|
|
| |
|
| |
Security
Brief items
The Electronic Frontier Foundation has released, to a fair amount of
fanfare, its report on
trusted computing. The report's author (Seth Schoen) has concluded
that, while trusted computing architectures offer a number of security
benefits, there are also potential problems that need to be addressed.
The report mentions four different technologies that make up current
trusted computing efforts:
- Memory curtaining. Modern operating systems already go to
considerable lengths to keep one process from being able to mess with
another process's memory. Memory curtaining takes things further by
improving memory isolation support in the hardware, so that even the
kernel cannot modify one process's memory while working on behalf of
another process.
- Secure I/O is the creation of a data path from the keyboard (or
other input devices) to the application, and from the application to
the screen which cannot be seen or modified by other processes. It is
an attempt to stop software keystroke loggers, screen readers, and
other eavesdropping tools.
- Sealed storage works by hiding encryption keys within the
system hardware, so that encrypted data cannot be read anywhere else.
- Remote attestion is a hardware-supported mechanism for ensuring
that the software running on a system has not been modified. The
technology allows the generation of certificates that can allow a
remote application (a web server, say) to be sure of the software it
is talking to.
The report acknowledges that all of these technologies can help to improve
the security of computer systems. With a trusted computing architecture in
place, a worm which is able to exploit a hole in one program will find its
ability to do anything interesting on the system much reduced. The EFF
does not have any real problem with most of the technologies discussed.
That is not true, however, for remote attestation:
TCG attestation conspicuously fails to distinguish between
applications that protect computer owners against attack and
applications that protect a computer against its owner. In effect,
the computer's owner is sometimes treated as just another attacker
or adversary who must be prevented from breaking in and altering
the computer's software.
A few cases where the remote attestation feature could backfire on users
are mentioned. One is web servers which refuse to talk to anything other
than the One Chosen Browser. There are sites which do that now, but most
modern browsers are capable of masquerading as something else, so these
techniques are not effective. Remote attestion would change that. Other
examples include software interoperability (i.e. eliminating Samba
forevermore), forced upgrades, and forced use of digital rights management
schemes.
As a solution, the EFF suggests an "owner override" feature. The owner of
a system could, while physically present at the machine, force it to
produce an attestation for software that the owner has modified or
replaced, making it look like something else. This feature would solve the
problem for suitably capable users. It is hard to imagine users developing
a widespread ability to safely perform overrides, however.
The real conclusion to be taken from this report is that the owners and
users of computers need to maintain control over their machines.
When your own computer treats you like an attacker, it has ceased to be
truly yours, and it becomes a tool for controlling your behavior. Free
software users have understood this point for years, of course. We have
built a system that allows us to stay in control. But we need to be
careful that the hardware platforms of the future do not take that control
away from us.
Comments (10 posted)
New vulnerabilities
cfengine: stack overflow
| Package(s): | cfengine |
CVE #(s): | |
| Created: | October 8, 2003 |
Updated: | October 8, 2003 |
| Description: |
Versions of cfengine prior to 2.0.8 contain a stack overflow in the network I/O code which can be exploited remotely. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
2.4 kernel - several vulnerabilities
| Package(s): | 2.4 kernel |
CVE #(s): | CAN-2003-0461
CAN-2003-0462
CAN-2003-0464
CAN-2003-0476
CAN-2003-0501
CAN-2003-0550
CAN-2003-0551
CAN-2003-0552
|
| Created: | July 21, 2003 |
Updated: | December 24, 2003 |
| Description: |
Several security issues have been discovered affecting the Linux kernel:
-
CAN-2003-0461: /proc/tty/driver/serial reveals the exact character
counts for serial links. This could be used by a local attacker to infer
password lengths and inter-keystroke timings during password entry.
-
CAN-2003-0462: Paul Starzetz discovered a file read race condition
existing in the execve() system call, which could cause a local crash.
-
CAN-2003-0464: A recent change in the RPC code set the reuse flag on
newly-created sockets. Olaf Kirch noticed that his could allow normal
users to bind to UDP ports used for services such as nfsd.
-
CAN-2003-0476: The execve system call in Linux 2.4.x records the file
descriptor of the executable process in the file table of the calling
process, allowing local users to gain read access to restricted file
descriptors.
-
CAN-2003-0501: The /proc filesystem in Linux allows local users to
obtain sensitive information by opening various entries in /proc/self
before executing a setuid program. This causes the program to fail to
change the ownership and permissions of already opened entries.
-
CAN-2003-0550: The STP protocol is known to have no security, which
could allow attackers to alter the bridge topology. STP is now turned
off by default.
-
CAN-2003-0551: STP input processing was lax in its length checking,
which could lead to a denial of service.
-
CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table
could be spoofed by sending forged packets with bogus source addresses
the same as the local host.
|
| Alerts: |
|
Comments (none posted)
apache2: Denial of Service vulnerability
| Package(s): | apache2 |
CVE #(s): | |
| Created: | September 29, 2003 |
Updated: | March 25, 2004 |
| Description: |
A problem was discovered in Apache2 where CGI scripts that write more than
4k to the standard error stream will hang the script's execution. This problem can lead to a
denial of service situation. See this bug
report for additional details. |
| Alerts: |
|
Comments (none posted)
autorespond: buffer overflow
| Package(s): | autorespond |
CVE #(s): | CAN-2003-0654
|
| Created: | August 18, 2003 |
Updated: | October 1, 2003 |
| Description: |
Christian Jaeger discovered a buffer overflow in autorespond, an email
autoresponder used with qmail. This vulnerability could potentially
be exploited by a remote attacker to gain the privileges of a user who
has configured qmail to forward messages to autorespond. This
vulnerability is currently not believed to be exploitable due to
incidental limits on the length of the problematic input, but there
may be situations in which these limits do not apply.
CAN-2003-0654 |
| Alerts: |
|
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
CVE #(s): | CAN-2002-0651
CAN-2002-0684
|
| Created: | July 8, 2002 |
Updated: | October 1, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Firch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
CAN-2002-0651
CAN-2002-0684 |
| Alerts: |
|
Comments (1 posted)
Canna server: exploitable buffer overrun
| Package(s): | canna |
CVE #(s): | CAN-2002-1158
CAN-2002-1159
|
| Created: | December 10, 2002 |
Updated: | October 1, 2003 |
| Description: |
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also
http://canna.sourceforge.jp/sec/Canna-2002-01.txt
CAN-2002-1158
CAN-2002-1159 |
| Alerts: |
|
Comments (none posted)
eroaster: insecure temporary file
| Package(s): | eroaster |
CVE #(s): | CAN-2003-0656
|
| Created: | August 19, 2003 |
Updated: | October 1, 2003 |
| Description: |
A vulnerability was discovered in eroaster where it does not take any
security precautions when creating a temporary file for the lockfile. This
vulnerability could be exploited to overwrite arbitrary files with the
privileges of the user running eroaster.
CAN-2003-0656 |
| Alerts: |
|
Comments (none posted)
ethereal: security problems in Ethereal 0.9.12
| Package(s): | ethereal |
CVE #(s): | CAN-2003-0428
CAN-2003-0429
CAN-2003-0431
CAN-2003-0432
|
| Created: | June 23, 2003 |
Updated: | November 10, 2003 |
| Description: |
Several security problems have been found in Ethereal
0.9.12. "It may be possible to make Ethereal crash or run
arbitrary code by injecting a purposefully malformed packet onto the wire,
or by convincing someone to read a malformed packet trace file." |
| Alerts: |
|
Comments (none posted)
exim: buffer overflows
| Package(s): | exim exim-tls |
CVE #(s): | CAN-2003-0743
|
| Created: | September 5, 2003 |
Updated: | October 1, 2003 |
| Description: |
A buffer overflow exists in exim, which is the standard mail transport
agent in Debian. By supplying a specially crafted HELO or EHLO
command, an attacker could cause a constant string to be written past
the end of a buffer allocated on the heap. This vulnerability is not
believed at this time to be exploitable to execute arbitrary code.
CAN-2003-0743 |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
fdclone: insecure temporary directory
| Package(s): | fdclone |
CVE #(s): | CAN-2003-0596
|
| Created: | July 23, 2003 |
Updated: | October 1, 2003 |
| Description: |
fdclone creates a temporary directory in /tmp as a workspace.
However, if this directory already exists, the existing directory is
used instead, regardless of its ownership or permissions. This would
allow an attacker to gain access to fdclone's temporary files and
their contents, or replace them with other files under the attacker's
control.
CAN-2003-0596 |
| Alerts: |
|
Comments (none posted)
fetchmail: buffer overflow
| Package(s): | fetchmail |
CVE #(s): | CAN-2002-1365
|
| Created: | December 17, 2002 |
Updated: | October 20, 2003 |
| Description: |
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. |
| Alerts: |
|
Comments (3 posted)
freesweep: buffer overflow
| Package(s): | freesweep |
CVE #(s): | CAN-2003-0828
|
| Created: | October 1, 2003 |
Updated: | October 1, 2003 |
| Description: |
freesweep contains a buffer overflow vulnerability which may be exploited by a local user to obtain access to the "games" group. |
| Alerts: |
|
Comments (none posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
CVE #(s): | CAN-2002-1146
|
| Created: | November 7, 2002 |
Updated: | February 5, 2004 |
| Description: |
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
|
| Alerts: |
|
Comments (none posted)
gnupg: key validation
| Package(s): | gnupg |
CVE #(s): | CAN-2003-0255
|
| Created: | May 16, 2003 |
Updated: | November 18, 2003 |
| Description: |
A key validation bug was discovered in the GNU Privacy Guard (GPG) which
would cause keys with more then one user ID to trust all user ID's with the
amount of trust given to the most-valid user ID. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
KDE: Two issues in KDM
| Package(s): | kde, xfree86 |
CVE #(s): | CAN-2003-0690
CAN-2003-0692
|
| Created: | September 16, 2003 |
Updated: | December 19, 2003 |
| Description: |
According to this advisory two issues have
been discovered in KDM:
- CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
- CAN-2003-0692: Session cookies generated by KDM are potentially insecure
All versions of KDM as distributed with KDE up to and including KDE 3.1.3
are affected. |
| Alerts: |
|
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
libpam-smb: exploitable buffer overflow
| Package(s): | libpam-smb, pam-smb |
CVE #(s): | CAN-2003-0686
|
| Created: | August 26, 2003 |
Updated: | October 1, 2003 |
| Description: |
libpam-smb is a PAM authentication module which makes it possible to
authenticate users against a password database managed by Samba or a
Microsoft Windows server. If a long password is supplied, this can cause a
buffer overflow which could be exploited to execute arbitrary code with the
privileges of the process which invokes PAM services. See this advisory for more information.
CAN-2003-0686 |
| Alerts: |
|
Comments (1 posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
CVE #(s): | CAN-2002-1363
|
| Created: | December 19, 2002 |
Updated: | July 14, 2004 |
| Description: |
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer. |
| Alerts: |
|
Comments (none posted)
lsh: remotely exploitable buffer overflow
| Package(s): | lsh |
CVE #(s): | CAN-2003-0831
|
| Created: | October 1, 2003 |
Updated: | October 1, 2003 |
| Description: |
lsh (an ssh implementation) 1.5.2 and prior has a remotely exploitable buffer overflow vulnerability; see this advisory for details. |
| Alerts: |
|
Comments (none posted)
lynx: CRLF injection vulnerability
| Package(s): | lynx |
CVE #(s): | CAN-2002-1405
|
| Created: | November 19, 2002 |
Updated: | October 1, 2003 |
| Description: |
If lynx is given a url with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use Lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
CAN-2002-1405 |
| Alerts: |
|
Comments (none posted)
marbles: buffer overflow
| Package(s): | marbles |
CVE #(s): | CAN-2003-0830
|
| Created: | October 1, 2003 |
Updated: | October 1, 2003 |
| Description: |
The 'marbles' game contains a buffer overflow in its processing of the HOME environment variable. A local user can exploit this vulnerability to obtain access to the "games" group. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mindi: insecure file creations
| Package(s): | mindi |
CVE #(s): | CAN-2003-0617
|
| Created: | September 2, 2003 |
Updated: | October 1, 2003 |
| Description: |
Mindi versions prior to 0.86 creates files in /tmp which could allow local
user to overwrite arbitrary files.
CAN-2003-0617 |
| Alerts: |
|
Comments (none posted)
mplayer: remotely exploitable buffer overflow vulnerability
| Package(s): | mplayer |
CVE #(s): | CAN-2003-0835
|
| Created: | September 29, 2003 |
Updated: | April 6, 2004 |
| Description: |
A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer
into executing arbitrary code upon parsing that header. Read the full advisory
for details. |
| Alerts: |
|
Comments (none posted)
mysql: arbitrary code execution
| Package(s): | mysql |
CVE #(s): | CAN-2003-0780
|
| Created: | September 15, 2003 |
Updated: | October 9, 2003 |
| Description: |
Frank Denis
reported a vulnerability in MySQL affecting MySQL3 versions 3.0.57 and
earlier and MySQL4 versions 4.0.14 and earlier. Passwords of MySQL users
are stored in the "Password" field of the "User" table, part of the "mysql"
database. The passwords are hashed and stored as a 16 characters long
hexadecimal value. Unfortunately, a function involved in password checking
misses correct bounds checking. By filling a "Password" field a value
wider than 16 characters, a buffer overflow will occur. The Common
Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2003-0780 to the problem. |
| Alerts: |
|
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
CVE #(s): | |
| Created: | May 27, 2003 |
Updated: | August 12, 2004 |
| Description: |
Some some vulnerabilities exsist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information. |
| Alerts: |
|
Comments (none posted)
netris: buffer overflow
| Package(s): | netris |
CVE #(s): | CAN-2003-0685
|
| Created: | August 18, 2003 |
Updated: | October 1, 2003 |
| Description: |
Shaun Colley discovered a buffer overflow vulnerability in netris, a
network version of a popular puzzle game. A netris client connecting
to an untrusted netris server could be sent an unusually long data
packet, which would be copied into a fixed-length buffer without
bounds checking. This vulnerability could be exploited to gain the
priviliges of the user running netris in client mode, if they connect
to a hostile netris server.
CAN-2003-0685 |
| Alerts: |
|
Comments (none posted)
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
CVE #(s): | CAN-2002-1170
|
| Created: | December 17, 2002 |
Updated: | November 7, 2003 |
| Description: |
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: |
|
Comments (none posted)
nfs-utils xlog() off-by-one bug
| Package(s): | nfs-utils |
CVE #(s): | CAN-2003-0252
|
| Created: | July 14, 2003 |
Updated: | March 8, 2004 |
| Description: |
Linux NFS utils package contains remotely exploitable off-by-one bug.
A local or remote attacker could exploit this vulnerability by sending
specially crafted request to rpc.mountd daemon. See this BugTraq post for more details. |
| Alerts: |
|
Comments (none posted)
openssh: multilple PAM vulnerabilities in Portable OpenSSH versions 3.7p1
and 3.7.1p1
| Package(s): | openssh |
CVE #(s): | |
| Created: | September 23, 2003 |
Updated: | October 1, 2003 |
| Description: |
Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM code. At least one of these bugs is remotely
exploitable (under a non-standard configuration, with privsep disabled).
See this advisory for details. |
| Alerts: |
|
Comments (1 posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2003-0190
|
| Created: | May 2, 2003 |
Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
| Alerts: |
|
Comments (1 posted)
OpenSSH: buffer management error
| Package(s): | OpenSSH |
CVE #(s): | CAN-2003-0693
|
| Created: | September 16, 2003 |
Updated: | October 1, 2003 |
| Description: |
All versions of
OpenSSH's sshd prior to 3.7.1 contain a buffer management error. It is
uncertain whether these errors are exploitable. Note that most distributors have issued two updates, since the first fix was found to be incomplete.
See the second advisory for details.
CAN-2003-0693 |
| Alerts: |
|
Comments (none posted)
openssl: vulnerabilities in ASN.1 code
| Package(s): | openssl |
CVE #(s): | CAN-2003-0543
CAN-2003-0544
CAN-2003-0545
|
| Created: | September 30, 2003 |
Updated: | November 4, 2003 |
| Description: |
Vulnerabilities have been found in OpenSSL ASN.1 code. This advisory contains details of 4 separate
problems in versions of OpenSSL up to and including 0.9.6j and 0.9.7b and
all versions of SSLeay.
An attack against other applications that use OpenSSL could result in a
Denial of Service. See
CAN-2003-0543 and
CAN-2003-0544.
It may be possible for an attacker to exploit this issue to execute
arbitrary code. See
CAN-2003-0545.
CERT has an updated OpenSSL advisory
identifying additional OpenSSL vulnerabilities. |
| Alerts: |
|
Comments (none posted)
pam-pgsql: format string vulnerability
| Package(s): | pam-pgsql |
CVE #(s): | CAN-2003-0672
|
| Created: | August 11, 2003 |
Updated: | October 1, 2003 |
| Description: |
Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the
username to be used for authentication is used as a format string when
writing a log message. This vulnerability may allow an attacker to
execute arbitrary code with the privileges of the program requesting
PAM authentication.
CAN-2003-0672 |
| Alerts: |
|
Comments (none posted)
perl: cross site scripting vulnerability in CGI.pm module
| Package(s): | perl |
CVE #(s): | CAN-2003-0615
|
| Created: | July 29, 2003 |
Updated: | October 1, 2003 |
| Description: |
obscure@eyeonsecurity.org reported a
cross site scripting vulnerability in the CGI.pm perl module. This module
is used to facilitate the creation of web forms and is part of the
perl-modules RPM package.
CAN-2003-0615 |
| Alerts: |
|
Comments (none posted)
PHP: vulnerability in mail function
| Package(s): | php |
CVE #(s): | CAN-2002-0985
CAN-2002-0986
|
| Created: | November 13, 2002 |
Updated: | October 1, 2003 |
| Description: |
Two vulnerabilities exists in the mail() PHP function. The first one allows
the execution of any program/script bypassing safe_mode restriction, the
second one may give an open-relay script if the mail() function is not
carefully used in PHP scripts. See this Bugtraq
report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.
CAN-2002-0985
CAN-2002-0986 |
| Alerts: |
|
Comments (none posted)
phpgroupware - cross-site scripting and other exploits
| Package(s): | phpgroupware |
CVE #(s): | CAN-2003-0504
CAN-2003-0582
|
| Created: | July 16, 2003 |
Updated: | October 1, 2003 |
| Description: |
Several vulnerabilities were discovered in all versions of phpgroupware
prior to 0.9.14.006. This latest version fixes an exploitable condition in
all versions that can be exploited remotely without authentication and can
lead to arbitrary code execution on the web server. This vulnerability is
being actively exploited.
Version 0.9.14.005 fixed several other vulnerabilities including cross-site
scripting issues that can be exploited to obtain sensitive information such
as authentication cookies.
See this
Security Corportation report for more information.
CAN-2003-0504
CAN-2003-0582 |
| Alerts: |
|
Comments (none posted)
postfix: denial of service vulnerabilities
| Package(s): | postfix |
CVE #(s): | CAN-2003-0468
CAN-2003-0540
|
| Created: | August 5, 2003 |
Updated: | May 27, 2004 |
| Description: |
The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. |
| Alerts: |
|
Comments (none posted)
PostgreSQL - more buffer overflows
| Package(s): | postgresql |
CVE #(s): | |
| Created: | February 12, 2003 |
Updated: | November 7, 2003 |
| Description: |
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. |
| Alerts: |
|
Comments (1 posted)
proftpd: remote root shell
| Package(s): | proftpd |
CVE #(s): | CAN-2003-0831
|
| Created: | September 24, 2003 |
Updated: | January 2, 2004 |
| Description: |
The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information. |
| Alerts: |
|
Comments (2 posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
CVE #(s): | CAN-2002-1119
|
| Created: | August 28, 2002 |
Updated: | October 1, 2003 |
| Description: |
Zack Weinberg discovered that
os._execvpe from os.py uses a predictable name which could lead
to execution of arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2.
CAN-2002-1119 |
| Alerts: |
|
Comments (none posted)
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
CVE #(s): | CAN-2002-1323
|
| Created: | October 9, 2002 |
Updated: | February 20, 2004 |
| Description: |
usePerl has a
description of a vulnerability in the Safe.pm Perl module. It seems
that if a Safe compartment is used more than once, it ceases to be safe.
The problem is fixed in Safe 2.08. |
| Alerts: |
|
Comments (none posted)
sane-backends: several vulnerabilities
| Package(s): | sane-backends |
CVE #(s): | CAN-2003-0773
CAN-2003-0774
CAN-2003-0775
CAN-2003-0776
CAN-2003-0777
CAN-2003-0778
|
| Created: | September 11, 2003 |
Updated: | February 20, 2004 |
| Description: |
Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the
package libsane) that can be remotely exploited. These problems allow
a remote attacker to cause a segfault fault and/or consume arbitrary
amounts of memory. The attack is successful, even if the attacker's
computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned e.g. in xinetd or
inetd. If the entries in the configuration file of xinetd or inetd
respectively are commented out or do not exist, you are safe.
Try "telnet localhost 6566" on the server that may run saned. If you
get "connection refused" saned is not running and you are safe.
The Common Vulnerabilities and Exposures project identifies the
following problems:
-
CAN-2003-0773: saned checks the identity (IP address) of the remote
host only after the first communication took place (SANE_NET_INIT). So
everyone can send that RPC, even if the remote host is not allowed to
scan (not listed in saned.conf).
-
CAN-2003-0774: saned lacks error checking nearly everywhere in the
code. So connection drops are detected very late. If the drop of the
connection isn't detected, the access to the internal wire buffer leaves
the limits of the allocated memory. So random memory "after" the wire
buffer is read which will be followed by a segmentation fault.
-
CAN-2003-0775: If saned expects strings, it mallocs the memory
necessary to store the complete string after it receives the size of the
string. If the connection was dropped before transmitting the size,
malloc will reserve an arbitrary size of memory. Depending on that size
and the amount of memory available either malloc fails (->saned quits
nicely) or a huge amount of memory is allocated. Swapping and OOM
measures may occur depending on the kernel.
-
CAN-2003-0776: saned doesn't check the validity of the RPC numbers
it gets before getting the parameters.
-
CAN-2003-0777: If debug messages are enabled and a connection is
dropped, non-null-terminated strings may be printed and segmentation
faults may occur.
-
CAN-2003-0778: It's possible to allocate an arbitrary amount of
memory on the server running saned even if the connection isn't dropped.
At the moment this can not easily be fixed according to the author.
Better limit the total amount of memory saned may use (ulimit).
|
| Alerts: |
|
Comments (none posted)
semi: insecure temporary file
| Package(s): | semi, wemi |
CVE #(s): | CAN-2003-0440
|
| Created: | July 7, 2003 |
Updated: | October 1, 2003 |
| Description: |
semi, a MIME library for GNU Emacs, does not take appropriate
security precautions when creating temporary files. This bug could
potentially be exploited to overwrite arbitrary files with the
privileges of the user running Emacs and semi, potentially with
contents supplied by the attacker.
wemi is a fork of semi, and contains the same bug.
CAN-2003-0440 |
| Alerts: |
|
Comments (none posted)
sendmail: bad DNS reply causes crash
| Package(s): | sendmail |
CVE #(s): | CAN-2003-0688
|
| Created: | August 26, 2003 |
Updated: | October 1, 2003 |
| Description: |
There is a potential problem in sendmail 8.12.8 and earlier sendmail 8.12.x
versions with respect to DNS maps. The bug did not exist in versions before
8.12 as the DNS map type is new to 8.12. The bug was fixed in 8.12.9,
released March 29, 2003. See this advisory for more
information.
CAN-2003-0688 |
| Alerts: |
|
Comments (none posted)
sendmail: remotely exploitable buffer overflow
| Package(s): | sendmail |
CVE #(s): | CAN-2003-0694
CAN-2003-0681
|
| Created: | September 17, 2003 |
Updated: | November 18, 2003 |
| Description: |
Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix. |
| Alerts: |
|
Comments (none posted)
stunnel: signal handler reentrancy DoS
| Package(s): | stunnel |
CVE #(s): | CAN-2002-1563
|
| Created: | July 25, 2003 |
Updated: | November 25, 2003 |
| Description: |
Stunnel is a wrapper for network connections. It can be used to tunnel an
unencrypted network connection over a secure connection (encrypted using
SSL or TLS) or to provide a secure means of connecting to services that do
not natively support encryption.
When configured to listen for incoming connections (instead of being
invoked by xinetd), stunnel can be configured to either start a thread or a
child process to handle each new connection. If Stunnel is configured to
start a new child process to handle each connection, it will receive a
SIGCHLD signal when that child exits.
Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal
handler which, if interrupted by another SIGCHLD signal, could be unsafe.
This could lead to a denial of service. |
| Alerts: |
|
Comments (none posted)
sup: insecure temporary file
| Package(s): | sup |
CVE #(s): | CAN-2003-0606
|
| Created: | July 29, 2003 |
Updated: | October 1, 2003 |
| Description: |
sup, a package used to maintain collections of files in identical
versions across machines, fails to take appropriate security
precautions when creating temporary files. A local attacker could
exploit this vulnerability to overwrite arbitrary files with the
privileges of the user running sup.
CAN-2003-0606 |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
teapop: SQL injection
| Package(s): | teapop |
CVE #(s): | CAN-2003-0515
|
| Created: | July 9, 2003 |
Updated: | October 1, 2003 |
| Description: |
teapop, a POP-3 server, includes modules for authenticating users
against a PostgreSQL or MySQL database. These modules do not properly
escape user-supplied strings before using them in SQL queries. This
vulnerability could be exploited to execute arbitrary SQL under the
privileges of the database user as which teapop has authenticated.
CAN-2003-0515 |
| Alerts: |
|
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
unzip: directory traversal vulnerability
| Package(s): | unzip |
CVE #(s): | CAN-2003-0282
|
| Created: | July 1, 2003 |
Updated: | November 13, 2003 |
| Description: |
A vulnerabilitiy in unzip version 5.50 and earlier allows attackers to
overwrite arbitrary files during archive extraction by placing invalid
(non-printable) characters between two "." characters. These non-printable
characters are filtered, resulting in a ".." sequence. See the full
advisory for further information. |
| Alerts: |
|
Comments (none posted)
vim - modeline vulnerability
| Package(s): | vim |
CVE #(s): | CAN-2002-1377
|
| Created: | January 16, 2003 |
Updated: | February 10, 2004 |
| Description: |
VIM allows a user to set the modeline differently for each edited text file
by placing special comments in the files. Georgi Guninski found that these
comments can be carefully crafted in order to call external programs. This
could allow an attacker to create a text file such that when it is opened
arbitrary commands are executed. |
| Alerts: |
|
Comments (4 posted)
vixie-cron: Local vulnerability
| Package(s): | vixie-cron |
CVE #(s): | CVE-2001-0559
|
| Created: | April 17, 2003 |
Updated: | October 3, 2003 |
| Description: |
From the ISS
advisory:
"Vixie Cron is a scheduling daemon that ships with several Linux
distributions. Vixie Cron version 3.0pl1 could allow a local attacker to
gain root privileges. Crontab fails to properly drop privileges in certain
cases after a crontab modification operation. A local attacker could
exploit this vulnerability to gain root privileges on the system since
crontab is installed setuid root."
Note: this vulnerability is dated May 07 2001, and was first mentioned in
LWN on the May 10,
2001 security page. |
| Alerts: |
|
Comments (none posted)
webfs: buffer overflows, file and directory exposure
| Package(s): | webfs |
CVE #(s): | CAN-2003-0832
CAN-2003-0833
|
| Created: | September 29, 2003 |
Updated: | October 1, 2003 |
| Description: |
Jens Steube reported two vulnerabilities in webfs, a lightweight HTTP
server for static content.
CAN-2003-0832 - When virtual hosting is enabled, a remote client could
specify ".." as the hostname in a request, allowing retrieval of directory
listings or files above the document root.
CAN-2003-0833 - A long pathname could overflow a buffer allocated on
the stack, allowing execution of arbitrary code. In order to exploit this
vulnerability, it would be necessary to be able to create directories on
the server in a location which could be accessed by the web server. In
conjunction with CAN-2003-0832, this could be a world-writable directory
such as /var/tmp. |
| Alerts: |
|
Comments (none posted)
webmin: session ID spoofing
| Package(s): | webmin |
CVE #(s): | CAN-2003-0101
|
| Created: | June 13, 2003 |
Updated: | November 18, 2003 |
| Description: |
miniserv.pl in the webmin package does not properly handle
metacharacters, such as line feeds and carriage returns, in
Base64-encoded strings used in Basic authentication. This
vulnerability allows remote attackers to spoof a session ID, and
thereby gain root privileges. |
| Alerts: |
|
Comments (none posted)
wget:directory traversal bug
| Package(s): | wget |
CVE #(s): | CAN-2002-1344
|
| Created: | December 10, 2002 |
Updated: | October 1, 2003 |
| Description: |
Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST
command includes any directory information along with the list of filenames
required by the FTP protocol (RFC 959, section 4.1.3).
If the FTP client fails to do so, a malicious FTP server can send filenames
beginning with '/' or containing '/../' which can be used to direct a
vulnerable FTP client to write files (such as .forward, .rhosts, .shosts,
etc.) that can then be used for later attacks against the client machine.
See also
this Bugtraq article from 1997.
CAN-2002-1344 |
| Alerts: |
|
Comments (none posted)
wget: buffer overflow
| Package(s): | wget |
CVE #(s): | CAN-2003-1565
|
| Created: | August 5, 2003 |
Updated: | December 10, 2003 |
| Description: |
The wget utility contains a buffer overflow which, when exploited with an over-long URL, can enable arbitrary code execution. |
| Alerts: |
|
Comments (1 posted)
wu-ftpd: off-by-one bug
| Package(s): | wu-ftpd |
CVE #(s): | CAN-2003-0466
|
| Created: | July 31, 2003 |
Updated: | October 5, 2003 |
| Description: |
An off-by-one bug has been discovered in versions of wu-ftpd up to and
including 2.6.2. On a vulnerable system, a remote attacker would be able
to exploit this bug to gain root privileges. See this advisory for more details. |
| Alerts: |
|
Comments (none posted)
Wwwoffle remote privilege escalation vulnerability
| Package(s): | wwwoffle |
CVE #(s): | CAN-2002-0818
|
| Created: | August 14, 2002 |
Updated: | October 1, 2003 |
| Description: |
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content Length values.
"It is believed
that an attacker could exploit this bug to gain remote wwwrun access
to the system wwwoffled is running on."
CAN-2002-0818 |
| Alerts: |
|
Comments (none posted)
XFree86 4.3.0 integer overflows in font libraries
| Package(s): | XFree86 |
CVE #(s): | CAN-2003-0730
|
| Created: | September 12, 2003 |
Updated: | November 25, 2003 |
| Description: |
Several vulnerabilities were discovered by blexim(at)hush.com in the font
libraries of XFree86 version 4.3.0 and earlier. These bugs could
potentially lead to execution of arbitrary code or a DoS by a remote user
in any way that calls these functions, which are related to the transfer
and enumeration of fonts from font servers to clients. See the
advisory for additional details.
|
| Alerts: |
|
Comments (none posted)
xinetd: Memory leak in xinetd 2.3.10
| Package(s): | xinetd |
CVE #(s): | CAN-2003-0211
|
| Created: | May 13, 2003 |
Updated: | November 13, 2003 |
| Description: |
Xinetd is a 'master server' that is used to to accept service connection
requests and start the appropriate servers.
Because of a programming error, memory was allocated and never freed if a
connection was refused for any reason. An attacker could exploit this flaw
to crash the xinetd server, rendering all services it controls unavailable.
In addition, other flaws in xinetd could cause incorrect operation in
certain unusual server configurations.
All users of xinetd are advised to update to xinetd-2.3.11 which is not
vulnerable to these issues. |
| Alerts: |
|
Comments (none posted)
zblast: buffer overflow
| Package(s): | zblast |
CVE #(s): | CAN-2003-0613
|
| Created: | August 11, 2003 |
Updated: | October 1, 2003 |
| Description: |
Steve Kemp discovered a buffer overflow in zblast-svgalib, when saving
the high score file. This vulnerability could be exploited by a local
user to gain gid 'games', if they can achieve a high score.
CAN-2003-0613 |
| Alerts: |
|
Comments (1 posted)
Resources
John A. Halderman has analyzed the "CD3" copy protection system for audio
CDs and posted his
results. It seems that this technology works by loading a special
driver via the Windows autorun feature; the driver interferes with read
operations, thus thwarting copy attempts. But only if the driver is
actually loaded. " MediaMax's protections are ineffective because the
driver program can easily be disabled or, depending on the system
configuration, it might never be installed to begin with. As a result,
audio content is vulnerable to copying in virtually 100% of deployed
systems.... Computers running Linux or Mac OS 9 can't run the MediaMax
software at all, so they can always copy the recording." Sometimes
the lack of Linux support is a good thing.
Comments (21 posted)
This week's Linux Advisory Watch and Linux Security Week newsletters from
LinuxSecurity.com are available.
Comments (none posted)
Events
The 13th Annual EICAR Conference will be held at the Hilton Luxembourg in
Luxemburg City from May 1 to 4, 2004. " Participants can expect a variety of academic and leading edge technical
presentations from around the world, with an emphasis not only on technical
aspects of IT-security, but also the legal and social issues rapidly
becoming the new thorn in everyone's collective side." The call for
papers has gone out, with a submission deadline of January 15.
Full Story (comments: none)
Page editor: Jonathan Corbet
Next page: Kernel development>>
|
|
|