
Security

Brief items

A bad week

As a quick perusal of this week's "new vulnerabilities" section will confirm, this has not been a good week for the security of Linux systems. New holes have turned up in KDE, MySQL, OpenSSH (twice), pine, sendmail, XFree86, and more. Almost every Linux system out there will be affected by at least one of these problems.

The OpenSSH and sendmail vulnerabilities are of particular concern. Almost every system of interest runs OpenSSH, and vast portions of the net still run sendmail. Any vulnerability in those programs automatically opens up large numbers of systems to exploitation. These are the sorts of problems that will, someday, be used for the creation of a virulent worm which attacks Linux systems. If we are lucky, no such event will strike us this time around, but let there be no doubt about it: as long as software which is so widely deployed has remotely exploitable holes, we are vulnerable to that sort of mass attack.

Now that the obligatory scary talk is done, let's take a look at the better news here. It is not clear that the bugs in either OpenSSH or sendmail are exploitable in any large-scale way. Even if they are, once again the problems have been found first by the good guys and fixes have been made quickly available by the Linux distributors. The patches being released are small and relatively non-disruptive; administrators can apply them quickly and with confidence. So most systems will be patched in a relatively short period of time. These vulnerabilities were a scary warning, but it does not appear that there will be any great consequences this time around.

Nonetheless, this episode is a warning. Our security, while arguably better than that of the competition, is nowhere near good enough. We are still encountering bugs in crucial, highly-audited code; one can only imagine what lurks in programs which get less attention. And the network environment we are creating is still too monocultural. The network as a whole will be safer when there are multiple, interoperable programs capable of performing the basic infrastructural tasks.

New vulnerabilities

KDE: Two issues in KDM

Package(s): kde, xfree86    CVE #(s): CAN-2003-0690, CAN-2003-0692
Created: September 16, 2003    Updated: December 19, 2003
Description: According to this advisory, two issues have been discovered in KDM, the KDE display manager:
  • CAN-2003-0690: Privilege escalation with specific PAM modules. KDM does not check the return value of pam_setcred(), so when a PAM module's credential setup fails (the advisory demonstrates this with certain configurations of the MIT pam_krb5 module) the session proceeds anyway and a user can end up with privileges, potentially root, that the failed step should have denied. The XDM display manager that ships with XFree86 prior to 4.3 has the same flaw.
  • CAN-2003-0692: Session cookies generated by KDM are potentially insecure. The X authorization cookie is produced with a weak generator that provides far less than the 128 bits of entropy such a cookie is supposed to have, so an attacker may be able to guess it by brute force and gain access to the user's session.
All versions of KDM as distributed with KDE up to and including KDE 3.1.3 are affected.
Alerts:
Mandrake MDKSA-2003:118 XFree86 2003-12-19
Gentoo 200311-01 kde-base/kdebase 2003-11-15
Debian DSA-388-1 kdebase 2003-09-19
Conectiva CLA-2003:747 kde 2003-09-19
Mandrake MDKSA-2003:091 kdebase 2003-09-16
Red Hat RHSA-2003:269-01 kde 2003-09-16

mysql: arbitrary code execution

Package(s): mysql    CVE #(s): CAN-2003-0780
Created: September 15, 2003    Updated: October 9, 2003
Description: Frank Denis reported a vulnerability in MySQL affecting the 3.23 series up to and including 3.23.57 and the 4.0 series up to and including 4.0.14. Passwords of MySQL users are stored in the "Password" column of the "user" table in the "mysql" database, hashed and stored as a 16-character hexadecimal value. Unfortunately, the function that unpacks that value during password checking lacks a proper bounds check: a "Password" value longer than 16 characters overflows a fixed-size buffer the next time the server parses it. Triggering the bug therefore requires the ability to write to the mysql.user table, which normally means an account that already holds administrative privileges on the server, but it turns that database privilege into arbitrary code execution in the mysqld process. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0780 to the problem.
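
The following C is an added example, not MySQL's source: it shows the shape of the bug described above, a routine that unpacks the 16-hex-digit hash into two 32-bit words until it hits the NUL terminator, next to a hardened form that validates the field (exact length, all hex digits) before writing a single word. The function names (unpack_salt_unchecked, unpack_salt_checked), SALT_WORDS, and the sample hash values are invented for the example; the unchecked variant reports how many words it wrote so the overrun can be observed against an oversized scratch buffer rather than provoked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MySQL's source.  The pre-4.1 password hash is stored as
 * 16 hex digits; the server unpacks it into two 32-bit words (the "salt")
 * before comparing with what the client sent. */
#define HASH_HEX_LEN 16
#define SALT_WORDS   2

/* Hex digit -> value, or -1 for anything that is not a hex digit. */
static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Vulnerable shape (models CAN-2003-0780, simplified): unpack 8-digit groups
 * until the NUL terminator with no check against the caller's
 * uint32_t salt[SALT_WORDS].  Every 8 characters beyond the 16th write one
 * more word past the end of that array.  Returns the number of words written
 * so a caller with an oversized buffer can observe the overrun safely. */
size_t unpack_salt_unchecked(uint32_t *out, const char *password)
{
    size_t words = 0;
    while (*password) {
        uint32_t val = 0;
        int i;
        for (i = 0; i < 8 && *password; i++)
            val = (val << 4) | ((uint32_t)hex_val((unsigned char)*password++) & 0xf);
        out[words++] = val;            /* no bound on `words` */
    }
    return words;
}

/* Hardened form: validate the whole field before writing anything.
 * Returns 0 on success, -1 for a malformed value. */
int unpack_salt_checked(uint32_t out[SALT_WORDS], const char *password)
{
    size_t i, w;
    if (strlen(password) != HASH_HEX_LEN)
        return -1;
    for (i = 0; i < HASH_HEX_LEN; i++)
        if (hex_val((unsigned char)password[i]) < 0)
            return -1;
    for (w = 0; w < SALT_WORDS; w++) {
        uint32_t val = 0;
        for (i = 0; i < 8; i++)
            val = (val << 4) | (uint32_t)hex_val((unsigned char)*password++);
        out[w] = val;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values, not hashes of any real password. */
    const char *legit    = "5d2e19393cc5ef67";            /* 16 hex digits */
    const char *oversize = "5d2e19393cc5ef67deadbeef";    /* 24: what an attacker stores */
    uint32_t salt[SALT_WORDS];
    uint32_t scratch[8];   /* oversized on purpose so the unchecked variant is safe to run here */

    printf("checked(legit)    = %d\n", unpack_salt_checked(salt, legit));
    printf("checked(oversize) = %d\n", unpack_salt_checked(salt, oversize));
    printf("unchecked(oversize) wrote %zu words into what would be a %d-word salt\n",
           unpack_salt_unchecked(scratch, oversize), SALT_WORDS);
    return 0;
}
```

The fix is deliberately "validate, then unpack" rather than "stop after two words": a value that is not exactly 16 hex digits is not a hash at all, and rejecting it outright also catches corrupted or hand-edited rows instead of silently truncating them.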
Alerts:
Red Hat RHSA-2003:281-01 mysql 2003-10-09
SuSE SuSE-SA:2003:042 mysql 2003-10-01
Mandrake MDKSA-2003:094 MySQL 2003-09-18
Conectiva CLA-2003:743 MySQL 2003-09-18
EnGarde ESA-20030918-025 mysql 2003-09-18
Trustix 2003-0034 mysql 2003-09-17
Gentoo 200309-08 mysql 2003-09-15
OpenPKG OpenPKG-SA-2003.038 mysql 2003-09-15
Debian DSA-381-1 mysql 2003-09-13

OpenSSH: buffer management error

Package(s): OpenSSH    CVE #(s): CAN-2003-0693
Created: September 16, 2003    Updated: October 1, 2003
Description: All versions of OpenSSH's sshd prior to 3.7.1 contain a buffer management error in the code that grows sshd's internal buffers (buffer_append_space() and related routines): when a buffer is pushed past its limit, the error path leaves the buffer's bookkeeping inconsistent, and the cleanup that follows can then free memory incorrectly. It is uncertain whether this is exploitable beyond crashing the daemon. Note that most distributors have issued two updates, since the first fix (OpenSSH 3.7) was found to be incomplete; 3.7.1 completes it. Check that the installed package carries the second fix, not just the first.

Alerts:
SCO Group CSSA-2003-027.0 openssh 2003-10-02
Debian DSA-383-2 ssh-krb5 2003-09-21
Debian DSA-382-3 ssh 2003-09-21
SuSE SuSE-SA:2003:039 openssh 2003-09-18
EnGarde ESA-20030918-024 openssh 2003-09-18
Yellow Dog YDU-20030917-1 openssh 2003-09-17
Conectiva CLA-2003:741 openssh 2003-09-17
Debian DSA-383-1 ssh-krb5 2003-09-17
Sorcerer SORCERER2003-09-17 openssh 2003-09-17
Slackware SSA:2003-260-01 openssh 2003-09-17
Red Hat RHSA-2003:279-02 openssh 2003-09-17
Mandrake MDKSA-2003:090-1 openssh 2003-09-17
Trustix 2003-0033 openssh 2003-09-17
OpenPKG OpenPKG-SA-2003.040 openssh 2003-09-17
Immunix IMNX-2003-7+-020-02 openssh 2003-09-16
Gentoo 200309-12 openssh 2003-09-16
Debian DSA-382-2 ssh 2003-09-17
SuSE SuSE-SA:2003:038 openssh 2003-09-16
Slackware SSA:2003-259-01 openssh 2003-09-16
Mandrake MDKSA-2003:090 openssh 2003-09-16
Immunix IMNX-2003-7+-020-01 openssh 2003-09-16
Debian DSA-382-1 ssh 2003-09-16
Red Hat RHSA-2003:279-01 openssh 2003-09-16
EnGarde ESA-20030916-023 openssh 2003-09-16
Conectiva CLA-2003:739 openssh 2003-09-16

pine: remote exploits

Package(s): pine    CVE #(s): CAN-2003-0720, CAN-2003-0721
Created: September 11, 2003    Updated: September 17, 2003
Description: Pine, developed at the University of Washington, is a tool for reading, sending, and managing electronic messages (including mail and news).

A buffer overflow exists in the way unpatched versions of Pine prior to 4.57 handle the 'message/external-body' type. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0720 to this issue.

An integer overflow exists in the Pine MIME header parsing in versions prior to 4.57. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0721 to this issue.

Both of these flaws could be exploited by a remote attacker sending a carefully crafted email to the victim that will execute arbitrary code when the email is opened using Pine.

Alerts:
Gentoo 200309-10 net-mail/pine 2003-09-16
Conectiva CLA-2003:738 pine 2003-09-12
Slackware SSA:2003-253-01 pine 2003-09-10
EnGarde ESA-20030911-022 pine 2003-09-11
SuSE SuSE-SA:2003:037 pine 2003-09-11
Red Hat RHSA-2003:273-01 pine 2003-09-11

sane-backends: several vulnerabilities

Package(s): sane-backends    CVE #(s): CAN-2003-0773, CAN-2003-0774, CAN-2003-0775, CAN-2003-0776, CAN-2003-0777, CAN-2003-0778
Created: September 11, 2003    Updated: February 20, 2004
Description: Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners and a scanning daemon, saned (in the package libsane), that can be attacked remotely. These problems allow a remote attacker to crash saned with a segmentation fault and/or make it consume arbitrary amounts of memory. The attack succeeds even if the attacker's computer is not listed in saned.conf.

You are only vulnerable if you actually run saned, e.g. from xinetd or inetd. If the corresponding entries in the xinetd or inetd configuration are commented out or absent, you are safe.

To check, run "telnet localhost 6566" (6566 is saned's default port) on the server that may be running it. "Connection refused" means nothing is listening on that port, and you are safe; a connection that opens and then sits waiting for input means saned is reachable. Since the port number is configurable, also look for a sane or saned entry in /etc/inetd.conf or under /etc/xinetd.d/ before concluding that the daemon is not enabled.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first exchange (SANE_NET_INIT) has taken place, so anyone can send that RPC, even from a host that is not allowed to scan (not listed in saned.conf).
  • CAN-2003-0774: saned lacks error checking nearly everywhere in the code, so a dropped connection is detected very late. Until it is, accesses to the internal wire buffer run past the memory allocated for it; random memory "after" the wire buffer is read, followed by a segmentation fault.
  • CAN-2003-0775: When saned expects a string, it mallocs the memory needed to store the complete string after receiving the string's size. If the connection was dropped before the size was transmitted, malloc is called with an arbitrary size. Depending on that size and the amount of memory available, either malloc fails (and saned quits nicely) or a huge amount of memory is allocated, with swapping and out-of-memory handling following, depending on the kernel.
  • CAN-2003-0776: saned does not check that the RPC numbers it receives are valid before reading the RPC's parameters.
  • CAN-2003-0777: If debug messages are enabled and a connection is dropped, strings without a NUL terminator may be printed, which may cause a segmentation fault.
  • CAN-2003-0778: It is possible to allocate an arbitrary amount of memory on the server running saned even when the connection is not dropped. According to the author this cannot easily be fixed at the moment; the practical mitigation is to limit the total amount of memory saned may use, e.g. with ulimit (a -v limit set in the inetd/xinetd wrapper or the daemon's start-up script).
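
The two unchecked-read items above (CAN-2003-0774 and CAN-2003-0775) come down to one pattern: a length-prefixed string is read from the wire with neither the read count nor the length itself checked. The C below is an added example, not sane-backends code and not the real SANE network encoding; it drives an unchecked reader and a hardened one over a constructed in-memory "connection" so the dropped-connection and absurd-length cases can be exercised offline. wire_t, wire_read, read_string_unchecked, read_string_checked, MAX_STRING_LEN and the SAMPLE_* byte strings are all made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not sane-backends code.  wire_t is a constructed in-memory
 * stand-in for the client socket: `data` is everything the peer sent before
 * dropping the connection, so reads past `len` behave like EOF on a closed socket. */
typedef struct { const unsigned char *data; size_t len, pos; } wire_t;

/* Like read(2): delivers up to n bytes, fewer (or 0) once the peer is gone. */
static size_t wire_read(wire_t *w, unsigned char *dst, size_t n)
{
    size_t avail = w->len - w->pos;
    if (n > avail) n = avail;
    memcpy(dst, w->data + w->pos, n);
    w->pos += n;
    return n;
}

/* Wire strings in this example: 4-byte big-endian length, then the bytes
 * (a simplification of the idea, not the real SANE network encoding). */
#define MAX_STRING_LEN 4096   /* cap chosen for the example */
#define BE32(b) (((uint32_t)(b)[0] << 24) | ((uint32_t)(b)[1] << 16) | \
                 ((uint32_t)(b)[2] << 8)  |  (uint32_t)(b)[3])

/* Unchecked shape, modelling CAN-2003-0774/0775: read counts are ignored, so if
 * the peer drops early, `hdr` keeps stale bytes (0xff here stands in for leftover
 * stack contents), malloc() is asked for whatever they decode to, and a NULL
 * from malloc() or a short body read goes unnoticed.  Only safe on good input. */
char *read_string_unchecked(wire_t *w)
{
    unsigned char hdr[4] = { 0xff, 0xff, 0xff, 0xff };
    uint32_t len;
    char *s;
    wire_read(w, hdr, 4);                   /* return value ignored */
    len = BE32(hdr);                        /* peer- or garbage-controlled */
    s = malloc((size_t)len + 1);            /* may be gigabytes, may fail */
    wire_read(w, (unsigned char *)s, len);  /* short read ignored */
    s[len] = '\0';
    return s;
}

/* Hardened form: every read is checked for a short count and the length is
 * bounded before it reaches malloc().  Returns a malloc'd string or NULL. */
char *read_string_checked(wire_t *w)
{
    unsigned char hdr[4];
    uint32_t len;
    char *s;
    if (wire_read(w, hdr, 4) != 4)
        return NULL;                        /* dropped before the length arrived */
    len = BE32(hdr);
    if (len > MAX_STRING_LEN)
        return NULL;                        /* refuse absurd allocations */
    if ((s = malloc((size_t)len + 1)) == NULL)
        return NULL;
    if (wire_read(w, (unsigned char *)s, len) != len) {
        free(s);
        return NULL;                        /* dropped mid-body */
    }
    s[len] = '\0';
    return s;
}

/* Constructed sample traffic (not captured data). */
static const unsigned char SAMPLE_GOOD[]      = { 0, 0, 0, 4, 's', 'c', 'a', 'n' };
static const unsigned char SAMPLE_DROP_HDR[]  = { 0, 0 };                    /* dropped mid-length */
static const unsigned char SAMPLE_HUGE_LEN[]  = { 0x7f, 0xff, 0xff, 0xff };  /* claims 2 GiB, then drops */
static const unsigned char SAMPLE_DROP_BODY[] = { 0, 0, 0, 8, 's', 'c' };    /* claims 8 bytes, sends 2 */

/* Feeds one sample to the hardened reader; returns 1 when the outcome matches
 * `expect` (a string, or NULL meaning "rejected"). */
int checked_outcome_is(const unsigned char *d, size_t n, const char *expect)
{
    wire_t w = { d, n, 0 };
    char *s = read_string_checked(&w);
    int ok = (s == NULL) ? (expect == NULL)
                         : (expect != NULL && strcmp(s, expect) == 0);
    free(s);
    return ok;
}

int main(void)
{
    wire_t w = { SAMPLE_GOOD, sizeof SAMPLE_GOOD, 0 };
    char *s = read_string_unchecked(&w);    /* only run on well-formed input */
    printf("unchecked: \"%s\"; checked accepts good=%d, rejects huge-len=%d\n", s,
           checked_outcome_is(SAMPLE_GOOD, sizeof SAMPLE_GOOD, "scan"),
           checked_outcome_is(SAMPLE_HUGE_LEN, sizeof SAMPLE_HUGE_LEN, NULL));
    free(s);
    return 0;
}
```

The cap on the length is what addresses the CAN-2003-0778 point as well: once every allocation is bounded by a protocol-level maximum, the ulimit becomes a backstop rather than the only defence. Note that the example never feeds a dropped connection to read_string_unchecked; on such input its behaviour is exactly the undefined one the advisory describes.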
Alerts:
SCO Group CSSA-2004-005.0 saned 2004-02-19
SuSE SuSE-SA:2003:046 sane 2003-11-18
Conectiva CLA-2003:769 sane 2003-10-22
Mandrake MDKSA-2003:099 sane 2003-10-09
Red Hat RHSA-2003:278-01 sane 2003-10-07
Debian DSA-379-1 sane-backends 2003-09-11

sendmail: remotely exploitable buffer overflow

Package(s): sendmail    CVE #(s): CAN-2003-0694, CAN-2003-0681
Created: September 17, 2003    Updated: November 18, 2003
Description: Michal Zalewski has reported a buffer overflow in sendmail's prescan() address-parsing routine (CAN-2003-0694). It is triggered by a crafted address in a message, so it is reachable by anyone who can get a sendmail server to process mail, and a successful exploit would run code with sendmail's privileges. A second, potential overflow in ruleset parsing (CAN-2003-0681) affects only servers that use certain non-default rulesets (the "recipient" and "final" rulesets and mailer-specific envelope-recipient rulesets). Sendmail 8.12.10 fixes both.
Alerts:
SCO Group CSSA-2003-036.0 sendmail 2003-11-17
SuSE SuSE-SA:2003:040 sendmail 2003-09-20
OpenPKG OpenPKG-SA-2003.041 sendmail 2003-09-19
Conectiva CLA-2003:742 sendmail 2003-09-18
Yellow Dog YDU-20030917-2 sendmail 2003-09-17
Immunix IMNX-2003-7+-021-01 sendmail 2003-09-17
Mandrake MDKSA-2003:092 sendmail 2003-09-17
Debian DSA-384-1 sendmail 2003-09-17
Red Hat RHSA-2003:283-01 sendmail 2003-09-17
Slackware SSA:2003-260-02 sendmail 2003-09-17
Gentoo 200309-13 sendmail 2003-09-17

XFree86: integer overflows in font libraries

Package(s): XFree86    CVE #(s): CAN-2003-0730
Created: September 12, 2003    Updated: November 25, 2003
Description: Several integer overflows were discovered by blexim(at)hush.com in the font libraries of XFree86 version 4.3.0 and earlier. The affected functions handle the transfer and enumeration of fonts from font servers to clients, so any program that calls them, typically an X server or client that connects to a font server, could be made to execute arbitrary code or crash by a malicious or compromised font server. See the advisory for additional details.
Alerts:
Red Hat RHSA-2003:286-01 XFree86 2003-11-25
Red Hat RHSA-2003:287-01 XFree86 2003-11-25
Red Hat RHSA-2003:288-01 xfree86 2003-11-17
Debian DSA-380-1 xfree86 2003-09-12
Mandrake MDKSA-2003:089 XFree86 2003-09-11

Resources

CRYPTO-GRAM newsletter

Bruce Schneier's CRYPTO-GRAM newsletter for September is out. This month's topics include accidents and security incidents (in particular the northeast blackout), reactions to his new book Beyond Fear, licensing computer users, prohibiting hats in banks, California's security breach disclosure law, and benevolent worms. "Experimentation, most of it involuntary, proves that worms are very hard to debug successfully: in other words, once worms start spreading it's hard to predict exactly what they will do. Some viruses were written to propagate harmlessly, but did damage -- ranging from crashed machines to clogged networks -- because of bugs in their code. Many worms were written to do damage and turned out to be harmless (which is even more revealing)."

Page editor: Jonathan Corbet
Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds