A press release from IBM announces its "The Distributed Wireless Security
Auditor" (DWSA) system. "The DWSA system, which runs on Linux on
desktops and laptops, can accurately pinpoint the location of any rogue
access points, enabling network personnel to quickly find and then fix or
remove them, unlike other wireless auditors that require personnel to
perform time consuming physical searches by walking around the
site."
Here's an article about IBM's recent press release, outlining their self-diagnostic wireless tool. "The IBM software sits on laptops and PCs, analyzing traffic on an internal 802.11 wireless network and sending data to a centralized server, said Dave Safford, manager of the global security analysis lab at IBM Research in Hawthorne, N.Y."
vnunet has posted an article about
SELinux. "It may seem odd that the NSA has developed a security
module. In the X-Files world of government agencies, the NSA is often
associated with code breaking, but the other aspect of its role is code
making, hence the interest in a secure Linux."
Bruce Schneier's CRYPTO-GRAM newsletter for June is out; the main topic
this time around is making intelligence organizations work better to
prevent attacks in the future. "My opinion has been that
it is largely unnecessary to trade civil liberties for security, and that
the best security measures -- reinforcing the airplane cockpit door,
putting barricades and guards around important buildings, improving
authentication for telephone and Internet banking -- have no effect on
civil liberties. Broad surveillance is a mark of bad security."
A bug triggered by a huge font size specified in a CSS stylesheet results in
an X server crash or an unusable system. The problem is present in Mozilla 1.0 and earlier.
Also see the bugzilla entry.
IGMPv2 is a protocol used
by IP hosts to report their multicast group memberships to routers.
Krishna N. Ramachandran has reported an IGMP-related local denial of service
vulnerability in the 2.4.18 kernel. It could be a problem for people using
Linux as a high-end router, but it won't affect most users. The full
description is available here. The solution is
to "drop all IGMP packets that are not multicast
ethernet addresses."
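As an added illustration of that workaround (example code written for this page, not kernel code), the filter below parses an Ethernet II/IPv4 frame and drops IGMP that arrives addressed to a unicast MAC. The IP-layer group check is one step beyond the quoted rule, since IGMP is only meaningful to group addresses; the MAC and IP addresses and the frames themselves are constructed. On a Linux router the IP half of the same idea is roughly `iptables -A INPUT -p igmp ! -d 224.0.0.0/4 -j DROP`; matching on the destination MAC needs a link-layer filter such as ebtables.

```python
# Added example: link-layer filter for IGMP frames, written for this
# note, not taken from the kernel.  All frames below are constructed.
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_IGMP = 2
IPPROTO_TCP = 6

def is_multicast_mac(mac):
    # IEEE 802 group bit: least significant bit of the first octet is set.
    return bool(mac[0] & 0x01)

def is_multicast_ipv4(addr):
    # Class D, 224.0.0.0/4: the top four bits of the first octet are 1110.
    return (addr[0] & 0xF0) == 0xE0

def parse_frame(frame):
    """Return (dst_mac, ip_proto, ip_dst) for an Ethernet II + IPv4 frame, else None."""
    if len(frame) < 14 + 20:
        return None
    dst_mac = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    proto = frame[14 + 9]
    ip_dst = frame[14 + 16:14 + 20]
    return dst_mac, proto, ip_dst

def igmp_verdict(frame):
    """'drop' an IGMP frame whose link-layer destination is not a group
    address; everything else is passed through unchanged."""
    parsed = parse_frame(frame)
    if parsed is None:
        return "accept"
    dst_mac, proto, ip_dst = parsed
    if proto != IPPROTO_IGMP:
        return "accept"
    # The quoted workaround is the MAC test; the IP-layer test is a
    # belt-and-braces addition made for this example.
    if not is_multicast_mac(dst_mac) or not is_multicast_ipv4(ip_dst):
        return "drop"
    return "accept"

def build_frame(dst_mac, src_mac, proto, src_ip, dst_ip, payload=b""):
    """Constructed test frame: Ethernet II header + minimal IPv4 header (checksum left zero)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 1, proto, 0, src_ip, dst_ip)
    return eth + ip + payload

# Constructed addresses; 224.0.0.1 maps to the group MAC 01:00:5e:00:00:01.
GROUP_MAC = bytes.fromhex("01005e000001")
HOST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("00aabbccddee")
ALL_HOSTS = bytes([224, 0, 0, 1])
ROUTER_IP = bytes([192, 168, 1, 1])
HOST_IP = bytes([192, 168, 1, 2])
IGMP_QUERY = bytes([0x11, 0x64, 0x00, 0x00, 0, 0, 0, 0])   # type 0x11, max resp time, checksum, group

def demo():
    normal = build_frame(GROUP_MAC, SRC_MAC, IPPROTO_IGMP, ROUTER_IP, ALL_HOSTS, IGMP_QUERY)
    # Same IGMP payload, but delivered to the host's unicast MAC: this is what the workaround drops.
    crafted = build_frame(HOST_MAC, SRC_MAC, IPPROTO_IGMP, ROUTER_IP, ALL_HOSTS, IGMP_QUERY)
    tcp = build_frame(HOST_MAC, SRC_MAC, IPPROTO_TCP, ROUTER_IP, HOST_IP, b"\x00" * 20)
    return {"normal": igmp_verdict(normal), "crafted": igmp_verdict(crafted), "tcp": igmp_verdict(tcp)}

if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the verdicts for the three constructed frames; only the IGMP query delivered to the unicast MAC is dropped.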
It has been reported that the Mandrake Linux 8.2 "default security settings leave users' home directories world readable." The suggested solution is to
"use the
Mandrake Control Center, security settings section, and make sure the
level is set to at least "High", or manually enter 'msec 3' via CLI"
Ulf Harnhammar reports multiple vulnerabilities in the BasiliX webmail application, which is based on PHP, IMAP and MySQL. The four vulnerabilities are: potential access
to any file on the web server, cross-site scripting issues, insecure storage of attachments and SQL injection holes. Version 1.1.0 and all previous versions are vulnerable.
Ahmet Sabri Alper reported an information disclosure vulnerability
in ZenTrack v2.0.3, v2.0.2beta and older.
A maliciously crafted HTTP request may be used to reveal the path
to the web root and "maybe some more sensitive information."
Tim Vandermeersch reports that PHP Address 0.2e
has a vulnerability which allows a crafted URL to include
any PHP file on the server.
The problem is fixed in PHP Address 0.2f (17.07.2002).
PHP Address is a collection of PHP scripts
for maintaining a small web-based address database.
A vulnerability was reported in "the webMathematica software which allows remote
clients (web surfers) to read an arbitrary file on the server (assuming the
httpd-user has permission)."
A version of webMathematica which fixes the problem is available from the
vendor, Wolfram Research.
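The PHP Address include, the ZenTrack path disclosure and the webMathematica file read all stem from the same thing: a request parameter being used as a file path. The function below is an added example (not code from any of those projects) of the containment check a script should apply before opening or including anything: decode once, reject NULs and absolute paths, normalize, then confirm the result still lies below the document root. The root directory, the allowed-suffix list and the sample requests are constructed for the example; a real opener would also resolve symbolic links and re-check, which this filesystem-free version omits.

```python
# Added example: mapping a request parameter onto a file below a fixed
# root.  Written for this note; not code from PHP Address, ZenTrack or
# webMathematica.  The root and the sample requests are constructed.
import posixpath
from urllib.parse import unquote

class PathRejected(ValueError):
    pass

def resolve_under_root(root, user_path, allowed_suffixes=None):
    """Return the normalized absolute path for `user_path` under `root`,
    or raise PathRejected.  `user_path` is the raw (percent-encoded)
    request value; `root` is an absolute POSIX directory."""
    root = posixpath.normpath(root)
    if not root.startswith("/"):
        raise PathRejected("root must be absolute")
    decoded = unquote(user_path)                  # decode exactly once
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")    # truncation trick against C string APIs
    if "\\" in decoded:
        raise PathRejected("backslash not allowed")
    if decoded.startswith("/"):
        raise PathRejected("absolute path not allowed")
    # normpath collapses "..": "/root/a/../../etc/passwd" becomes
    # "/etc/passwd" (or similar), which then fails the containment test.
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate == root:
        raise PathRejected("no file named")
    if not candidate.startswith(root + "/"):
        raise PathRejected("path escapes document root")
    if allowed_suffixes is not None and not candidate.endswith(tuple(allowed_suffixes)):
        raise PathRejected("file type not allowed")
    # Caveat: a symlink inside root may still point outside it; the code
    # that opens the file should realpath() and repeat the containment test.
    return candidate

# Constructed request values, as they would arrive in a query string
SAMPLE_REQUESTS = [
    "contacts.php",
    "admin/../index.php",
    "../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "/etc/passwd",
    "index.php%00.txt",
    "readme.txt",
]

def demo(root="/var/www/phpaddress", suffixes=(".php",)):
    results = {}
    for req in SAMPLE_REQUESTS:
        try:
            results[req] = resolve_under_root(root, req, suffixes)
        except PathRejected as exc:
            results[req] = "rejected: " + str(exc)
    return results

if __name__ == "__main__":
    for req, outcome in demo().items():
        print("%-28s -> %s" % (req, outcome))
```

The traversal attempts are caught by the containment test rather than by pattern-matching on "..", so encodings and odd combinations of components do not need to be enumerated; only a single percent-decode is performed, so a double-encoded name simply stays a literal (and harmless) file name.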
It is past time to upgrade your Apache servers. A worm which takes advantage of this vulnerability has been sighted, and its source has been publicly posted.
An Apache httpd bug related to chunked encoding presents a denial
of service vulnerability. For some platforms,
including both 32-bit and 64-bit Linux, it is also a potential remote exploit vulnerability.
A "carefully crafted invalid request" may be
used to trigger the bug. The problem is fixed in Apache
2.0.39 and 1.3.26, which may be downloaded
from here.
For more information, see the advisories from CERT and the Apache Group.
This vulnerability has been widely publicized. Applying a patch from your vendor or upgrading to the latest version from the Apache Software Foundation is strongly encouraged. Avoid patches from other sources; at least one patch that
does not address the full scope of the problem has been circulated.
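The chunk-size field is the untrusted number in this protocol: it is a hex string supplied by the client, and a server that parses it into a signed integer and then uses it as a length can be made to copy far more than it meant to. The decoder below is an added example, written for this page rather than taken from Apache, of handling that field strictly: hex digits only, an explicit upper bound before the value is ever used as a length, and the data, CRLF terminators and trailers all checked against the bytes that are actually present. The size limits are policy values chosen for the example; the request bodies are constructed.

```python
# Added example: a strict decoder for HTTP/1.1 chunked transfer-coding,
# written for this note (it is not Apache's parser).  The size limits are
# policy choices for the example; the request bodies are constructed.

class ChunkedError(ValueError):
    pass

MAX_CHUNK = 1 << 20       # largest single chunk accepted (1 MiB)
MAX_BODY = 8 << 20        # largest decoded body accepted (8 MiB)
MAX_LINE = 256            # bound on any line read before the data

HEXDIGITS = b"0123456789abcdefABCDEF"

def _read_line(buf, pos):
    end = buf.find(b"\r\n", pos)
    if end < 0 or end - pos > MAX_LINE:
        raise ChunkedError("line missing CRLF or too long")
    return buf[pos:end], end + 2

def parse_chunk_size(line):
    """Parse 'chunk-size [; chunk-ext]' with hex digits only.  Refusing
    signs, '0x' and embedded whitespace up front means the value can
    never be negative or wrap when it is later used as a length."""
    field = line.split(b";", 1)[0].strip(b" \t")
    if not field or len(field) > 16 or any(c not in HEXDIGITS for c in field):
        raise ChunkedError("bad chunk-size field %r" % field)
    size = int(field, 16)
    if size > MAX_CHUNK:
        raise ChunkedError("chunk of %d bytes exceeds limit" % size)
    return size

def decode_chunked(buf):
    """Return the decoded body, or raise ChunkedError on anything malformed."""
    out = bytearray()
    pos = 0
    while True:
        line, pos = _read_line(buf, pos)
        size = parse_chunk_size(line)
        if size == 0:
            break
        if len(out) + size > MAX_BODY:
            raise ChunkedError("decoded body exceeds limit")
        if pos + size + 2 > len(buf):
            raise ChunkedError("truncated chunk")
        out += buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != b"\r\n":
            raise ChunkedError("chunk data not followed by CRLF")
        pos += 2
    while True:                      # optional trailer fields, then the empty line
        line, pos = _read_line(buf, pos)
        if not line:
            break
    return bytes(out)

# Constructed request bodies
GOOD = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
WITH_EXT = b"4;name=\"v\"\r\nWiki\r\n0\r\nX-Trailer: 1\r\n\r\n"
NEGATIVE = b"-1\r\n\r\n0\r\n\r\n"                 # what a lenient strtol() would accept
HUGE = b"FFFFFFFFFFFFFFFF\r\n\r\n0\r\n\r\n"       # wraps a 32- or 64-bit signed length
TRUNCATED = b"10\r\nshort\r\n0\r\n\r\n"           # announces 16 bytes, carries 5

def demo():
    results = {}
    for name, body in [("good", GOOD), ("with_ext", WITH_EXT), ("negative", NEGATIVE),
                       ("huge", HUGE), ("truncated", TRUNCATED)]:
        try:
            results[name] = decode_chunked(body)
        except ChunkedError as exc:
            results[name] = "rejected: " + str(exc)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-10s %r" % (name, outcome))
```

The point of the ordering in `parse_chunk_size` is that the value is rejected or bounded before any arithmetic is done with it; a decoder that compares sizes only after converting them to a machine integer is exactly where a sign or wrap-around error hides.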
Cross-site scripting vulnerability in Horde/IMP 2.2.7 and 3.0
Package(s):
imp horde/imp
CVE #(s):
Created:
May 21, 2002
Updated:
June 19, 2002
Description:
Version 2.2.8 of IMP has been released; it
fixes some vulnerabilities. "The Horde team announces the
availability of IMP 2.2.8, which prevents some potential cross-site
scripting (CSS) attacks." Upgrading
to IMP 3.1 or, at least, 2.2.8 is recommended
(First LWN
report: April 11, 2002).
Update: IMP 3.0, which was initially believed to be
immune, is also vulnerable. The problem
is fixed in IMP 3.1.
Here is an advisory from the Computer Emergency Response Team (CERT)
regarding the denial of service vulnerability in version 9 of the BIND
nameserver, up to 9.2.1. An attacker can send a properly crafted packet
which triggers a check within BIND and causes it to shut down. The
vulnerability cannot be exploited for any purpose beyond denial of
service, but that is bad enough; if you are running BIND 9, an upgrade
is probably a good idea.
Note that many or most systems out there will still be running
BIND 8, and thus will not be vulnerable.
We encourage dhcp users to upgrade, disable dhcp or, at a minimum,
consider
using ingress filtering as described in the CERT advisory.
(First LWN
report: May 16).
Note: Distributions which use version 2 of ISC DHCP, such as Red Hat
Linux,
are not vulnerable.
Ethereal 0.9.3, released by the Ethereal team on March 30th, fixed three
packet handling vulnerabilities present in 0.9.2.
The PROTOS test
suite found some flaws in SNMP and LDAP protocols support.
Malformed packets could also crash Ethereal 0.9.2 due to an
ASN.1 zero-length g_malloc problem.
The zlib "double free" vulnerability
was addressed by the updates for that bug from many distributors. (First LWN
report: May 2).
Update: The May 19, 2002 release of Ethereal 0.9.4
fixes four potential security issues in Ethereal 0.9.3. Please see
the new vulnerability for more information.
Ethereal 0.9.4
was released
on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
The SMB dissector could potentially dereference a NULL pointer in two cases.
The X11 dissector could potentially overflow a buffer while parsing keysyms.
The DNS dissector could go into an infinite loop while reading a malformed packet.
The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
Ethereal 0.9.2 has several packet handling vulnerabilities (the PROTOS
SNMP and LDAP findings, the ASN.1 zero-length g_malloc crash and the zlib
"double free" bug, covered in the 0.9.3 entry above) that are best avoided by
upgrading to 0.9.4.
Fetchmail versions prior to 5.9.10 have a buffer overflow vulnerability
that may be exploited by a malicious IMAP server.
The fetchmail client allocated memory to store the sizes of the
messages it is attempting to retrieve based on
a message count provided by the IMAP server.
A malicious IMAP server could provide an artificially
large message count to force the
fetchmail process to write data outside of the allocated memory. (First LWN
report: May 9).
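The general lesson from the fetchmail bug is that a server-supplied count, and the message numbers in the responses that follow it, are both attacker input. The example below, written for this page and not taken from fetchmail, caps the EXISTS count before anything is sized from it and range-checks every number in the FETCH replies before it is used as an index into the table the count sized. The cap is a policy value chosen for the example and the server lines are constructed.

```python
# Added example: an IMAP client-side check that trusts neither the
# message count nor the message numbers a server sends back.  Written
# for this note; not fetchmail code.  The server lines are constructed.
import re

MAX_MESSAGES = 1_000_000          # sanity cap on "* N EXISTS" (policy value for the example)

class ProtocolError(Exception):
    pass

EXISTS_RE = re.compile(rb"^\* (\d+) EXISTS$")
SIZE_RE = re.compile(rb"^\* (\d+) FETCH \(RFC822\.SIZE (\d+)\)$")

def message_count(line):
    """Parse the untagged EXISTS response and refuse implausible counts
    before any allocation is sized from them."""
    m = EXISTS_RE.match(line)
    if not m:
        raise ProtocolError("expected EXISTS, got %r" % line)
    count = int(m.group(1))
    if count > MAX_MESSAGES:
        raise ProtocolError("implausible message count %d" % count)
    return count

def collect_sizes(count, fetch_lines):
    """Fill a table of `count` sizes from 'FETCH (RFC822.SIZE n)' responses.
    A C client that did sizes[num - 1] = size on a buffer of `count` ints
    without the range check below would let the server choose the write
    address; here an out-of-range number is a protocol error."""
    sizes = [None] * count
    for line in fetch_lines:
        m = SIZE_RE.match(line)
        if not m:
            raise ProtocolError("unexpected response %r" % line)
        num, size = int(m.group(1)), int(m.group(2))
        if not 1 <= num <= count:
            raise ProtocolError("message number %d outside 1..%d" % (num, count))
        sizes[num - 1] = size
    return sizes

def session(exists_line, fetch_lines):
    count = message_count(exists_line)
    return collect_sizes(count, fetch_lines)

# Constructed server responses
HONEST = (b"* 2 EXISTS",
          [b"* 1 FETCH (RFC822.SIZE 1234)", b"* 2 FETCH (RFC822.SIZE 99)"])
ROGUE_NUMBER = (b"* 2 EXISTS",
                [b"* 1 FETCH (RFC822.SIZE 1234)", b"* 7 FETCH (RFC822.SIZE 0)"])
ROGUE_COUNT = (b"* 2147483648 EXISTS", [])

def demo():
    results = {}
    for name, (exists, fetches) in [("honest", HONEST), ("rogue_number", ROGUE_NUMBER),
                                    ("rogue_count", ROGUE_COUNT)]:
        try:
            results[name] = session(exists, fetches)
        except ProtocolError as exc:
            results[name] = "rejected: " + str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```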
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and the 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
Ghostscript may be used to execute arbitrary commands with a maliciously formed PostScript file.
Since ghostscript is frequently used while printing documents, updating
is strongly recommended.
The vulnerability has been fixed in the 6.53 source release of GNU Ghostscript.
The glibc filename globbing code has a buffer overflow problem.
For those who are interested, Global InterSec LLC has provided
a detailed description
of this vulnerability.
This problem was first reported by LWN on December 20th.
UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft
a request to run commands on the server under their UID and GID.
(First LWN report: May 23).
Barry A. Warsaw announced
the release of Mailman 2.0.11
"which fixes two
cross-site scripting exploits, one reported by "office" in the admin
login page, and another reported by Tristan Roddis in the Pipermail
index summaries.
It is recommended that all sites upgrade their 2.0.x systems to this
version."
This XMLHttpRequest security
bug impacts all Mozilla-based browsers. "The bug is found in versions of
Mozilla from 0.9.7 to 0.9.9 on various operating
system platforms, and in Netscape versions 6.1 and
higher."
(First LWN
report: May 2).
The nss_ldap package includes the pam_ldap module for
authenticating a user with an LDAP database.
Pam_ldap versions prior to 144 have a format string
bug in the logging mechanism.
Pine has an unpleasant URL handling vulnerability which can lead to
command execution by remote attackers.
(First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution,
setting enable-msg-view-urls to "off" in pine's setup will
avoid the vulnerability. (Thanks to Greg Herlein).
According to the CVE entry,
"uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute commands."
(First LWN
report: May 16).
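What the CVE text describes is the classic pre-planted-target problem: the output name comes from the begin line of attacker-supplied input, and the decoder writes to whatever already sits at that path. The example below, written for this page (it is not sharutils code), strips directory components from the header name and then creates the output with O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it), so an existing symlink, FIFO or file causes a refusal instead of a write through it; the lstat is only there to name the reason. Unlike uudecode it never overwrites an existing file, a stricter policy chosen for the example. The victim file, symlink and FIFO are constructed in a temporary directory.

```python
# Added example: creating a decoder's output file without following a
# pre-planted symlink or writing into a FIFO.  Written for this note;
# not sharutils code.  Files below are constructed in a temp directory.
import os
import stat
import tempfile

class UnsafeTarget(Exception):
    pass

def output_path(directory, header_name):
    """Keep only the last component of the name from the 'begin' line, so a
    header such as 'begin 644 ../.ssh/authorized_keys' stays inside `directory`."""
    base = os.path.basename(header_name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise UnsafeTarget("unusable output name %r" % header_name)
    return os.path.join(directory, base)

def open_output_safely(path):
    """Return a descriptor for a freshly created `path`.  O_CREAT|O_EXCL fails
    if anything is already there (regular file, symlink, dangling symlink,
    FIFO), so the attacker cannot pre-plant a target; O_NOFOLLOW is added
    where the platform has it.  The lstat only exists to name the reason."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        st = None
    if st is not None:
        if stat.S_ISLNK(st.st_mode):
            raise UnsafeTarget("target is a symbolic link")
        if stat.S_ISFIFO(st.st_mode):
            raise UnsafeTarget("target is a named pipe")
        raise UnsafeTarget("target already exists")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)

def write_decoded(path, data):
    fd = open_output_safely(path)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as f:
            f.write("keep me\n")
        # Attacker pre-plants out.bin as a symlink to the victim file.
        link = output_path(d, "out.bin")
        os.symlink(victim, link)
        try:
            write_decoded(link, b"evil")
            results["symlink"] = "written"
        except UnsafeTarget as exc:
            results["symlink"] = str(exc)
        with open(victim) as f:
            results["victim_intact"] = f.read() == "keep me\n"
        fresh = output_path(d, "../../fresh.bin")    # directory part is dropped
        write_decoded(fresh, b"payload")
        with open(fresh, "rb") as f:
            results["fresh"] = f.read()
        if hasattr(os, "mkfifo"):
            fifo = output_path(d, "pipe.bin")
            os.mkfifo(fifo)
            try:
                write_decoded(fifo, b"x")
                results["fifo"] = "written"
            except UnsafeTarget as exc:
                results["fifo"] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```

The check-then-open sequence is not itself a race, because the open flags, not the lstat, are what refuse a target planted between the two calls.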
A buffer overflow in tcpdump can be triggered by a bad NFS packet when
tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
This telnet daemon vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
Most SNMP
implementations out there have a variety of buffer overflow vulnerabilities
and should be upgraded at first opportunity. See this CERT advisory for more. (First
LWN report: February 14).
webalizer: reverse DNS buffer overflow vulnerability
Package(s):
webalizer
CVE #(s):
Created:
May 21, 2002
Updated:
January 27, 2003
Description:
The cause is a buffer overflow bug.
This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victim's DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
This one is scary. The session ID
spoofing vulnerability allows the "possibility that arbitrary
commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th the advice was to disable the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
A malicious IRC server may
return a response to a /dns query that executes arbitrary commands
with the privileges of the user running XChat.
Versions of XChat prior to 1.8.9 are vulnerable.
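Webalizer's overflow (above) and the XChat /dns problem are two ends of the same mistake: a DNS name handed over by a remote party (a spoofed PTR answer in one case, an IRC server's reply in the other) is used unchecked, once as data copied into a fixed-size record and once as text handed to a shell. The example below, written for this page and not taken from either project, validates the name's shape and length first, refuses rather than truncates when it does not fit the record, and passes it to the resolver as a separate argv element instead of interpolating it into a command string; a leading hyphen is rejected so the name cannot be read as an option either. The record size and the responses are constructed, and nothing is executed in the demo.

```python
# Added example: validating DNS names before they reach a fixed-size
# buffer or a child process.  Written for this note; not webalizer or
# XChat code.  The responses and record size are constructed.
import re
import shlex
import subprocess

LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_NAME = 253            # presentation-format limit for a full name
BUFFER_SIZE = 64          # size of the constructed per-host record

def valid_hostname(name):
    """RFC 1123 shape: 1..253 chars, dot-separated labels of 1..63 chars,
    letters, digits and interior hyphens only.  Everything an IRC server or
    a spoofed PTR answer could smuggle in (spaces, ';', '$', a leading '-')
    fails here."""
    if not name or len(name) > MAX_NAME:
        return False
    labels = name.rstrip(".").split(".")
    return all(LABEL_RE.match(lbl) for lbl in labels)

def store_reverse_name(buf, name):
    """Copy a resolved name into a bounded record; refuse if it will not fit
    with its terminator, instead of truncating or running past the end."""
    if not valid_hostname(name):
        return False
    encoded = name.encode("ascii")
    if len(encoded) + 1 > len(buf):
        return False
    buf[:len(encoded)] = encoded
    buf[len(encoded)] = 0
    return True

def unsafe_dns_command(name):
    # The pattern behind the XChat report: interpolating remote text into a
    # shell command line.  Kept only to show what gets executed.
    return "host %s" % name

def safe_dns_argv(name):
    """argv for the lookup: the name is one argument, never re-parsed by a
    shell, and cannot start with '-' because valid_hostname forbids it."""
    if not valid_hostname(name):
        raise ValueError("not a hostname: %r" % name)
    return ["host", name]

def lookup(name):
    """For interactive use; the demo never calls this."""
    return subprocess.run(safe_dns_argv(name), capture_output=True, text=True, timeout=5)

# Constructed responses a remote party might return
SERVER_RESPONSES = [
    "irc.example.net",                                   # ordinary answer
    ".".join(["b" * 30, "c" * 30, "example", "net"]),    # valid, but 73 bytes: too long for the record
    "a" * 70 + ".example.net",                           # label over 63 octets
    "x.example.net; rm -rf ~",                           # shell metacharacters
    "-n.example.net",                                    # would be read as an option by the child
    "host.example.net.",                                 # trailing dot is legitimate
]

def demo():
    results = {}
    for name in SERVER_RESPONSES:
        buf = bytearray(BUFFER_SIZE)
        try:
            argv = safe_dns_argv(name)
        except ValueError:
            argv = None
        results[name] = {"valid": valid_hostname(name),
                         "stored": store_reverse_name(buf, name),
                         "argv": argv}
    return results

if __name__ == "__main__":
    for name, r in demo().items():
        print("%-45r valid=%-5s stored=%-5s shell=%r" % (name, r["valid"], r["stored"], shlex.quote(name)))
```

Quoting with `shlex.quote` would also neutralise the metacharacter case, but it does nothing about the length or the leading hyphen; validating the name once and passing it as a single argv element covers all three.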
This tutorial by Linux Journal offers ideas to negotiate security and
scalability issues with clusters. "After we connected the two clusters through the VPN, users were able to log in to the master machine on the first cluster and submit jobs on both of the clusters through the queue system."
Niels Provos has released systrace for
OpenBSD and NetBSD. "Some work has started on a GNU/Linux port." Also see this post regarding systrace and the recent Apache vulnerabilities.
Systrace provides:
confinement of complex or untrusted binary applications;
interactive policy generation with a graphical user interface;
support for different emulations (GNU/Linux, BSDI, etc.);
non-interactive policy enforcement;
remote monitoring and intrusion detection;
automatic policy generation.
With a correctly configured policy the impact of programming errors in
system daemons can be constrained significantly.
The Fourth International Conference on Information and
Communications Security (ICICS 2002) will be
held in Singapore, December 9-12, 2002. The call for papers
closes 1 July 2002.
For additional security-related events, including training courses (which we
don't list above) and events further in the future, check out
Security Focus' calendar,
one of the primary resources we use for building the above list. To
submit an event directly to us, please send a plain-text message to
lwn@lwn.net.