Readers of LWN know that we have long been a fan of SpamAssassin. Your editor, whose
personal spam load is approaching 500 messages per day, would long have
ceased to function without it. Network life in the 21st century requires
either a well-hidden email address, or some sort of effective filtering.
SpamAssassin's extensive arsenal of tests has
traditionally included checks for legitimate mail. In the past, mail which
identified itself as having been created with certain free email agents or
which contained a software patch was given some extra credit in the scoring
process. Spammers have often found and exploited those tests; for a while,
some of us were receiving mail which had been simultaneously "created" with
mutt and evolution. The usual response to such activity has been to remove
the tests in question.
Most recently, some spammers have started adding fake PGP signatures (in
full HTML glory) to their output, in the hopes of slipping past
SpamAssassin. The PGP signature test was removed some time ago, but the
exploit was still enough to inspire this News.com article
which, among other things, says:
The attack on the software's filtering process highlights the
dangers of open-source projects, but it also reinforces the ability
of projects with active development teams to quickly respond to
such security holes.
The open nature of SpamAssassin's filtering is, thus, a "danger." Lest one
become too concerned about the "dangers" involved in using SpamAssassin,
however, there are a few things which should be kept in mind:
Prospective spam can be tested against any filter, open or closed.
It would be surprising if spammers were not trying their products
against SpamAssassin in this way. They also, most likely, maintain
accounts with large ISPs and try to craft messages that get past the
filters those ISPs employ as well.
SpamAssassin remains highly effective, even when spammers have had
plenty of time to study its tests and work out ways to get around it.
Open or not, SpamAssassin's rules are very good at identifying spam,
and they appear to be hard to get around. Fighting spam is an arms
race; it is surprising, actually, how rarely one has to upgrade
SpamAssassin to keep it effective.
The bayesian filtering techniques used by SpamAssassin (and many other
spam filtering systems) cannot be worked around in any easy way. A
quick test on about 6400 messages which had accumulated in your
editor's spam folder shows that the bayesian filter is the decisive
test which condemns 15-25% of all incoming spam. Bayesian filters are
highly individualized, and they are inaccessible to spammers. The
algorithm is entirely open, but that is little comfort to those who
would bury us in unwanted trash.
The real lesson from the PGP signature "exploit," most likely, is that
negative tests will always be relatively easy for spammers to abuse. That
will be why SpamAssassin 2.60 contains almost none of these tests.
The most important point, however, is entirely different. For many of us,
email is a vital connection to the world. It is natural to be concerned
about trusting a program to filter our incoming mail for us; mistakes can
have real consequences. Would you really want to trust your mail to a
hidden, proprietary filtering scheme? Don't you want to know what
assumptions and biases have gone into the filtering decisions? Or, at
least, don't you want that information to be available to those with the
time and interest to check it out?
Allowing a black box to pass
judgment on one's incoming mail stream poses more dangers than an open,
free system ever could.
The GNU C library contains a buffer overflow in the getgrouplist() function. If the user belongs to more groups than the calling application expects, the allocated storage will be overrun.
Aldrin Martoq has discovered a denial of service (DoS) vulnerability in
Apache Tomcat 4.0.x. Sending several non-HTTP requests to Tomcat's HTTP
connector makes Tomcat reject further requests on this port until it is
restarted.
Several security issues have been discovered affecting the Linux kernel:
CAN-2003-0461: /proc/tty/driver/serial reveals the exact character
counts for serial links. This could be used by a local attacker to infer
password lengths and inter-keystroke timings during password entry.
CAN-2003-0462: Paul Starzetz discovered a file read race condition
existing in the execve() system call, which could cause a local crash.
CAN-2003-0464: A recent change in the RPC code set the reuse flag on
newly-created sockets. Olaf Kirch noticed that his could allow normal
users to bind to UDP ports used for services such as nfsd.
CAN-2003-0476: The execve system call in Linux 2.4.x records the file
descriptor of the executable process in the file table of the calling
process, allowing local users to gain read access to restricted file
descriptors.
CAN-2003-0501: The /proc filesystem in Linux allows local users to
obtain sensitive information by opening various entries in /proc/self
before executing a setuid program. This causes the program to fail to
change the ownership and permissions of already opened entries.
CAN-2003-0550: The STP protocol is known to have no security, which
could allow attackers to alter the bridge topology. STP is now turned
off by default.
CAN-2003-0551: STP input processing was lax in its length checking,
which could lead to a denial of service.
CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table
could be spoofed by sending forged packets with bogus source addresses
the same as the local host.
A problem was discovered in Apache2 where CGI scripts that write more than
4k to the standard error stream will hang the script's execution. This problem can lead to a
denial of service situation. See this bug
report for additional details.
Several security problems have been found in Ethereal
0.9.12. "It may be possible to make Ethereal crash or run
arbitrary code by injecting a purposefully malformed packet onto the wire,
or by convincing someone to read a malformed packet trace file."
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
A key validation bug was discovered in the GNU Privacy Guard (GPG) which
would cause keys with more then one user ID to trust all user ID's with the
amount of trust given to the most-valid user ID.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer.
A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer
into executing arbitrary code upon parsing that header. Read the full advisory
for details.
Frank Denis
reported a vulnerability in MySQL affecting MySQL3 versions 3.0.57 and
earlier and MySQL4 versions 4.0.14 and earlier. Passwords of MySQL users
are stored in the "Password" field of the "User" table, part of the "mysql"
database. The passwords are hashed and stored as a 16 characters long
hexadecimal value. Unfortunately, a function involved in password checking
misses correct bounds checking. By filling a "Password" field a value
wider than 16 characters, a buffer overflow will occur. The Common
Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2003-0780 to the problem.
Some some vulnerabilities exsist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information.
Linux NFS utils package contains remotely exploitable off-by-one bug.
A local or remote attacker could exploit this vulnerability by sending
specially crafted request to rpc.mountd daemon. See this BugTraq post for more details.
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Vulnerabilities have been found in OpenSSL ASN.1 code. This advisory contains details of 4 separate
problems in versions of OpenSSL up to and including 0.9.6j and 0.9.7b and
all versions of SSLeay.
An attack against other applications that use OpenSSL could result in a
Denial of Service. See
CAN-2003-0543 and
CAN-2003-0544.
It may be possible for an attacker to exploit this issue to execute
arbitrary code. See
CAN-2003-0545.
The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information.
usePerl has a
description of a vulnerability in the Safe.pm Perl module. It seems
that if a Safe compartment is used more than once, it ceases to be safe.
The problem is fixed in Safe 2.08.
Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the
package libsane) that can be remotely exploited. These problems allow
a remote attacker to cause a segfault fault and/or consume arbitrary
amounts of memory. The attack is successful, even if the attacker's
computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned e.g. in xinetd or
inetd. If the entries in the configuration file of xinetd or inetd
respectively are commented out or do not exist, you are safe.
Try "telnet localhost 6566" on the server that may run saned. If you
get "connection refused" saned is not running and you are safe.
The Common Vulnerabilities and Exposures project identifies the
following problems:
CAN-2003-0773: saned checks the identity (IP address) of the remote
host only after the first communication took place (SANE_NET_INIT). So
everyone can send that RPC, even if the remote host is not allowed to
scan (not listed in saned.conf).
CAN-2003-0774: saned lacks error checking nearly everywhere in the
code. So connection drops are detected very late. If the drop of the
connection isn't detected, the access to the internal wire buffer leaves
the limits of the allocated memory. So random memory "after" the wire
buffer is read which will be followed by a segmentation fault.
CAN-2003-0775: If saned expects strings, it mallocs the memory
necessary to store the complete string after it receives the size of the
string. If the connection was dropped before transmitting the size,
malloc will reserve an arbitrary size of memory. Depending on that size
and the amount of memory available either malloc fails (->saned quits
nicely) or a huge amount of memory is allocated. Swapping and OOM
measures may occur depending on the kernel.
CAN-2003-0776: saned doesn't check the validity of the RPC numbers
it gets before getting the parameters.
CAN-2003-0777: If debug messages are enabled and a connection is
dropped, non-null-terminated strings may be printed and segmentation
faults may occur.
CAN-2003-0778: It's possible to allocate an arbitrary amount of
memory on the server running saned even if the connection isn't dropped.
At the moment this can not easily be fixed according to the author.
Better limit the total amount of memory saned may use (ulimit).
Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix.
Stunnel is a wrapper for network connections. It can be used to tunnel an
unencrypted network connection over a secure connection (encrypted using
SSL or TLS) or to provide a secure means of connecting to services that do
not natively support encryption.
When configured to listen for incoming connections (instead of being
invoked by xinetd), stunnel can be configured to either start a thread or a
child process to handle each new connection. If Stunnel is configured to
start a new child process to handle each connection, it will receive a
SIGCHLD signal when that child exits.
Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal
handler which, if interrupted by another SIGCHLD signal, could be unsafe.
This could lead to a denial of service.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
A vulnerabilitiy in unzip version 5.50 and earlier allows attackers to
overwrite arbitrary files during archive extraction by placing invalid
(non-printable) characters between two "." characters. These non-printable
characters are filtered, resulting in a ".." sequence. See the full
advisory for further information.
VIM allows a user to set the modeline differently for each edited text file
by placing special comments in the files. Georgi Guninski found that these
comments can be carefully crafted in order to call external programs. This
could allow an attacker to create a text file such that when it is opened
arbitrary commands are executed.
miniserv.pl in the webmin package does not properly handle
metacharacters, such as line feeds and carriage returns, in
Base64-encoded strings used in Basic authentication. This
vulnerability allows remote attackers to spoof a session ID, and
thereby gain root privileges.
Several vulnerabilities were discovered by blexim(at)hush.com in the font
libraries of XFree86 version 4.3.0 and earlier. These bugs could
potentially lead to execution of arbitrary code or a DoS by a remote user
in any way that calls these functions, which are related to the transfer
and enumeration of fonts from font servers to clients. See the
advisory for additional details.
Xinetd is a 'master server' that is used to to accept service connection
requests and start the appropriate servers.
Because of a programming error, memory was allocated and never freed if a
connection was refused for any reason. An attacker could exploit this flaw
to crash the xinetd server, rendering all services it controls unavailable.
In addition, other flaws in xinetd could cause incorrect operation in
certain unusual server configurations.
All users of xinetd are advised to update to xinetd-2.3.11 which is not
vulnerable to these issues.
Bruce Schneier's CRYPTO-GRAM newsletter for October is out. This month's
topics include
the future of surveillance,
the expanding use of the "Patriot" act,
pirating movies,
identity cards,
and the security risks of monocultures.
"The upshot of this is that you should consider the possibility, albeit
remote, that you are being observed whenever you're out in
public. Assume that all public Internet terminals are being
eavesdropped on; either don't use them or don't care. Assume that
cameras are watching and recording you as you walk down the
street. (In some cities, they probably are.) Assume that surveillance
technologies that were science fiction ten years ago are now
mass-market."
CERT has adopted a new PGP key which will be used in its outgoing email. See the announcement for details on how to get the new key. Apparently the passphrase for the previous key was spread a little more widely than CERT had intended.
The 16th Forum of Incident Response and Security Teams (FIRST) will be held
June 13 to 18 in Budapest, Hungary. The call for papers is out
now, with a submission deadline of December 1.
