By Jake Edge
August 12, 2009
For many years, the Nessus
network vulnerability scanner was a tool in the toolbox of most
free-software-oriented administrators. It provided a very useful,
GPL-licensed scanner to detect various network vulnerabilities,
misconfigurations, and other types of security problems in the network. But
that began to change in late 2005, when Nessus 3.0 switched to a non-free
license, so those looking for a free-software network scanner had to turn elsewhere.
There have been a number of attempts to fork the last GPL version of the
Nessus software (2.2), but the most successful to date has been the Open Vulnerability Assessment System (or
OpenVAS). The forked scanner has been making great strides to the point
where Debian's Nessus maintainer, Javier Fernández-Sanguino Peña, asked that
Nessus be removed from the unstable branch in favor of OpenVAS. In his message, he noted:
The main reason for this is that upstream is more
focused on maintaining its non-free version of Nessus (labeled version '3')
than the free version (the 2.2.x branch). Additionally, most of the plugins
(i.e. security tests) are now non-free.
There are really two parts to a vulnerability scanner: a core scanner and a
set of plugins that implement network vulnerability tests (or NVTs). Much
like the signature databases of virus scanners, NVTs are constantly being added and updated, and are
available via network feeds. For a vulnerability scanner to be really
usable, NVTs must be available for older vulnerabilities as well as being
developed for new ones as they come along. In the thread on the
debian-security mailing list, Tim Brown reports that OpenVAS has reached that point:
In specific relation to remote testing, it has almost everything the old
Nessus 2 GPL feed had plus a good deal more. There are a number of plugin
developers who are [focused] only on this part of the picture. I can tell you
for example that there are checks that are in OpenVAS that are *not* in
Nessus 3/4 for example.
AFAIK the only plugins that are in Nessus 2 but not in OpenVAS are those which
Tenable have since claimed are not GPL and for these the OpenVAS team are
actively developing replacements.
Where Debian goes, other distributions are likely to follow, so we may see
Nessus removed in favor of OpenVAS elsewhere as well. It is unfortunate
that Tenable, the company behind Nessus, was unable to find a way to
continue with a GPL-licensed Nessus, but the rise of OpenVAS shows the
power of code that is available under a free software license. That is not
to say that Tenable did anything wrong, it was their code and thus their
choice; in fact, the community should be grateful that they provided the
core of a nice tool for as long as they did. But, because the GPL allows
forks like OpenVAS, Nessus users still had a free software path to follow
once Tenable decided
to go in a different direction.
The main stumbling block to getting to this point has been the NVTs
released for Nessus. Those are governed by a separate license, which made it
legally dubious, at best, to use them in OpenVAS. So the OpenVAS developers had to tackle that
problem themselves. Based on Brown's message, it would seem they have
gotten most of the way there, and have an active community to continue that
work into the future.
Brief items
Wired looks at the use of Flash cookies implemented by Adobe's browser plugin. "Several services even use the surreptitious data storage to reinstate traditional cookies that a user deleted, which is called re-spawning in homage to video games where zombies come back to life even after being 'killed,' the report found. So even if a user gets rid of a website's tracking cookie, that cookie's unique ID will be assigned back to a new cookie again using the Flash data as the 'backup.'" See also this 2008 post from Gnash developer Rob Savoye, as well as an LWN article from last October, for more information on Flash cookies.
New vulnerabilities
apr: arbitrary code execution
Package(s): apr
CVE #(s): CVE-2009-2412
Created: August 6, 2009
Updated: May 10, 2010
Description:
From the Mandriva alert:
A vulnerability has been identified and corrected in apr and apr-util:
Fix potential overflow in pools (apr) and rmm (apr-util), where size
alignment was taking place (CVE-2009-2412).
camlimages: arbitrary code execution
Package(s): camlimages
CVE #(s): CVE-2009-2660
Created: August 10, 2009
Updated: June 1, 2010
Description:
From the Debian advisory:
Tielei Wang discovered that CamlImages, an open source image processing
library, suffers from several integer overflows which may lead to a
potentially exploitable heap overflow and result in arbitrary code
execution. This advisory addresses issues with the reading of JPEG and
GIF Images, while DSA 1832-1 addressed the issue with PNG images.
fetchmail: SSL impersonation vulnerability
Package(s): fetchmail
CVE #(s): CVE-2009-2666
Created: August 6, 2009
Updated: June 2, 2010
Description:
From the Slackware alert:
This update fixes an SSL NUL prefix impersonation attack through NULs in a
part of an X.509 certificate's CommonName and subjectAltName fields.
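The mechanism behind this advisory, as an added illustration that is not fetchmail's code: a certificate's CommonName, or a dNSName in subjectAltName, is an ASN.1 string that carries its own length, so it may legally contain a 0x00 byte. A CA that validates only the domain at the end of `www.example.com\0.attacker.test` will issue the certificate to attacker.test's owner, while a client that hands the bytes to C string functions stops at the NUL and believes it is talking to `www.example.com`. The constructed names, the hostnames and the two check functions are assumptions of this example; the hardened version rejects any embedded NUL and compares the full declared length.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample names. EVIL_CN is what a CA that only checks the
 * trailing domain (attacker.test) would sign; the NUL sits right after
 * the victim's hostname. The trailing NUL that the compiler adds is not
 * part of the ASN.1 value, hence the "- 1". */
static const unsigned char EVIL_CN[] = "www.example.com\0.attacker.test";
static const size_t EVIL_CN_LEN = sizeof(EVIL_CN) - 1;   /* 30 bytes, NUL included */

static const unsigned char GOOD_CN[] = "www.example.com";
static const size_t GOOD_CN_LEN = sizeof(GOOD_CN) - 1;   /* 15 bytes */

/* Vulnerable pattern: the ASN.1 length is discarded and the bytes are
 * treated as a C string, so strcmp() stops at the embedded NUL and only
 * "www.example.com" is ever compared. Returns 1 on (spurious) match. */
int name_matches_cstring(const unsigned char *name, size_t name_len,
                         const char *host)
{
    (void)name_len;                              /* the bug: length ignored */
    return strcmp((const char *)name, host) == 0;
}

/* Hardened check: refuse any NUL inside the declared length, require the
 * declared length to equal the hostname length, and compare every byte
 * case-insensitively (DNS names are case-insensitive). Returns 1 on match. */
int name_matches_safe(const unsigned char *name, size_t name_len,
                      const char *host)
{
    size_t i, host_len = strlen(host);

    if (memchr(name, '\0', name_len) != NULL)    /* NUL inside the name: forged */
        return 0;
    if (name_len != host_len)                    /* prefix or suffix mismatch */
        return 0;
    for (i = 0; i < name_len; i++) {
        if (tolower(name[i]) != tolower((unsigned char)host[i]))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("strcmp-style check, forged CN : %d (1 = fooled)\n",
           name_matches_cstring(EVIL_CN, EVIL_CN_LEN, "www.example.com"));
    printf("length-aware check, forged CN : %d\n",
           name_matches_safe(EVIL_CN, EVIL_CN_LEN, "www.example.com"));
    printf("length-aware check, genuine CN: %d\n",
           name_matches_safe(GOOD_CN, GOOD_CN_LEN, "WWW.example.com"));
    return 0;
}
```

The same length-aware comparison has to be applied to every dNSName in subjectAltName as well as to the CommonName, since the advisory names both fields; fixing the CommonName check alone leaves the alternative names open to the identical trick.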
java-1.6.0-openjdk: multiple vulnerabilities
Package(s): java-1.6.0-openjdk
CVE #(s): CVE-2009-2475, CVE-2009-2476, CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,
CVE-2009-2672, CVE-2009-2673, CVE-2009-2674, CVE-2009-2675, CVE-2009-2689,
CVE-2009-2690, CVE-2009-1896
Created: August 7, 2009
Updated: November 30, 2009
Description:
From the Fedora advisory:
CVE-2009-2475 OpenJDK information leaks in mutable variables
CVE-2009-2476 OpenJDK OpenType checks can be bypassed
CVE-2009-2625 OpenJDK XML parsing Denial-Of-Service
CVE-2009-2670 OpenJDK Untrusted applet System properties access
CVE-2009-2671 CVE-2009-2672 OpenJDK Proxy mechanism information leaks
CVE-2009-2673 OpenJDK proxy mechanism allows non-authorized socket
connections
CVE-2009-2674 Java Web Start Buffer JPEG processing integer overflow
CVE-2009-2675 Java Web Start Buffer unpack200 processing integer overflow
CVE-2009-2689 OpenJDK JDK13Services grants unnecessary privileges
CVE-2009-2690 OpenJDK private variable information disclosure
CVE-2009-1896 openjdk/netx grants privileges for signed jars to bundled
unsigned jars
libvorbis: denial of service
Package(s): libvorbis
CVE #(s): CVE-2009-2663
Created: August 11, 2009
Updated: August 17, 2010
Description:
From the CVE entry: libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and 3.5.x before 3.5.2 and other products, allows context-dependent attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file.
libxml: multiple vulnerabilities
Package(s): libxml
CVE #(s): CVE-2009-2414, CVE-2009-2416
Created: August 11, 2009
Updated: September 22, 2010
Description:
From the Red Hat advisory:
A stack overflow flaw was found in the way libxml processes the root XML
document element definition in a DTD. A remote attacker could provide a
specially-crafted XML file, which once opened by a local, unsuspecting
user, would lead to denial of service (application crash). (CVE-2009-2414)
Multiple use-after-free flaws were found in the way libxml parses the
Notation and Enumeration attribute types. A remote attacker could provide
a specially-crafted XML file, which once opened by a local, unsuspecting
user, would lead to denial of service (application crash). (CVE-2009-2416)
mantis: database credentials leak
Package(s): mantis
CVE #(s): none listed
Created: August 10, 2009
Updated: August 12, 2009
Description:
From the Debian advisory:
It was discovered that the Debian Mantis package, a web based bug
tracking system, installed the database credentials in a file with
world-readable permissions onto the local filesystem. This allows
local users to acquire the credentials used to control the Mantis
database.
memcached: heap-based buffer overflow
Package(s): memcached
CVE #(s): CVE-2009-2415
Created: August 7, 2009
Updated: December 11, 2009
Description:
From the Debian advisory:
Ronald Volgers discovered that memcached, a high-performance memory object
caching system, is vulnerable to several heap-based buffer overflows due
to integer conversions when parsing certain length attributes. An
attacker can use this to execute arbitrary code on the system running
memcached (on etch with root privileges).
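A worked illustration of the "integer conversions when parsing length attributes" class the advisory describes, added here; it is not memcached's source, and the command shape, the function names and the 1 MiB cap are assumptions of the example. The decimal byte count in a text-protocol command is attacker-controlled text; reading it into a signed int and then converting to size_t lets a negative value wrap, so the allocation no longer matches the body the client sends next, which is the heap overflow. The hardened parser accepts digits only, consumes the whole field, detects ERANGE and applies a cap that also keeps the "+2 for CRLF" from overflowing.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-item cap for this example (memcached's real limit is a
 * configuration matter and is not the point here). */
#define MAX_ITEM_BYTES ((size_t)1024 * 1024)

/* Vulnerable pattern: the <bytes> field of a constructed
 * "set <key> <flags> <exptime> <bytes>" line is parsed into a signed int,
 * converted to size_t and padded for the trailing "\r\n".
 *   "-2" -> (size_t)-2 + 2 wraps to 0, so a zero-byte buffer is allocated
 *   "-3" -> (size_t)-3 + 2 == SIZE_MAX
 * Either way the buffer does not match the bytes that follow on the wire. */
size_t alloc_size_unchecked(const char *len_field)
{
    int vlen = (int)strtol(len_field, NULL, 10);   /* sign and range unchecked */
    return (size_t)vlen + 2;                       /* unsigned wrap, well defined */
}

/* Hardened parse. Returns the allocation size, or 0 to signal rejection
 * (a valid size is always >= 2, so 0 is unambiguous). */
size_t alloc_size_checked(const char *len_field)
{
    char *end;
    unsigned long long v;

    /* strtoull() would skip leading spaces and accept a '-' sign; insist on
     * a digit first so neither slips through. */
    if (len_field[0] == '\0' || !isdigit((unsigned char)len_field[0]))
        return 0;
    errno = 0;
    v = strtoull(len_field, &end, 10);
    if (errno == ERANGE || *end != '\0')           /* overflow or trailing junk */
        return 0;
    if (v > MAX_ITEM_BYTES)                        /* policy cap; keeps v + 2 safe */
        return 0;
    return (size_t)v + 2;
}

int main(void)
{
    const char *fields[] = { "5", "-2", "-3", " 5", "5x", "1048577" };
    size_t i;
    for (i = 0; i < sizeof(fields) / sizeof(fields[0]); i++) {
        printf("field \"%s\": unchecked=%zu checked=%zu\n", fields[i],
               alloc_size_unchecked(fields[i]), alloc_size_checked(fields[i]));
    }
    return 0;
}
```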
squid3: multiple denial of service vulnerabilities
Package(s): squid3
CVE #(s): CVE-2009-2622, CVE-2009-2621
Created: August 10, 2009
Updated: August 18, 2009
Description:
From the Mandriva advisory:
Due to incorrect buffer limits and related bound checks Squid is
vulnerable to a denial of service attack when processing specially
crafted requests or responses (CVE-2009-2621).
Due to incorrect data validation Squid is vulnerable to a denial
of service attack when processing specially crafted responses
(CVE-2009-2622).
subversion: heap overflows
Package(s): subversion
CVE #(s): CVE-2009-2411
Created: August 7, 2009
Updated: December 8, 2009
Description:
From the subversion advisory:
Subversion clients and servers have multiple heap overflow issues in
the parsing of binary deltas. This is related to an allocation
vulnerability in the APR library used by Subversion.
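An added illustration of the size-alignment overflow named in the apr entry above (CVE-2009-2412) and relied upon here, where Subversion passes sizes taken from a binary delta to the APR pool allocator. It is example code, not APR's or Subversion's source; the idiom has the shape of APR's APR_ALIGN macro, but the function names, the power-of-two check and the SIZE_MAX error sentinel are assumptions. Rounding a size up to an alignment boundary adds `boundary - 1` first, and for a size a few bytes below SIZE_MAX that addition wraps, so the allocator hands back a block far smaller than the caller then writes into.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Round size up to the next multiple of a power-of-two boundary. This is
 * the classic pool-allocator idiom (APR_ALIGN has this shape). */
#define ALIGN_UP(size, boundary) \
    (((size) + ((boundary) - 1)) & ~((size_t)(boundary) - 1))

/* Vulnerable pattern: align without checking for wrap-around.
 *   align_unchecked(SIZE_MAX - 2, 8) -> (SIZE_MAX + 5) wraps to 4 -> 4 & ~7 == 0
 * so a request for almost SIZE_MAX bytes is satisfied with 0 bytes. */
size_t align_unchecked(size_t size, size_t boundary)
{
    return ALIGN_UP(size, boundary);
}

/* Hardened version: reject a boundary that is not a power of two and any
 * size that cannot be rounded up without overflow. SIZE_MAX is returned as
 * the error sentinel; it is never a valid aligned size for boundary >= 2. */
size_t align_checked(size_t size, size_t boundary)
{
    if (boundary == 0 || (boundary & (boundary - 1)) != 0)
        return SIZE_MAX;                          /* not a power of two */
    if (size > SIZE_MAX - (boundary - 1))
        return SIZE_MAX;                          /* size + (boundary-1) would wrap */
    return ALIGN_UP(size, boundary);
}

int main(void)
{
    size_t requests[] = { 13, 4096, SIZE_MAX - 7, SIZE_MAX - 2 };
    size_t i;
    for (i = 0; i < sizeof(requests) / sizeof(requests[0]); i++) {
        size_t granted = align_unchecked(requests[i], 8);
        size_t checked = align_checked(requests[i], 8);
        printf("request %zu: unchecked grants %zu%s, checked -> %s\n",
               requests[i], granted,
               granted < requests[i] ? " (UNDER-ALLOCATED)" : "",
               checked == SIZE_MAX ? "rejected" : "ok");
    }
    return 0;
}
```

The check belongs in the allocator, not in each caller: once a pool rounds sizes internally, every caller that forwards an untrusted length (a delta window size, a string length from a packet) inherits the wrap unless the allocator itself refuses sizes near SIZE_MAX.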
wireshark: multiple vulnerabilities
Package(s): wireshark
CVE #(s): CVE-2009-2560, CVE-2009-2562, CVE-2009-2563
Created: August 6, 2009
Updated: May 28, 2010
Description:
From the National Vulnerability Database entries:
CVE-2009-2560:
"Multiple unspecified vulnerabilities in Wireshark 1.2.0 allow remote attackers to cause a denial of service (crash) via unspecified vectors in the Bluetooth L2CAP, RADIUS, or MIOP dissectors."
CVE-2009-2562:
"Unspecified vulnerability in the AFS dissector in Wireshark 0.9.2 through 1.2.0 allows remote attackers to cause a denial of service (crash) via unknown vectors."
CVE-2009-2563:
"Unspecified vulnerability in the Infiniband dissector in Wireshark 1.0.6 through 1.2.0, when running on unspecified platforms, allows remote attackers to cause a denial of service (crash) via unknown vectors."
wordpress: remote admin password reset
Package(s): wordpress
CVE #(s): none listed
Created: August 12, 2009
Updated: August 12, 2009
Description:
From the advisory on full-disclosure:
A web browser is sufficient to reproduce this proof of concept:
http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
The password will be reset without any confirmation.
An attacker could exploit this vulnerability to compromise the admin account
of any wordpress/wordpress-mu <= 2.8.3
Page editor: Jake Edge