Brief items
Congratulations to the
Open Web Application Security Project on this, its first release.
OWASP's “Guide to Building Secure Web Applications" is now available in
HTML or
PDF format.
The Guide covers various web application security
topics from architecture to preventing attack
specifics like cross site scripting, cookie
poisoning and SQL injection. Its 80 pages of pure
web application security and no vendor marketing in
sight! The document is released under the GNU
documentation license and was a community volunteer
effort. Big kudos to all those involved.
The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteers from across the world. The project is developing software tools and knowledge based documentation that helps people secure web applications and web services. Much of the work is driven by discussions on the Web Application Security list at SecurityFocus.com.
Full Story (comments: 1)
Ross Anderson has
released version 0.1 of of TCPA / Palladium Frequently Asked Questions.
Ross Anderson is the leader of the
Computer Security Group at the University of Cambridge Computer Laboratory.
His recent paper (available in
PDF format) on security in open vs closed systems was the subject of articles in the
New York Times and
News.com as well
as
last week's Security page.
Full Story (comments: 1)
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does
not
affect Linux.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Details on the vulnerability
are available in the CERT Advisory.
Full Story (comments: none)
Turbolinux, it seems, quietly put out a big
pile of updated RPMs on the
Turbolinux Security Center
in the first half of June.
No advisories, just RPMs.
Although they do not address the current apache or ssh problems,
this is still a welcome sign that TurboLinux may be taking security more seriously.
We expressed concern with the lack of security updates
from TurboLinux back in
January.
Comments (none posted)
Security reports
It is
way past time to upgrade your Apache servers.
A worm which takes advantage of the "chunk handling" vulnerability has been sighted, and its source has been publicly posted.
For a list of distributor alerts,
see the
vulnerability report.
The June 2002 Netcraft Web Server Survey
estimated that as of July 1st there were still "around 14 Million
potentially vulnerable Apache sites."
ZDNet covered the worm with articles on
its
history and
speculation on the potential
for a new wave of network attacks.
Robert Lemos chronicled the mildness of the worm's impact so far
for CNET News.com
in articles published June 28th and July 1st. Capture of the worm in
a honeypot system was reported on
June 28th.
Comments (none posted)
Despite a report to the contrary this week, Jamie McCarthy assures us that
the cross site scripting vulnerability which took down slashdot.org
is
not in the 2.2.5 release, or any other stable release.
"The bug was introduced in CVS on June 17 and was fixed on July 1."
Full Story (comments: none)
Betsie version 1.5.11,
and all versions before, have a cross site scripting vulnerability which
is fixed in
version 1.5.12.
Betsie stands for BBC Education Text to Speech Internet Enhancer, and is a simple Perl script which is intended to alleviate some of the problems experienced by people using text to speech systems for web browsing.
Full Story (comments: none)
Paul Szabo reports a symlink attack vulnerability in Acrobat Reader 5.05.
Acroread uses a file it creates with wide open permissions
(mode 666) in /tmp;
"it also follows
symlinks."
Jarno Huuskonen
reported a similar vulnerabilty in Acrobat Reader 4.05 last week.
Full Story (comments: none)
Script injection vulnerabilities were reported in
Xitami 2.5 Beta
from
iMatix.
Xitami is a high performance portable web server.
Full Story (comments: none)
New vulnerabilities
Apache mod_ssl off-by-one local code execution and DoS vulnerability
| Package(s): | libapache-mod-ssl mod_ssl |
CVE #(s): | CAN-2002-0653
|
| Created: | July 2, 2002 |
Updated: | August 14, 2002 |
| Description: |
Mod-ssl provides strong cryptography for the Apache webserver
via the Secure Sockets Layer (SSL).
A maliciously-crafted .htaccess file, may
be used by an attacker to execute arbitrary
commands as the httpd user or launch a denial of service attack.
The problem is fixed in mod_ssl 2.8.10 which is available
from here.
For more information see the announcement. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
Apache 'chunk handling' vulnerability
| Package(s): | apache |
CVE #(s): | CAN-2002-0392
|
| Created: | June 19, 2002 |
Updated: | July 3, 2002 |
| Description: |
It is past time to upgrade your Apache servers. A worm which takes advantage of the this vulnerability has been sighted, and its source has been publicly posted.
An apache httpd bug related to chunked encoding presents a denial
of service vulnerability. For some platforms,
including both 32-bit and 64-bit Linux, it is also a potential remote exploit vulnerability.
A "carefully crafted invalid request" may be
used to trigger the bug. The problem is fixed in Apache
2.0.39 and 1.3.26, which may be downloaded
from here.
For more information, see the advisories from CERT and the Apache Group.
This vulnerability has been widely publicized. Applying a patch from your vendor or upgrading to the latest version from the Apache Software Foundation is strongly encouraged. Avoid patches from other sources; at least one patch that
does not address the full scope of the problem has been circulated.
|
| Alerts: |
|
Comments (none posted)
Heap corruption vulnerability in at
| Package(s): | at at, sudo, xchat |
CVE #(s): | CAN-2002-0004
|
| Created: | May 21, 2002 |
Updated: | May 15, 2003 |
| Description: |
The at command has a
potentially exploitable heap corruption bug.
(First LWN report: January 17th).
|
| Alerts: |
|
Comments (none posted)
Denial of service vulnerability in version 9 of BIND
| Package(s): | bind |
CVE #(s): | CAN-2002-0400
|
| Created: | June 5, 2002 |
Updated: | August 19, 2002 |
| Description: |
Here is an advisory from the Computer Emergency Response Team (CERT)
regarding the denial of service vulnerability in version 9 of the BIND
nameserver, up to 9.2.1. An attacker can send a properly crafted packet
which triggers a check within BIND and causes it to shut down. The
vulnerability can not be exploited for any purpose beyond denial of
service, but that is bad enough; if you are running BIND 9, an upgrade
is probably a good idea.
Note that many or most systems out there will still be running
BIND 8, and thus will not be vulnerable.
News articles on the vulnerability appear in the
Register
and
Network World Fusion News. |
| Alerts: |
|
Comments (none posted)
Ethereal buffer overflow, infinite loop and memory management vulnerabilities
| Package(s): | ethereal |
CVE #(s): | CAN-2002-0012
CAN-2002-0013
CAN-2002-0353
CAN-2002-0401
CAN-2002-0402
CAN-2002-0403
CAN-2002-0404
|
| Created: | June 12, 2002 |
Updated: | October 27, 2002 |
| Description: |
Ethereal 0.9.4
was released
on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
- The SMB dissector could potentially dereference a NULL pointer in two cases.
- The X11 dissector could potentially overflow a buffer while parsing keysyms.
- The DNS dissector could go into an infinite loop while reading a malformed packet.
- The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
Ethereal 0.9.2 has several packet handling vulnerabilities
that are best avoided by upgrading to 0.9.4.
The PROTOS test
suite found some flaws in SNMP and LDAP protocols support.
Malformed packets could also crash ethereal 0.9.2 due to a
ASN.1 zero-length g_malloc problem.
The zlib "double free" vulnerability
was addressed by the updates for that bug from many distributors. |
| Alerts: |
|
Comments (none posted)
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
CVE #(s): | CAN-2002-0435
|
| Created: | May 21, 2002 |
Updated: | May 16, 2003 |
| Description: |
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
|
| Alerts: |
|
Comments (none posted)
Buffer overflow problem in glibc
| Package(s): | glibc glibc/shlibs, glibc, nscd |
CVE #(s): | CAN-2001-0886
|
| Created: | May 21, 2002 |
Updated: | July 14, 2002 |
| Description: |
The glibc filename globbing code has a buffer overflow problem.
For those who are interested, Global InterSec LLC has provided
a detailed description
of this vulnerability.
This problem was first reported by LWN on December 20th.
|
| Alerts: |
|
Comments (2 posted)
Buffer overflow in groff
| Package(s): | groff |
CVE #(s): | CAN-2002-0003
|
| Created: | May 21, 2002 |
Updated: | December 9, 2002 |
| Description: |
The groff package has a buffer overflow
vulnerability; if it is used with the print system, it is conceivably
exploitable remotely.
|
| Alerts: |
|
Comments (none posted)
UW imapd remotely exploitable buffer overflow
| Package(s): | imap |
CVE #(s): | CAN-2002-0379
|
| Created: | June 5, 2002 |
Updated: | December 20, 2002 |
| Description: |
UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft
a request to run commands on the server under their UID and GID.
(First LWN report: May 23). |
| Alerts: |
|
Comments (2 posted)
LPRng accepts jobs from any host.
| Package(s): | LPRng |
CVE #(s): | CAN-2002-0378
|
| Created: | June 12, 2002 |
Updated: | October 31, 2002 |
| Description: |
Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host.
This could be an especially annoying vulnerability for adminstrators
with systems exposed to the general public.
|
| Alerts: |
|
Comments (none posted)
Mailman 2.0.11 fixes two cross-site scripting vulnerabilities
| Package(s): | mailman |
CVE #(s): | CAN-2002-0388
|
| Created: | June 5, 2002 |
Updated: | August 28, 2002 |
| Description: |
Barry A. Warsaw announced
the release of Mailman 2.0.11
"which fixes two
cross-site scripting exploits, one reported by "office" in the admin
login page, and another reported by Tristan Roddis in the Pipermail
index summaries.
It is recommended that all sites upgrade their 2.0.x systems to this
version."
|
| Alerts: |
|
Comments (none posted)
Mozilla XMLHttpRequest file disclosure vulnerability
| Package(s): | mozilla |
CVE #(s): | CAN-2002-0354
|
| Created: | May 21, 2002 |
Updated: | October 18, 2002 |
| Description: |
This XMLHttpRequest security
bug impacts all Mozilla-based browsers. "The bug is found in versions of
Mozilla from 0.9.7 to 0.9.9 on various operating
system platforms, and in Netscape versions 6.1 and
higher."
(First LWN
report: May 2).
|
| Alerts: |
|
Comments (none posted)
String format bug in pam_ldap logging
| Package(s): | nss_ldap |
CVE #(s): | CAN-2002-0374
|
| Created: | June 5, 2002 |
Updated: | October 29, 2002 |
| Description: |
The nss_ldap package includes the pam_ldap module for
authenticating a user with an LDAP database.
Pam_ldap versions prior to 144 have a string format
bug in the logging mechanism. |
| Alerts: |
|
Comments (none posted)
Privilege Separated OpenSSH 3.3
| Package(s): | openssh |
CVE #(s): | |
| Created: | June 24, 2002 |
Updated: | June 26, 2002 |
| Description: |
The release of OpenSSH
3.3 includes greatly improved support for privilege separation,
which is now enabled by default.
The process charged with talking to the network; now runs without privilege.
Upgrading is strongly recommended (see below).
Previously any corruption in the sshd could lead to an immediate remote root compromise if it happened before authentication, and to local root compromise if it happend after authentication. Privilege Separation will make such compromise very difficult if not impossible.
Or to put it into the words of Theo de Raadt: "Privilege Separation will one day save our asses." So, turn it on now.
When upgrading with a 2.2.x kernel, disabling compression is recommended
to avoid this bug which causes sshd to log a fatal mmap argument error then crash.
Update:
According to this OpenSSH Security Advisory
OpenSSH 3.3 has a serious privilege escalation vulnerable.
Please see the
new vulnerability report
for more information and a list of available alerts.
|
| Alerts: |
|
Comments (1 posted)
Privilege escalation vulnerability in OpenSSH 2.9.9 through 3.3
| Package(s): | openssh |
CVE #(s): | |
| Created: | June 26, 2002 |
Updated: | July 3, 2002 |
| Description: |
OpenSSH versions 2.9.9 through 3.3 have a
bug in input validation which can lead to
an integer overflow and privilege escalation.
According to the OpenSSH developers:
Systems running with UsePrivilegeSeparation yes or ChallengeResponseAuthentication no are not affected.
The 3.4 release contain many other fixes done over a week long audit started when this issue came to light. We believe that some of those fixes are likely to be important security fixes. Therefore, we urge an upgrade to 3.4.
Upgrading to
OpenSSH 3.4 is recommended.
See the CERT Advisory and OpenSSH
Security Advisory
for more information including patches for the "pre-authentication problem."
OpenSSH 3.3 users are encouranced to
also read
the previous vulnerability report.
OpenSSH 3.2 and later have the bug in input validation
but prevent the privilege escalation if privilege separation is enabled by setting
UsePrivilegeSeparation in sshd_config.
Version 3.3 was the first release to turn on "privilege separation" by default Essentially, privilege separation works by splitting the ssh server into two cooperating processes. One process is charged with talking to the network; it runs without privilege. The other process sits back, makes decisions, and hands out privileges when it's convinced that is the right thing to do.
CERT Advisory: CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Handling
|
| Alerts: |
|
Comments (none posted)
Remotely exploitable vulnerability in pine
| Package(s): | pine |
CVE #(s): | CAN-2002-0014
|
| Created: | May 21, 2002 |
Updated: | November 27, 2002 |
| Description: |
Pine has an
unpleasant
vulnerability in URL handling vulnerability which can lead to
command execution by remote attackers.
(First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution,
setting enable-msg-view-urls to "off" in pine's setup will
avoid the vulnerability. (Thanks to Greg Herlein).
|
| Alerts: |
|
Comments (none posted)
Sharutils potential privilege escalation using uudecode
| Package(s): | sharutils |
CVE #(s): | CAN-2002-0178
|
| Created: | May 21, 2002 |
Updated: | October 31, 2002 |
| Description: |
According to the CVE entry,
"uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute commands."
(First LWN
report: May 16).
|
| Alerts: |
|
Comments (none posted)
Malformed NFS packet buffer overflow vulnerability in tcpdump
| Package(s): | tcpdump |
CVE #(s): | CAN-2002-0380
|
| Created: | June 5, 2002 |
Updated: | October 9, 2002 |
| Description: |
A buffer overflow in tcpdump can be triggered by a bad NFS packet when
tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
|
| Alerts: |
|
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
Multiple vulnerabilities in SNMP implementations
| Package(s): | ucdsnmp ucd-snmp |
CVE #(s): | CAN-2002-0012
CAN-2002-0013
|
| Created: | May 21, 2002 |
Updated: | September 17, 2002 |
| Description: |
Most SNMP
implementations out there have a variety of buffer overflow vulnerabilities
and should be upgraded at first opportunity. See this CERT advisory for more. (First
LWN report: February 14).
|
| Alerts: |
|
Comments (none posted)
webalizer: reverse DNS buffer overflow vulnerability
| Package(s): | webalizer |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | January 27, 2003 |
| Description: |
The cause is a buffer overflow bug.
This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victims DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
|
| Alerts: |
|
Comments (none posted)
Webmin/Usermin vulnerabilities
| Package(s): | webmin |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | January 10, 2003 |
| Description: |
Webmin is a web-based interface for
system administration for Unix.
Webmin has cross-site scripting and
session ID spoofing vulnerabilities
which are fixed in the May 6, 2002 release of version 0.970.
(First LWN
report: May 9).
This one is scary. The session ID
spoofing vulnerability allows the "possibility that arbitrary
commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
|
| Alerts: |
|
Comments (1 posted)
Problems with libgtop_daemon
| Package(s): | wuftpd libgtop |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | May 7, 2003 |
| Description: |
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
|
| Alerts: |
|
Comments (1 posted)
xchat IC server based dns query vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2002-0382
|
| Created: | June 5, 2002 |
Updated: | September 24, 2002 |
| Description: |
A malicious IRC server may
return a response to a /dns query that executes arbitrary commands
with the privileges of the user running XChat.
Versions of XChat prior to 1.8.9 are vulnerable. |
| Alerts: |
|
Comments (none posted)
Resources
Linux Journal
explains to Linux newbies how to deal with the latest Apache and OpenSSH security vulnerabilities.
"
If you don't know for sure if your Linux box runs Apache or OpenSSH,
you are at the greatest risk. We do not have space here to
teach you about your package management tool. All we can say is take your
system off the Net, learn how to check what you have installed
and either remove these packages or upgrade them. Many Linux
distributions come with services running "out of the box" and don't
tell users about everything that is present. Do not assume that you're
not running Apache or OpenSSH unless you know for sure how to check."
Comments (none posted)
The
July 1st Linux Security Week
newsletter from LinuxSecurity.com is available.
Comments (none posted)
Events
H2K2 is the next in the line of New York City hacker conferences
organized by volunteers and 2600. Panels of particular interest to this
list might include "Crypto for the Masses," "Databases and Privacy,"
"Educating Lawmakers - Is It Possible?," and "Secure Telephony."
Full Story (comments: none)
| Date | Event | Location |
| July 12 - 14, 2002 | H2K2 "Hacker" conference | New York City |
| July 31 - August 1, 2002 | Black Hat Briefings 2002 | (Caesars Palace Hotel and Resort)Las Vegas, NV, USA |
| August 2 - 4, 2002 | Defcon | (Alexis Park Hotel and Resort)Las Vegas, Nevada |
| August 5 - 9, 2002 | 11th USENIX Security Symposium | San Francisco, CA, USA |
| August 6 - 9, 2002 | CERT Conference 2002 | Omaha, Nebraska, USA |
| August 19 - 21, 2002 | Canadian Security & Intelligence Conference(CSICON) | (Hyatt Regency)Calgary, Alberta Canada |
| August 28 - 30, 2002 | Workshop on Information Security Applications(WISA 2002) | Jeju Island, Korea |
For additional security-related events, included training courses (which we
don't list above) and events further in the future, check out
Security Focus' calendar,
one of the primary resources we use for building the above list. To
submit an event directly to us, please send a plain-text message to
lwn@lwn.net.
Comments (none posted)
Page editor: Dennis Tenney
Next page: Kernel development>>
