Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
|
|
| |
|
| |
Security
Security news
The Sendmail Vulnerability
[This article was contributed by Tom Owen]
Internet Security Systems
issued this
sendmail
vulnerability report
by Mark Dowd on March 3rd.
In summary, a legal RFC822 email message with excessive comments in address
headers can
cause any current version of
sendmail
to overflow a heap memory area.
The LWN
vulnerability entry
has links to patches, and to the 8.12.8 release which
contains the fix.
SANS has set up a
page
with a background information.
Fixes are necessary for all sendmails which may see mail regardless of
whether they are behind the firewall or without a public address.
Eric Allman, the author of sendmail
has emphasised that
" Everyone should patch as soon as possible, regardless of
platform."
This overflow has an pair of ugly aggravations:
- Sendmail normally runs full time as root. It needn't,
but that's the way most default sendmail.cf files are written
and this allows a sucessful exploit to take full control of the machine.
- Direct access to port 25 is not needed to exploit the vulnerability.
Even a machine with a private, non-routable IP address can be reached from
the Internet
provided the crafted -- but legal --
email message can be relayed to the ultimate target by other systems.
To be effective, the exploit has to be able to run asynchronously and
phone home out through the firewall before the attacker can take direct
control,
but that should be possible if the target machine is allowed to browse the web,
and of course it's easy for an internal attacker.
This is not the time to join the
argument
about the extent to which sendmail dominates Internet email.
A lot of MX and outbound smart hosts are certainly running sendmail,
but the scale of the problem really hits with machines that are not intended
to be MTAs.
When installing most distributions as a workstation or an application server,
it takes a bit of thought not to install sendmail.
Few admins are certain that there's nothing --
no vital little cron job or script --
that requires a local SMTP server.
With the huge majority of machines on a private subnet or shielded by the
firewall,
it's simpler and it seems safe to install the MTA offered -- usually
sendmail -- just
on the off chance.
Every one of of these machines now needs to be assessed, and its sendmail
patched or removed.
For individual machines, the fix isn't hard.
Most distributions have
patches
out,
and with few dependencies, it's a rather easy package to compile and install
from scratch.
If that's necessary, it's probably simplest to move straight to 8.12.8 rather
than
apply the patches for earlier versions.
Further out, there are deeper questions for users and distributions.
Even if sendmail is still the right solution in 2003, is it right to run it as
root?
Abandoning sendmail is a well-trodden route.
The venerable system is partly a prisoner of the mail nightmare of the early
Internet.
Life is easier now without bang paths and BITNET, and
modern MTAs benefit from simpler or absent rewriting and use of the
least-privilege
concepts that have been taught by earlier security problems.
Qmail and
Postfix both make a fetish of security
while still being easier than sendmail -- in simple cases vastly easier -- to
set up,
and there are
others.
Unfortunately, mail admins who move their mail servers to other MTAs
actually got
little protection if they continued to accept the default MTA on workstations.
Sites in this position need filters now to stop any exploit reaching the
internal network,
and then they need to fix those machines as well.
Example filters
for Exim
and
for
Postfix
will need to be reviewed when actual exploits appear.
And those exploits will certainly appear. A proof of concept exploit has already been
posted, and more unpleasant varieties are certainly under development.
This is the kind of problem that large-scale Internet worms are made of.
If you have not yet applied your patches, now would be a good time to do
it.
Comments (5 posted)
New vulnerabilities
eterm, vte: dangerous interception of escape sequences
| Package(s): | vte, eterm |
CVE #(s): | CAN-2003-0021
CAN-2003-0068
CAN-2003-0070
|
| Created: | March 3, 2003 |
Updated: | April 1, 2003 |
| Description: |
From the
advisory:
"Many of the features supported by popular terminal emulator software
can be abused when un-trusted data is displayed on the screen. The impact
of this abuse can range from annoying screen garbage to a complete system
compromise. All of the issues below are actually documented features,
anyone who takes the time to read over the man pages or source code could
use them to carry out an attack." |
| Alerts: |
|
Comments (none posted)
file - memory allocation problem, stack overflow
| Package(s): | file |
CVE #(s): | CAN-2003-0102
|
| Created: | March 4, 2003 |
Updated: | June 4, 2003 |
| Description: |
Jeff Johnson found a memory allocation problem and David Endler found a
stack overflow corruption problem in the file "Automatic File Content
Type Recognition Tool" version 3.41. Nalin Dahyabhai improved ELF section
and program header handling in file version 3.40. The folks at OpenPKG
believe that file versions without those modifications are vulnerable to
memory allocation and stack overflow problems which put security at risk. |
| Alerts: |
|
Comments (none posted)
mhc - insecure temporary file
| Package(s): | mhc |
CVE #(s): | |
| Created: | February 28, 2003 |
Updated: | March 5, 2003 |
| Description: |
It has been discovered that adb2mhc from the mhc-utils package has a temporary file vulnerability. The
default temporary directory uses a predictable name, allowing a local attacker to overwrite arbitrary
files. |
| Alerts: |
|
Comments (none posted)
sendmail - Remote Buffer Overflow
| Package(s): | sendmail |
CVE #(s): | CAN-2002-1337
|
| Created: | March 3, 2003 |
Updated: | March 10, 2003 |
| Description: |
ISS has turned
up an unpleasant problem with sendmail; by sending a properly crafted
message, an attacker can run arbitrary code as root on a target
system. This is the sort of hole that can lead to all sorts of problems,
including widespread breakins and Internet worms. Everybody who is running
sendmail should upgrade to version 8.12.8 at the first
opportunity. Note that systems behind firewalls need to be fixed too.
See CERT Advisory CA-2003-07 for additional
information. |
| Alerts: |
|
Comments (2 posted)
snort - buffer overflow
| Package(s): | snort |
CVE #(s): | CAN-2003-0033
|
| Created: | March 5, 2003 |
Updated: | April 4, 2003 |
| Description: |
A buffer overflow in the snort intrusion detection system can lead to
remote code execution and/or disabling of intrusion detection. The 1.9.1
release fixes the problem. See this
advisory for more information. |
| Alerts: |
|
Comments (none posted)
squirrelmail - cross-site scripting vulnerability
| Package(s): | squirrelmail |
CVE #(s): | CAN-2002-1276
CAN-2002-1341
|
| Created: | March 5, 2003 |
Updated: | March 5, 2003 |
| Description: |
A new cross-site scripting vulnerability afflicts Squrrelmail 1.2.10 and prior. |
| Alerts: |
|
Comments (none posted)
tcpdump - infinite loop
| Package(s): | tcpdump |
CVE #(s): | CAN-2003-0108
|
| Created: | February 27, 2003 |
Updated: | May 1, 2003 |
| Description: |
Andrew Griffiths and iDEFENSE Labs discovered a problem in tcpdump, a
powerful tool for network monitoring and data acquisition. An
attacker is able to send a specially crafted network packet which
causes tcpdump to enter an infinite loop.
In addition to the above problem the tcpdump developers discovered a
potential infinite loop when parsing malformed BGP packets. They also
discovered a buffer overflow that can be exploited with certain
malformed NFS packets. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
apcupsd - remote root vulnerability and buffer overflows
| Package(s): | apcupsd |
CVE #(s): | CAN-2003-0098
CAN-2003-0099
|
| Created: | February 24, 2003 |
Updated: | April 3, 2003 |
| Description: |
From the MandrakeSoft
advisory:
A remote root vulnerability in slave setups and some buffer overflows in
the network information server code were discovered by the apcupsd
developers. They have been fixed in the latest unstable version, 3.10.5
which contains additional enhancements like USB support, and the latest
stable version, 3.8.6.
There are a few changes that need to be noted, such as the port has changed
from port 7000 to post 3551 for NIS, and the new config only allows access
from the localhost. Users may need to modify their configuration files
appropriately, depending upon their configuration. |
| Alerts: |
|
Comments (none posted)
Heap corruption vulnerability in at
| Package(s): | at at, sudo, xchat |
CVE #(s): | CAN-2002-0004
|
| Created: | May 20, 2002 |
Updated: | May 15, 2003 |
| Description: |
The at command has a
potentially exploitable heap corruption bug.
(First LWN report: January 17th).
|
| Alerts: |
|
Comments (none posted)
BIND8: Multiple vulnerabilities
Comments (1 posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
CVE #(s): | CAN-2002-0651
CAN-2002-0684
|
| Created: | July 8, 2002 |
Updated: | September 30, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Firch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
CAN-2002-0651
CAN-2002-0684 |
| Alerts: |
|
Comments (1 posted)
BitchX - denial of service
| Package(s): | BitchX |
CVE #(s): | |
| Created: | February 20, 2003 |
Updated: | May 26, 2003 |
| Description: |
From this Bugtraq posting:
A denial of service vulnerability exists in BitchX. Sending a malformed
RPL_NAMREPLY numeric 353 causes BitchX to segfault. This problem was
reported to panasync@efnet#bitchx on Jan 30 2003, as of this writing we are
unaware of any patches or workarounds provided by panasync and or any
members of #bitchx |
| Alerts: |
|
Comments (none posted)
Canna server: exploitable buffer overrun
| Package(s): | canna |
CVE #(s): | CAN-2002-1158
CAN-2002-1159
|
| Created: | December 10, 2002 |
Updated: | September 30, 2003 |
| Description: |
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also
http://canna.sourceforge.jp/sec/Canna-2002-01.txt
CAN-2002-1158
CAN-2002-1159 |
| Alerts: |
|
Comments (none posted)
CVS - exploitable double-free bug in the CVS server
| Package(s): | cvs |
CVE #(s): | CAN-2003-0015
|
| Created: | January 20, 2003 |
Updated: | April 7, 2003 |
| Description: |
CVS is a version control system frequently used to manage source code
repositories. During an audit of the CVS sources, Stefan Esser
discovered an exploitable double-free bug in the CVS server.
On servers which are configured to allow anonymous read-only access, this
bug could be used by anonymous users to gain write privileges. Users with
CVS write privileges can then use the Update-prog and Checkin-prog features
to execute arbitrary commands on the server.
All users of CVS are advised to upgrade to erratum packages which contain
patches to correct the double-free bug.
See also this CERT advisory |
| Alerts: |
|
Comments (none posted)
dhcp3 - ignored counter boundary
| Package(s): | dhcp3 |
CVE #(s): | CAN-2003-0039
|
| Created: | January 28, 2003 |
Updated: | April 4, 2003 |
| Description: |
Florian Lohoff discovered a bug in the dhcrelay causing it to send a
continuing packet storm towards the configured DHCP server(s) in case
of a malicious BOOTP packet, such as sent from buggy Cisco switches.
When the dhcp-relay receives a BOOTP request it forwards the request
to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff
which causes the network interface to reflect the packet back into the
socket. To prevent loops the dhcrelay checks whether the
relay-address is its own, in which case the packet would be dropped.
In combination with a missing upper boundary for the hop counter an
attacker can force the dhcp-relay to send a continuing packet storm
towards the configured dhcp server(s).
This patch introduces a new commandline switch ``-c maxcount'' and
people are advised to start the dhcp-relay with ``dhcrelay -c 10''
or a smaller number, which will only create that many packets.
The dhcrelay program from the ``dhcp'' package does not seem to be
affected since DHCP packets are dropped if they were apparently
relayed already. |
| Alerts: |
|
Comments (none posted)
dvips: command execution vulnerability
| Package(s): | dvips |
CVE #(s): | CAN-2002-0836
|
| Created: | October 16, 2002 |
Updated: | June 10, 2003 |
| Description: |
The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system. |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
fetchmail: buffer overflow
| Package(s): | fetchmail |
CVE #(s): | CAN-2002-1365
|
| Created: | December 17, 2002 |
Updated: | October 20, 2003 |
| Description: |
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. |
| Alerts: |
|
Comments (3 posted)
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
CVE #(s): | CAN-2002-0435
|
| Created: | May 20, 2002 |
Updated: | May 16, 2003 |
| Description: |
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
|
| Alerts: |
|
Comments (none posted)
Potential remote root exploit in glibc
| Package(s): | glibc |
CVE #(s): | CAN-2002-0391
|
| Created: | August 14, 2002 |
Updated: | June 29, 2003 |
| Description: |
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
|
| Alerts: |
|
Comments (none posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
CVE #(s): | CAN-2002-1146
|
| Created: | November 7, 2002 |
Updated: | February 5, 2004 |
| Description: |
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
|
| Alerts: |
|
Comments (none posted)
hypermail - buffer overflows
| Package(s): | hypermail |
CVE #(s): | CAN-2003-0057
|
| Created: | February 11, 2003 |
Updated: | February 27, 2003 |
| Description: |
Ulf Harnhammar discovered two problems in hypermail, a program to
create HTML archives of mailing lists.
An attacker could craft a long filename for an attachment that would
overflow two buffers when a certain option for interactive use was
given, opening the possibility to inject arbitrary code. This code
would then be executed under the user id hypermail runs as, mostly as
a local user. Automatic and silent use of hypermail does not seem to
be affected.
The CGI program mail, which is not installed by the Debian package,
does a reverse look-up of the user's IP number and copies the
resulting hostname into a fixed-size buffer. A specially crafted DNS
reply could overflow this buffer, opening the program to an exploit. |
| Alerts: |
|
Comments (none posted)
IM: creates temporary files insecurely
| Package(s): | im |
CVE #(s): | CAN-2002-1395
|
| Created: | December 3, 2002 |
Updated: | March 6, 2003 |
| Description: |
Tatsuya Kinoshita discovered that IM, which contains interface
commands and Perl libraries for E-mail and NetNews, creates temporary
files insecurely.
- The impwagent program creates a temporary directory in an insecure
manner in /tmp using predictable directory names without checking
the return code of mkdir, so it's possible to seize a permission
of the temporary directory by local access as another user.
- The immknmz program creates a temporary file in an insecure manner
in /tmp using a predictable filename, so an attacker with local
access can easily create and overwrite files as another user.
|
| Alerts: |
|
Comments (none posted)
IMP - SQL injection vulnerability
| Package(s): | imp |
CVE #(s): | CAN-2003-0025
|
| Created: | January 15, 2003 |
Updated: | July 8, 2003 |
| Description: |
The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL
injection; see this advisory for details.
Version 3.x is not vulnerable to this problem. |
| Alerts: |
|
Comments (1 posted)
kdelibs: Vulnerabilities in KIO subsystem support
| Package(s): | kdelibs |
CVE #(s): | CAN-2002-1281
CAN-2002-1282
|
| Created: | November 22, 2002 |
Updated: | March 14, 2003 |
| Description: |
Vulnerabilities were discovered in the KIO subsystem support for various
network protocols. The implementation of the rlogin protocol affects all
KDE versions from 2.1 up to 3.0.4, while the flawed implementation of the
telnet protocol only affects KDE 2.x. They allow a carefully crafted URL
in an HTML page, HTML email, or other KIO-enabled application to execute
arbitrary commands as the victim with their privilege.
The KDE team provided a patch for KDE3 which has been applied in these
packages. No patch was provided for KDE2, however the KDE team recommends
disabling both the rlogin and telnet KIO protocols. This can be
accomplished by removing, as root, the following files:
/usr/share/services/telnet.protocol and
/usr/share/services/rlogin.protocol.
If either file also exists in a user's ~/.kde/share/services directory,
they should likewise be removed.
See also:
http://www.kde.org/info/security/advisory-20021111-1.txt |
| Alerts: |
|
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
libmcrypt: buffer overflows and memory exhaustion
| Package(s): | libmcrypt |
CVE #(s): | CAN-2003-0031
CAN-2003-0032
|
| Created: | January 6, 2003 |
Updated: | February 27, 2003 |
| Description: |
libmcrypt versions prior to 2.5.5 contain a number of buffer overflow
vulnerabilities that stem from improper or lacking input validation. By
passing a longer than expected input to a number of functions (multiple
functions are affected) the user can successful make libmcrypt crash.
Another vulnerability is due to the way libmcrypt loads algorithms via
libtool. When the algorithms are loaded dynamically the each time the
algorithm is loaded a small (few kilobytes) of memory are leaked. In a
persistant enviroment (web server) this could lead to a memory exhaustion
attack that will exhaust all avaliable memory by launching repeated
requests at an application utilizing the mcrypt library. |
| Alerts: |
|
Comments (none posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
CVE #(s): | CAN-2002-1363
|
| Created: | December 19, 2002 |
Updated: | July 14, 2004 |
| Description: |
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer. |
| Alerts: |
|
Comments (none posted)
lynx: CRLF injection vulnerability
| Package(s): | lynx |
CVE #(s): | CAN-2002-1405
|
| Created: | November 19, 2002 |
Updated: | September 30, 2003 |
| Description: |
If lynx is given a url with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use Lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
CAN-2002-1405 |
| Alerts: |
|
Comments (none posted)
perl-MailTools: remote command execution
| Package(s): | MailTools |
CVE #(s): | CAN-2002-1271
|
| Created: | November 5, 2002 |
Updated: | September 19, 2003 |
| Description: |
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.
|
| Alerts: |
|
Comments (none posted)
micq: Denial of service
| Package(s): | micq |
CVE #(s): | |
| Created: | December 13, 2002 |
Updated: | April 24, 2003 |
| Description: |
Rüdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client,
discovered a problem in mICQ. Receiving certain ICQ message types
that do not contain the required 0xFE seperator causes all versions to
crash. |
| Alerts: |
|
Comments (none posted)
MySQL: multiple vulnerabilities
| Package(s): | mysql |
CVE #(s): | |
| Created: | December 13, 2002 |
Updated: | April 10, 2003 |
| Description: |
The MySQL database server has several buffer overflow and integer bounds checking vulnerabilities which can lead to denial of service attacks, and, possibily, remote code execution. See this e-matters advisory for details. Version 3.23.54 fixes the problems. |
| Alerts: |
|
Comments (none posted)
nethack: buffer overflow
| Package(s): | nethack, slashem, falconseye |
CVE #(s): | CAN-2003-0358
CAN-2003-0359
|
| Created: | February 18, 2003 |
Updated: | July 15, 2003 |
| Description: |
Overflowing a buffer in nethack may lead to privilege escalation to games
uid.
Read the the full advisory for the details.
Note that falconseye does not contain the file permission error
CAN-2003-0359 which affected some other nethack packages. |
| Alerts: |
|
Comments (none posted)
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
CVE #(s): | CAN-2002-1170
|
| Created: | December 17, 2002 |
Updated: | November 7, 2003 |
| Description: |
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: |
|
Comments (none posted)
OpenSSL: plaintext exposure vulnerability
| Package(s): | openssl |
CVE #(s): | CAN-2003-0078
|
| Created: | February 19, 2003 |
Updated: | March 6, 2003 |
| Description: |
A vulnerability has been found in OpenSSL that, given the right conditions,
could lead to the exposure of transactions in plain text. This problem
looks difficult to exploit (it requires a man-in-the-middle attack, among
other things), but one can't be too sure, so the OpenSSL project has
released versions 0.9.7a (with the fix and some new features) and 0.9.6i
(with fixes only). See the announcement for details. |
| Alerts: |
|
Comments (none posted)
pam_xauth: root exploit
| Package(s): | pam_xauth |
CVE #(s): | CAN-2002-1160
|
| Created: | February 13, 2003 |
Updated: | July 10, 2003 |
| Description: |
The pam_xauth module is used to forward xauth information from user to user
in applications such as 'su'.
Andreas Beck discovered that versions of pam_xauth supplied with Red Hat
Linux since version 7.1 would forward authorization information from the
root account to unprivileged users. This could be used by a local attacker
to gain access to an administrator's X session. In order to exploit this
vulnerability, the attacker would have to get the administrator, as root,
to use su to the account belonging to the attacker. |
| Alerts: |
|
Comments (none posted)
PHP: vulnerability in mail function
| Package(s): | php |
CVE #(s): | CAN-2002-0985
CAN-2002-0986
|
| Created: | November 13, 2002 |
Updated: | September 30, 2003 |
| Description: |
Two vulnerabilities exists in the mail() PHP function. The first one allows
the execution of any program/script bypassing safe_mode restriction, the
second one may give an open-relay script if the mail() function is not
carefully used in PHP scripts. See this Bugtraq
report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.
CAN-2002-0985
CAN-2002-0986 |
| Alerts: |
|
Comments (none posted)
PostgreSQL - more buffer overflows
| Package(s): | postgresql |
CVE #(s): | |
| Created: | February 12, 2003 |
Updated: | November 7, 2003 |
| Description: |
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. |
| Alerts: |
|
Comments (1 posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
CVE #(s): | CAN-2002-1119
|
| Created: | August 28, 2002 |
Updated: | September 30, 2003 |
| Description: |
Zack Weinberg discovered that
os._execvpe from os.py uses a predictable name which could lead
to execution of arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2.
CAN-2002-1119 |
| Alerts: |
|
Comments (none posted)
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
CVE #(s): | CAN-2002-1323
|
| Created: | October 9, 2002 |
Updated: | February 20, 2004 |
| Description: |
usePerl has a
description of a vulnerability in the Safe.pm Perl module. It seems
that if a Safe compartment is used more than once, it ceases to be safe.
The problem is fixed in Safe 2.08. |
| Alerts: |
|
Comments (none posted)
shadow-utils: useradd tool creates mail spools with incorrect permissions
| Package(s): | shadow-utils |
CVE #(s): | CAN-2002-1509
|
| Created: | February 20, 2003 |
Updated: | February 27, 2003 |
| Description: |
The shadow-utils package includes programs for converting UNIX password
files to the shadow password format, plus programs for managing user and
group accounts. One of these programs is useradd, which is used to create
or update new user information.
When creating a user account, the version of useradd included in Red Hat
Linux 7.2, 7.3, and 8.0 creates a mailbox file with incorrectly-set group
ownership. Instead of setting the file's group ownership to the 'mail'
group, it is set to the user's primary group.
On systems where other users share the same primary group, this would allow
those users to be able to read and write other user mailboxes. |
| Alerts: |
|
Comments (none posted)
slocate - buffer overflow
| Package(s): | slocate |
CVE #(s): | CAN-2003-0056
|
| Created: | February 5, 2003 |
Updated: | May 8, 2003 |
| Description: |
version 2.6 (at least) of slocate contains a buffer overflow vulnerability which could lead to a local exploit; see this advisory for the details.
|
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 9, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
traceroute-nanog: buffer overflow and root exploit
| Package(s): | traceroute-nanog/nkitb |
CVE #(s): | |
| Created: | November 12, 2002 |
Updated: | February 27, 2003 |
| Description: |
Traceroute is a tool that can be used to track packets in a TCP/IP network
to determine it's route or to find out about not working routers.
Traceroute-nanog requires root privilege to open a raw socket. It does not
relinquish these privileges after doing so. This allows a malicious user to
gain root access by exploiting a buffer overflow at a later point. |
| Alerts: |
|
Comments (none posted)
typespeed: buffer overflow
| Package(s): | typespeed |
CVE #(s): | |
| Created: | January 1, 2003 |
Updated: | June 17, 2003 |
| Description: |
A problem has been discovered in the typespeed, a game that lets you
measure your typematic speed. By overflowing a buffer a local
attacker could execute arbitrary commands under the group id games. |
| Alerts: |
|
Comments (none posted)
usermin - unauthorized access
| Package(s): | usermin, webmin |
CVE #(s): | |
| Created: | February 24, 2003 |
Updated: | February 27, 2003 |
| Description: |
- From announcement:
"Due to a remotely exploitable security hole being discovered that
effects all previous Webmin releases, version 1.070 is now available
for download from http://www.webmin.com/ and mirror sites. This
problem was reported by Cintia M. Imanishi, but fortunately there
have been no known malicious exploits of it yet. However, all users
should upgrade to 1.070 as soon as possible."
"Also available is Usermin 1.000 which fixes the exact same security
hole. It includes the same File Manager features, as well as support
for IMAP folders and an IMAP inbox in the Read Mail module."
Read this alert for the details. |
| Alerts: |
|
Comments (none posted)
vim - modeline vulnerability
| Package(s): | vim |
CVE #(s): | CAN-2002-1377
|
| Created: | January 16, 2003 |
Updated: | February 10, 2004 |
| Description: |
VIM allows a user to set the modeline differently for each edited text file
by placing special comments in the files. Georgi Guninski found that these
comments can be carefully crafted in order to call external programs. This
could allow an attacker to create a text file such that when it is opened
arbitrary commands are executed. |
| Alerts: |
|
Comments (4 posted)
vnc - replay and cookie vulnerabilities
| Package(s): | vnc |
CVE #(s): | CAN-2002-1336
CAN-2002-1511
|
| Created: | February 21, 2003 |
Updated: | May 5, 2003 |
| Description: |
VNC is a tool for providing a remote graphical user interface. Two
vulnerabilities have been found in versions of VNC shipped by Red Hat.
The VNC server acts as an X server, but the script for starting it
generates an MIT X cookie (which is used for X authentication) without
using a strong enough random number generator. This could allow an
attacker to be able to more easily guess the authentication cookie.
The VNC DES authentication scheme is implemented using a challenge-response
architecture, producing a random and different challenge for each
authentication attempt. A bug in the function for generating the random
challenge caused the random seed to get reset to the current time on every
authentication attempt. Therefore, two authentication attempts within the
same second could receive the same challenge. An eavesdropper could
exploit this vulnerability by replaying the response, thereby gaining
authentication.
All users of VNC are advised to upgrade to these erratum packages, which
contain patches to correct these issues. |
| Alerts: |
|
Comments (none posted)
wget:directory traversal bug
| Package(s): | wget |
CVE #(s): | CAN-2002-1344
|
| Created: | December 10, 2002 |
Updated: | September 30, 2003 |
| Description: |
Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST
command includes any directory information along with the list of filenames
required by the FTP protocol (RFC 959, section 4.1.3).
If the FTP client fails to do so, a malicious FTP server can send filenames
beginning with '/' or containing '/../' which can be used to direct a
vulnerable FTP client to write files (such as .forward, .rhosts, .shosts,
etc.) that can then be used for later attacks against the client machine.
See also
this Bugtraq article from 1997.
CAN-2002-1344 |
| Alerts: |
| |
|