Brief items
As a quick perusal of this week's "new vulnerabilities" section will
confirm, this has not been a good week for the security of Linux systems.
New holes have turned up in KDE, MySQL, OpenSSH (twice), pine, sendmail,
XFree86, and more. Almost every Linux system out there will be affected by
at least one of these problems.
The OpenSSH and sendmail vulnerabilities are of particular concern. Almost
every system of interest runs OpenSSH, and vast portions of the net still
run sendmail. Any vulnerability in those programs automatically opens up
large numbers of systems to exploitation. These are the sorts of problems
that will, someday, be used for the creation of a virulent worm
which attacks Linux systems. If we are lucky, no such event will strike us
this time around, but let there be no doubt about it: as long as software
which is so widely deployed has remotely exploitable holes, we are
vulnerable to that sort of mass attack.
Now that the obligatory scary talk is done, let's take a look at the better
news here. It is not clear that the bugs in either OpenSSH or sendmail are
exploitable in any large-scale way. Even if they are, once again the problems
have been found first by the good guys and fixes have been made quickly
available by the Linux distributors. The patches being released are small
and relatively non-disruptive; administrators can apply them quickly and
with confidence. So most systems will be patched in a relatively short
period of time. These vulnerabilities were a scary warning, but it does
not appear that there will be any great consequences this time around.
Nonetheless, this episode is a warning. Our security, while arguably
better than that of the competition, is nowhere near good enough. We are
still encountering bugs in crucial, highly-audited code; one can only
imagine what lurks in programs which get less attention. And the network
environment we are creating is still too monocultural. The network as a
whole will be safer when there are multiple, interoperable programs capable
of performing the basic infrastructural tasks.
New vulnerabilities
KDE: Two issues in KDM
Package(s): kde, xfree86
CVE #(s): CAN-2003-0690, CAN-2003-0692
Created: September 16, 2003
Updated: December 19, 2003
Description:
According to this advisory, two issues have been discovered in KDM:
- CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
- CAN-2003-0692: Session cookies generated by KDM are potentially insecure.
All versions of KDM as distributed with KDE up to and including KDE 3.1.3 are affected.
mysql: arbitrary code execution
Package(s): mysql
CVE #(s): CAN-2003-0780
Created: September 15, 2003
Updated: October 9, 2003
Description:
Frank Denis reported a vulnerability in MySQL affecting MySQL3 versions 3.0.57 and earlier and MySQL4 versions 4.0.14 and earlier. Passwords of MySQL users are stored in the "Password" field of the "User" table, part of the "mysql" database. The passwords are hashed and stored as a 16-character hexadecimal value. Unfortunately, a function involved in password checking lacks correct bounds checking: by filling a "Password" field with a value wider than 16 characters, a buffer overflow will occur. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0780 to the problem.
OpenSSH: buffer management error
Package(s): OpenSSH
CVE #(s): CAN-2003-0693
Created: September 16, 2003
Updated: October 1, 2003
Description:
All versions of OpenSSH's sshd prior to 3.7.1 contain a buffer management error. It is uncertain whether this error is exploitable. Note that most distributors have issued two updates, since the first fix was found to be incomplete. See the second advisory for details.
pine: remote exploits
Package(s): pine
CVE #(s): CAN-2003-0720, CAN-2003-0721
Created: September 11, 2003
Updated: September 17, 2003
Description:
Pine, developed at the University of Washington, is a tool for reading, sending, and managing electronic messages (including mail and news).
A buffer overflow exists in the way unpatched versions of Pine prior to 4.57 handle the 'message/external-body' type. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0720 to this issue.
An integer overflow exists in the Pine MIME header parsing in versions prior to 4.57. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0721 to this issue.
Both of these flaws could be exploited by a remote attacker sending a carefully crafted email to the victim that will execute arbitrary code when the email is opened using Pine.
sane-backends: several vulnerabilities
Package(s): sane-backends
CVE #(s): CAN-2003-0773, CAN-2003-0774, CAN-2003-0775, CAN-2003-0776, CAN-2003-0777, CAN-2003-0778
Created: September 11, 2003
Updated: February 20, 2004
Description:
Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segmentation fault and/or consume arbitrary amounts of memory. The attack is successful even if the attacker's computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned, e.g. from xinetd or inetd. If the entries in the configuration file of xinetd or inetd, respectively, are commented out or do not exist, you are safe. Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused", saned is not running and you are safe.
The Common Vulnerabilities and Exposures project identifies the following problems:
- CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication (SANE_NET_INIT) has taken place, so anyone can send that RPC, even from a host that is not allowed to scan (not listed in saned.conf).
- CAN-2003-0774: saned lacks error checking nearly everywhere in the code, so connection drops are detected very late. If the drop of the connection isn't detected, accesses to the internal wire buffer leave the limits of the allocated memory: random memory "after" the wire buffer is read, followed by a segmentation fault.
- CAN-2003-0775: When saned expects a string, it mallocs the memory needed to store the complete string after it receives the size of the string. If the connection was dropped before the size was transmitted, malloc will reserve an arbitrary amount of memory. Depending on that size and the amount of memory available, either malloc fails (and saned quits nicely) or a huge amount of memory is allocated; swapping and OOM measures may occur depending on the kernel.
- CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before reading their parameters.
- CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
- CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. According to the author, this can not easily be fixed at the moment; it is better to limit the total amount of memory saned may use (ulimit).
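The saned items above (CAN-2003-0774 through CAN-2003-0778) are all variants of one missing discipline: reading a length from the wire and acting on it without first checking that the read succeeded and that the value is sane. The following is an added example, not code from sane-backends, of a bounded, error-checked reader for the length-prefixed strings and RPC numbers such a daemon receives; the in-memory wire_t, MAX_STRING_LEN and NUM_RPCS are assumptions of this example, and the big-endian 32-bit word format is the only SANE protocol detail it relies on.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STRING_LEN 4096   /* assumed cap per string; the advisory says saned applied none */
#define NUM_RPCS 5            /* hypothetical size of the RPC dispatch table */

/* In-memory stand-in for the socket; a short buffer models a dropped connection. */
typedef struct { const uint8_t *buf; size_t len, pos; } wire_t;
enum { WIRE_OK = 0, WIRE_EOF = -1, WIRE_TOOBIG = -2, WIRE_BADRPC = -3 };

/* Read exactly n bytes or report EOF; never walk past the buffer (CAN-2003-0774). */
int wire_read(wire_t *w, void *dst, size_t n) {
    if (w->len - w->pos < n) return WIRE_EOF;
    memcpy(dst, w->buf + w->pos, n);
    w->pos += n;
    return WIRE_OK;
}

/* SANE sends 32-bit words in network (big-endian) byte order. */
int wire_read_u32(wire_t *w, uint32_t *out) {
    uint8_t b[4];
    int rc = wire_read(w, b, 4);
    if (rc) return rc;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    return WIRE_OK;
}

/* Length-prefixed string: fail before malloc if the size never arrived (CAN-2003-0775)
 * or is absurdly large (CAN-2003-0778); always NUL-terminate so a later debug
 * print cannot run off the end (CAN-2003-0777). */
int wire_read_string(wire_t *w, char **out) {
    uint32_t n;
    int rc = wire_read_u32(w, &n);
    if (rc) return rc;
    if (n > MAX_STRING_LEN) return WIRE_TOOBIG;
    char *s = malloc((size_t)n + 1);
    if (!s) return WIRE_TOOBIG;
    rc = wire_read(w, s, n);
    if (rc) { free(s); return rc; }
    s[n] = '\0';
    *out = s;
    return WIRE_OK;
}

/* Validate the RPC number before reading its parameters (CAN-2003-0776). */
int wire_read_rpc(wire_t *w, uint32_t *rpc) {
    int rc = wire_read_u32(w, rpc);
    if (rc) return rc;
    return *rpc < NUM_RPCS ? WIRE_OK : WIRE_BADRPC;
}
```

Every failure returns before any allocation or buffer access happens, which is the property the advisory says saned lacked; a per-process memory limit (ulimit) remains a sensible second line of defence behind MAX_STRING_LEN.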
sendmail: remotely exploitable buffer overflow
Package(s): sendmail
CVE #(s): CAN-2003-0694, CAN-2003-0681
Created: September 17, 2003
Updated: November 18, 2003
Description:
Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix.
XFree86 4.3.0 integer overflows in font libraries
Package(s): XFree86
CVE #(s): CAN-2003-0730
Created: September 12, 2003
Updated: November 25, 2003
Description:
Several vulnerabilities were discovered by blexim(at)hush.com in the font libraries of XFree86 version 4.3.0 and earlier. These bugs could potentially lead to execution of arbitrary code or a DoS by a remote user through any code path that calls the affected functions, which are related to the transfer and enumeration of fonts from font servers to clients. See the advisory for additional details.
Resources
Bruce Schneier's CRYPTO-GRAM newsletter for September is out. This month's topics include accidents and security incidents (in particular the northeast blackout), reactions to his new book Beyond Fear, licensing computer users, prohibiting hats in banks, California's security breach disclosure law, and benevolent worms.
"Experimentation, most of it involuntary, proves that worms are very hard to debug successfully: in other words, once worms start spreading it's hard to predict exactly what they will do. Some viruses were written to propagate harmlessly, but did damage -- ranging from crashed machines to clogged networks -- because of bugs in their code. Many worms were written to do damage and turned out to be harmless (which is even more revealing)."
Page editor: Jonathan Corbet