: The May 19, 2002 release of Ethereal 0.9.4
fixes four potential security issues in Ethereal 0.9.3. Please see
the new vulnerability entry for more information.
Fetchmail versions prior to 5.9.10 have a buffer overflow vulnerability
that may be exploited by a malicious IMAP server.
The fetchmail client allocated memory to store the sizes of the
messages it is attempting to retrieve based on
a message count provided by the IMAP server.
A malicious IMAP server could provide an artificially
large message count to force the
fetchmail process to write data outside of the allocated memory. (First LWN
report: May 9).
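As an added illustration (not fetchmail's own code), here is the defensive shape of a message-size table driven by a server-supplied count: the count is parsed from a constructed EXISTS response, refused if it exceeds an assumed ceiling before anything is allocated, and every later write is checked against the size that was actually allocated. MAX_MESSAGES and the function names are assumptions for this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define MAX_MESSAGES 100000L   /* assumed sane ceiling for one mailbox */

/* One size slot per message number the server reports. */
struct size_table { long count; long *sizes; };

/* Parse the count from an untagged "* <n> EXISTS" line (constructed input).
 * Non-numeric, negative or out-of-range values all yield -1. */
long parse_exists(const char *line)
{
    if (strncmp(line, "* ", 2) != 0) return -1;
    char *end;
    errno = 0;
    long n = strtol(line + 2, &end, 10);
    if (errno != 0 || end == line + 2 || n < 0) return -1;
    return strcmp(end, " EXISTS") == 0 ? n : -1;
}

/* Allocate only for a count inside the trusted range; calloc performs the
 * count * element-size multiplication with overflow detection built in. */
int size_table_init(struct size_table *t, long count)
{
    t->count = 0;
    t->sizes = NULL;
    if (count < 0 || count > MAX_MESSAGES) return -1;
    if (count == 0) return 0;
    t->sizes = calloc((size_t)count, sizeof *t->sizes);
    if (t->sizes == NULL) return -1;
    t->count = count;
    return 0;
}

/* Store the size of message `num` (IMAP numbers are 1-based) only when it lies
 * inside the table, so the server cannot steer a write past the allocation. */
int size_table_set(struct size_table *t, long num, long size)
{
    if (num < 1 || num > t->count || size < 0) return -1;
    t->sizes[num - 1] = size;
    return 0;
}

void size_table_free(struct size_table *t) { free(t->sizes); t->sizes = NULL; t->count = 0; }
```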
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
Ghostscript may be used to execute arbitrary commands with a maliciously formed PostScript file.
Since ghostscript is frequently used while printing documents, updating
is strongly recommended.
The vulnerability has been fixed in the 6.53 source release of GNU Ghostscript.
The glibc filename globbing code has a buffer overflow problem.
For those who are interested, Global InterSec LLC has provided
a detailed description
of this vulnerability.
This problem was first reported by LWN on December 20th.
UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft
a request to run commands on the server under their UID and GID.
(First LWN report: May 23).
Versions of
imlib prior to 1.9.13 used the NetPBM package in ways which
"make it possible
for attackers to create image files such that when loaded via software
which uses Imlib, could crash the program or potentially allow arbitrary
code to be executed."
(First LWN
report: March 28).
Cross-site scripting vulnerability in Horde/IMP 2.2.7 and 3.0
Package(s): imp horde/imp
CVE #(s):
Created: May 21, 2002
Updated: June 19, 2002
Description:
Version 2.2.8 of IMP has been released; it
fixes some vulnerabilities. "The Horde team announces the
availability of IMP 2.2.8, which prevents some potential cross-site
scripting (CSS) attacks." Upgrading
to IMP 3.1 or, at least, 2.2.8 is recommended
(First LWN
report: April 11, 2002).
Update: IMP 3.0, which was initially believed to be
immune, is also vulnerable. The problem
is fixed in IMP 3.1.
Barry A. Warsaw announced
the release of Mailman 2.0.11
"which fixes two
cross-site scripting exploits, one reported by "office" in the admin
login page, and another reported by Tristan Roddis in the Pipermail
index summaries.
It is recommended that all sites upgrade their 2.0.x systems to this
version."
This XMLHttpRequest security
bug impacts all Mozilla-based browsers. "The bug is found in versions of
Mozilla from 0.9.7 to 0.9.9 on various operating
system platforms, and in Netscape versions 6.1 and
higher."
(First LWN
report: May 2).
The nss_ldap package includes the pam_ldap module for
authenticating a user with an LDAP database.
Pam_ldap versions prior to 144 have a format string
bug in the logging mechanism.
The OpenSSH developers have
released OpenSSH 3.2.2. Security fixes in this release are:
"- fixed buffer overflow in Kerberos/AFS token passing
- fixed overflow in Kerberos client code
- sshd no longer auto-enables Kerberos/AFS
- experimental support for privilege separation [...]
- only accept RSA keys of size SSH_RSA_MINIMUM_MODULUS_SIZE (768) or larger"
(First LWN report: May 23).
UTF8 interaction bug in the perl-Digest-MD5 module
Package(s): perl-Digest-MD5
CVE #(s):
Created: June 5, 2002
Updated: June 5, 2002
Description:
Versions prior to 2.20 of the perl-Digest-MD5 module have a bug
in the UTF8 interaction with perl that produces UTF8 strings
with improper MD5 digests.
(First LWN
report: May 16).
Pine has an
unpleasant URL handling vulnerability which can lead to
command execution by remote attackers.
(First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution,
setting enable-msg-view-urls to "off" in pine's setup will
avoid the vulnerability. (Thanks to Greg Herlein).
According to the CVE entry,
"uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute commands."
(First LWN
report: May 16).
A buffer overflow in tcpdump can be triggered by a bad NFS packet when
tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
Version 3.5.2 fixed a
buffer overflow vulnerability in all prior versions. However,
newer versions, including 3.6.2, are vulnerable to another
buffer overflow in the AFS RPC functions that was reported by
Nick Cleaton.
(First LWN
report: May 9).
Both problems appear to have been reported and fixed in FreeBSD some months
ago. The CIAC
report on the vulnerability in versions prior to 3.5.2 is dated October
31, 2000. Nick Cleaton's FreeBSD
security advisory on the AFS RPC bug, and reference to a fix for
FreeBSD, is dated July 17, 2001. Tcpdump 3.7 was released on January 21,
2002.
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
Most SNMP
implementations out there have a variety of buffer overflow vulnerabilities
and should be upgraded at first opportunity. See this CERT advisory for more. (First
LWN report: February 14).
webalizer: reverse DNS buffer overflow vulnerability
Package(s): webalizer
CVE #(s):
Created: May 21, 2002
Updated: January 27, 2003
Description:
The cause is a buffer overflow bug.
This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victim's DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
This one is scary. The session ID
spoofing vulnerability allows the "possibility that arbitrary
commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
A malicious IRC server may
return a response to a /dns query that executes arbitrary commands
with the privileges of the user running XChat.
Versions of XChat prior to 1.8.9 are vulnerable.
This vulnerability impacts all major Linux vendors. It may
impact every Linux installation on Earth.
Updates are required to zlib and any
packages that were statically built with the zlib code.
(First LWN report: March 14).
LinuxSecurity
describes the vulnerability and coordinated distributor efforts
in detail.
"Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc,
vnc, and many other programs that have the ability to use network
compression are potentially vulnerable."
Updating is recommended.
As always, please proceed with caution when applying updates to
the kernel.
Tcpserver is a secure replacement for inetd. This
article is
of interest to anyone who wants to use tcpserver on Linux, although
it is, of course, specific to Mandrake Linux.
A patch is available for Pine 4.44 that closes user name
and id leaks due to automatic header line insertion.
The patch is intended for use by
"help desks and other role accounts."
Eric "Loki" Hines has written a
"Comprehensive Guide to Building Encrypted, Secure Remote Syslog-ng
Servers with the Snort Intrusion Detection System."
The event is being held 31
July through 1 August 2002 in Las Vegas, Nevada, USA.
"Richard Clarke, Special Advisor to President Bush for Cyberspace
Security, will be one of the keynotes headlining the event."
For additional security-related events, including training courses (which we
don't list above) and events further in the future, check out
Security Focus' calendar,
one of the primary resources we use for building the above list. To
submit an event directly to us, please send a plain-text message to
lwn@lwn.net.