OpenSSH 3.4 was released just five days
after the release of version 3.3.
The release closes "at least one major security vulnerability"; upgrading to 3.4 is recommended.
Please see the vulnerability report for a list of security alerts from distributors as they become available.
OpenSSH provides a critical entry point to many systems on the net;
this could be nasty. If you plan to wait for an update from your distributor, please consider
setting UsePrivilegeSeparation yes or ChallengeResponseAuthentication no
in sshd_config to avoid the vulenrability. UsePrivilegeSeparation is
only available in OpenSSH versions 3.2 or 3.3. Setting ChallengeResponseAuthentication may impeed customary access for some
or all of your users.
Version 3.3 firmed up "privilege separation" support, and made it the default. Essentially, privilege separation works by splitting the ssh server into two cooperating processes. One process is charged with talking to the network; it runs without privilege. The other process sits back, makes decisions, and hands out privileges when it's convinced that is the right thing to do.
The end result is that there is little to be achieved by compromising the "front line" process. Even if somebody does discover a vulnerability in that code, it can not be used to gain access to the system. The privileged process, by virtue of its simplicity and its separation from the network, is far easier to verify as being truly secure.
The 3.4 release closes the serious vulnerability described in advisories from
OpenSSH and ISS.
The vulnerability prompted a week long code audit by the OpenSSH team
which resulted in "many other fixes.
We believe that some of those fixes are likely to be important security fixes."
The Apache Software Foundation has issued an
updated advisory on the "chunk handling" vulnerability. Now that a
32-bit remote exploit is circulating, an Apache upgrade is suggested even
more urgently than before.
Meanwhile, ISS has sent out a response to the
extensive criticism it has taken for having announced the vulnerability
without allowing the ASF (or anybody else) any time to prepare patches.
"Due to the general nature of open-source and its openness, the
virtual organizations behind the projects do not have an ability to enforce
strict confidentiality. By notifying the open source project, its nature
is that the information is quickly spread in the wild disregarding any type
of quiet period. ISS X-Force minimizes the quiet period and delay of
protecting customers by providing a security patch."
If you haven't already, see this week's Leading Items for our opinion.
Two interesting papers considering the relationship between security and open source
were presented at the recent conference on
Open Source Software: Economics, Law and Policy
in
Toulouse (France).
Ross Anderson: "Security in Open versus Closed Systems - The Dance of Boltzmann, Coase and Moore" (PDF format)
However, there are more pressing security problems for the open source
community. The interaction between security and openness is entangled
with attempts to use security mechanisms for commercial advantage -
to entrench monopolies, to control copyright, and above all to control
interoperability. As an example, I will discuss TCPA, a recent initiative
by Intel and others to build DRM technology into the PC platform.
Roger Needham: "Security and Open Source" (PDF format)
Security problems in software are of course an extremely bad thing, regardless
of the business model under which the software was written. I want to consider
why anybody thinks that the business model matters, and whether there is
evidence that it does. I shall also look somewhat to the future.
Jarno Huuskonen reports a low risk possible local file overwrite (symlink attack) in Acrobat Reader 4.05.
Acrobat Reader 5.05 for Linux is available from Adobe (registration required). Some Linux
distributions include version 4.05.
The Duma Photo Gallery System
has been officially unmaintained since July 30, 2000. This week,
a vulnerability was reported that may allow an attacker to use DPGS to
overwrite files on the web server.
Systems running with UsePrivilegeSeparation yes or ChallengeResponseAuthentication no are not affected.
The 3.4 release contain many other fixes done over a week long audit started when this issue came to light. We believe that some of those fixes are likely to be important security fixes. Therefore, we urge an upgrade to 3.4.
OpenSSH 3.2 and later have the bug in input validation
but prevent the privilege escalation if privilege separation is enabled by setting
UsePrivilegeSeparation in sshd_config.
Version 3.3 was the first release to turn on "privilege separation" by default Essentially, privilege separation works by splitting the ssh server into two cooperating processes. One process is charged with talking to the network; it runs without privilege. The other process sits back, makes decisions, and hands out privileges when it's convinced that is the right thing to do.
CERT Advisory: CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Handling
The release of OpenSSH
3.3 includes greatly improved support for privilege separation,
which is now enabled by default.
The process charged with talking to the network; now runs without privilege.
Upgrading is strongly recommended (see below).
Previously any corruption in the sshd could lead to an immediate remote root compromise if it happened before authentication, and to local root compromise if it happend after authentication. Privilege Separation will make such compromise very difficult if not impossible.
Or to put it into the words of Theo de Raadt: "Privilege Separation will one day save our asses." So, turn it on now.
When upgrading with a 2.2.x kernel, disabling compression is recommended
to avoid this bug which causes sshd to log a fatal mmap argument error then crash.
Update:
According to this OpenSSH Security Advisory
OpenSSH 3.3 has a serious privilege escalation vulnerable.
Please see the
new vulnerability report
for more information and a list of available alerts.
It is past time to upgrade your Apache servers. A worm which takes advantage of the this vulnerability has been sighted, and its source has been publicly posted.
An apache httpd bug related to chunked encoding presents a denial
of service vulnerability. For some platforms,
including both 32-bit and 64-bit Linux, it is also a potential remote exploit vulnerability.
A "carefully crafted invalid request" may be
used to trigger the bug. The problem is fixed in Apache
2.0.39 and 1.3.26, which may be downloaded
from here.
For more information, see the advisories from CERT and the Apache Group.
This vulnerability has been widely publicized. Applying a patch from your vendor or upgrading to the latest version from the Apache Software Foundation is strongly encouraged. Avoid patches from other sources; at least one patch that
does not address the full scope of the problem has been circulated.
Here is an advisory from the Computer Emergency Response Team (CERT)
regarding the denial of service vulnerability in version 9 of the BIND
nameserver, up to 9.2.1. An attacker can send a properly crafted packet
which triggers a check within BIND and causes it to shut down. The
vulnerability can not be exploited for any purpose beyond denial of
service, but that is bad enough; if you are running BIND 9, an upgrade
is probably a good idea.
Note that many or most systems out there will still be running
BIND 8, and thus will not be vulnerable.
We encourage dhcp users to upgrade, disable dhcp or, at a minimum,
consider
using ingress filtering as described in the CERT advisory.
(First LWN
report: May 16).
Note: Distributions which use version 2 of ISC DHCP, such as Red Hat
Linux,
are not vulnerable.
Ethereal 0.9.4
was released
on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
The SMB dissector could potentially dereference a NULL pointer in two cases.
The X11 dissector could potentially overflow a buffer while parsing keysyms.
The DNS dissector could go into an infinite loop while reading a malformed packet.
The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
Ethereal 0.9.2 has several packet handling vulnerabilities
that are best avoided by upgrading to 0.9.4.
The PROTOS test
suite found some flaws in SNMP and LDAP protocols support.
Malformed packets could also crash ethereal 0.9.2 due to a
ASN.1 zero-length g_malloc problem.
The zlib "double free" vulnerability
was addressed by the updates for that bug from many distributors.
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
The glibc filename globbing code has a buffer overflow problem.
For those who are interested, Global InterSec LLC has provided
a detailed description
of this vulnerability.
This problem was first reported by LWN on December 20th.
UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft
a request to run commands on the server under their UID and GID.
(First LWN report: May 23).
Cross-site scripting vulnerability in Horde/IMP 2.2.7 and 3.0
Package(s):
imp horde/imp
CVE #(s):
Created:
May 21, 2002
Updated:
June 19, 2002
Description:
Version 2.2.8 of IMP has been released, it
fixes some vulnerabilities. "The Horde team announces the
availability of IMP 2.2.8, which prevents some potential cross-site
scripting (CSS) attacks." Upgrading
to IMP 3.1 or, at least, 2.2.8 is recommended
(First LWN
report: April 11, 2002).
Update: IMP 3.0, which was initially believed to be
immune, is also vulnerable. The problem
is fixed in IMP 3.1.
Barry A. Warsaw announced
the release of Mailman 2.0.11
"which fixes two
cross-site scripting exploits, one reported by "office" in the admin
login page, and another reported by Tristan Roddis in the Pipermail
index summaries.
It is recommended that all sites upgrade their 2.0.x systems to this
version."
This XMLHttpRequest security
bug impacts all Mozilla-based browsers. "The bug is found in versions of
Mozilla from 0.9.7 to 0.9.9 on various operating
system platforms, and in Netscape versions 6.1 and
higher."
(First LWN
report: May 2).
The nss_ldap package includes the pam_ldap module for
authenticating a user with an LDAP database.
Pam_ldap versions prior to 144 have a string format
bug in the logging mechanism.
Pine has an
unpleasant
vulnerability in URL handling vulnerability which can lead to
command execution by remote attackers.
(First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution,
setting enable-msg-view-urls to "off" in pine's setup will
avoid the vulnerability. (Thanks to Greg Herlein).
According to the CVE entry,
"uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute commands."
(First LWN
report: May 16).
A buffer overflow in tcpdump can be triggered by a bad NFS packet when
tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
Most SNMP
implementations out there have a variety of buffer overflow vulnerabilities
and should be upgraded at first opportunity. See this CERT advisory for more. (First
LWN report: February 14).
webalizer: reverse DNS buffer overflow vulnerability
Package(s):
webalizer
CVE #(s):
Created:
May 21, 2002
Updated:
January 27, 2003
Description:
The cause is a buffer overflow bug.
This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victims DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
This one is scary. The session ID
spoofing vulnerability allows the "possibility that arbitrary
commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
A malicious IRC server may
return a response to a /dns query that executes arbitrary commands
with the privileges of the user running XChat.
Versions of XChat prior to 1.8.9 are vulnerable.
jose nazario has pointed us to the announcement of MOPS, a code auditing tool. "I wanted to announce a first prototype release of MOPS, a tool designed
to help find security bugs in C programs and verify their absence.
MOPS lets you statically (at compile time) verify facts about the ordering
of security-critical operations in the program."
For additional security-related events, included training courses (which we
don't list above) and events further in the future, check out
Security Focus' calendar,
one of the primary resources we use for building the above list. To
submit an event directly to us, please send a plain-text message to
lwn@lwn.net.
