|
|
| |
|
| |
Security
Brief items
November 12, 2003
This article was contributed by Jake Edge.
An open approach was used in the first ever security certification for Linux,
as befits the open source nature of the operating system. IBM and SuSE
teamed up to certify SuSE Linux Enterprise Server 8 (SLES 8) on IBM eServer
xSeries hardware and achieved
Common
Criteria Evaluation Assurance Level 2+ (EAL2+) in July. Much of
the documentation that was done to accomplish this is available from the
SuSE and
IBM Linux
Technology Center web sites.
"This very open approach is unusual for a certification," according to Klaus
Weidner, senior IT security consultant for
atsec, the German firm responsible for
the evaluation. "The overall effort for another distribution is significantly
lower if they re-use the material that has been released to the Open Source
community from the evaluation of SLES 8," he said. The material that
has been released includes a high-level design, a security guide,
the security target,
test plans, and the certification report. In addition, bugs found during
the process have been fixed and the resulting patches fed back to the
developers for inclusion in upcoming
releases.
Common Criteria security certification consists of two elements: the
"security target" (or "protection profile") that specifies the security
features of the product to be evaluated and the "assurance level" which
provides a level of confidence that the security functions perform as
documented. For the EAL2 certification, the security target was created by
IBM and SuSE. The evaluation process looked at SuSE's "configuration
management, acceptance procedures and development security," Weidner said,
and SuSE was "found to meet and exceed all requirements for this
evaluation." A few bugs were found in the testing process, particularly in
PAM authentication, and they were fixed and funneled back to the
development community.
Looking forward, the evaluation and testing for an EAL3 certification is
currently under way using the Controlled
Access Protection Profile (PDF format) (CAPP), which is a standardized
security target created by the NSA. CAPP is the target that was used by
Microsoft to achieve an EAL4 certification for Windows 2000. These
certifications are widely seen by companies and government agencies as a
seal of approval for the security functions of a product.
The main areas that need work for the EAL3 certification are adding an
auditing subsystem and documenting what Weidner called "security-relevant
subsystem interfaces". As part of that process, any undocumented Linux
system calls need to have man pages written for them; the
resulting pages
will, of course, be provided back to the Linux community. The audit
subsystem has been completed and is undergoing tests, the kernel portion is
based on the systrace
patch along with a set of user-space utilities that were developed by
IBM and SuSE. These too will be open source.
EAL4 certification (should IBM and SuSE take that step) will require
even more documentation, including internal interfaces inside the kernel.
"Kernel hackers may be happy with using the source code as a reference, but
EAL4 requires a descriptive low-level design document," Weidner said.
This effort would be huge and it is not known whether it will be done, but
it would obviously serve as a great reference to kernel internals.
One of the bigger questions surrounding these certifications is what they
really mean for the security of the system. Unfortunately, the answer
seems to be: not much. Professor Jonathan Shapiro of Johns Hopkins
University has an analysis of the
Windows 2000 EAL4 certification and much of what he says can be applied to
the EAL2 (and presumably upcoming EAL3) certification of SLES 8.
In summary the CAPP (and the target used for EAL2) both define away most of
the "real world" security problems that operating systems face. From the
CAPP document:
The CAPP provides for a level of protection which is appropriate
for an assumed non-hostile and well-managed user community
requiring protection against threats of inadvertent or casual
attempts to breach the system security. The profile is not intended
to be applicable to circumstances in which protection is required
against determined attempts by hostile and well funded attackers to
breach system security.
which Shapiro translates into:
Don't hook this to the internet, don't run email, don't install software
unless you can 100% trust the developer, and if anybody who works for
you turns out to be out to get you you are toast.
While CAPP is the "standard", it really does not provide requirements that
would make a system secure from the biggest security threats that exist
today. It seems somewhat unlikely that the cracker community is
particularly well funded, but they certainly are hostile, clever, and
persistent. Given the volume of exploits against the CAPP/EAL4 certified
Windows 2000, it seems clear that certification is mostly
a marketing bullet point to make purchasers more comfortable without
actually providing a secure system.
Comments (5 posted)
Some users of the Fedora Core 1 release have noted that it contains at
least one package (ethereal) with a known vulnerability and have asked when
security updates will become available. The response
from Red Hat is:
With the switch to Fedora, we have to rejigger some of the
infrastructure in pushing updates. This has hit a few delay snags,
we hope to get things straightened out soon.
The first update (for EPIC) has found its way to the
download directory, and the ethereal update is in the
testing directory. Announcements will go to the
fedora-announce list soon. Fedora Core is a new distribution, and some
of the mechanisms are still going into place, but it should all be there
before too long.
Comments (none posted)
New vulnerabilities
conquest: buffer overflow
| Package(s): | conquest |
CVE #(s): | CAN-2003-0933
|
| Created: | November 10, 2003 |
Updated: | November 13, 2003 |
| Description: |
Steve Kemp discovered a buffer overflow in the environment variable
handling of conquest, a curses based, real-time, multi-player space
warfare game, which could lead a local attacker to gain unauthorized
access to the group conquest. |
| Alerts: |
|
Comments (none posted)
epic4: buffer overflow
| Package(s): | epic4 |
CVE #(s): | CAN-2003-0328
|
| Created: | November 10, 2003 |
Updated: | November 25, 2003 |
| Description: |
Jeremy Nelson discovered a remotely exploitable buffer overflow in
EPIC4, a popular client for Internet Relay Chat (IRC). A malicious
server could craft a reply which triggers the client to allocate a
negative amount of memory. This could lead to a denial of service if
the client only crashes, but may also lead to executing of arbitrary
code under the user id of the chatting user. |
| Alerts: |
|
Comments (none posted)
ethereal: multiple remote and local vulnerabilities
| Package(s): | ethereal |
CVE #(s): | CAN-2003-0925
CAN-2003-0926
CAN-2003-0927
|
| Created: | November 10, 2003 |
Updated: | December 17, 2003 |
| Description: |
Multiple vulnerabilities have been found in
ethereal versions below 0.9.16. Remote attackers can craft
packets, and local users can build corrupt trace files,
resulting denial of service and remote code execution. |
| Alerts: |
|
Comments (none posted)
hylafax: remote code execution
| Package(s): | hylafax |
CVE #(s): | CAN-2003-0886
|
| Created: | November 10, 2003 |
Updated: | November 20, 2003 |
| Description: |
Hylafax is an Open Source fax server
which allows sharing of fax equipment among computers by offering its
service to clients by a protocol similar to FTP. The SuSE Security Team
found a format bug condition during a code review of the hfaxd server. It
allows remote attackers to execute arbitrary code as root. However, the bug
can not be triggered in hylafax's default configuration. The
"capi4hylafax" packages also need to be updated as a dependency where they
are available. Upgrading to version 4.1.8 fixes the problem; see this advisory for details. |
| Alerts: |
|
Comments (none posted)
mpg123: heap overflow
| Package(s): | mpg123 |
CVE #(s): | CAN-2003-0865
|
| Created: | November 12, 2003 |
Updated: | February 19, 2004 |
| Description: |
Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details. |
| Alerts: |
|
Comments (none posted)
omega-rpg: buffer overlow
| Package(s): | omega-rpg |
CVE #(s): | CAN-2003-0932
|
| Created: | November 11, 2003 |
Updated: | November 13, 2003 |
| Description: |
Steve Kemp discovered a buffer overflow in the commandline and environment
variable handling of omega-rpg, a text-based rogue-style game of dungeon
exploration, which could lead a local attacker to gain unauthorized access
to the group games. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
2.4 kernel - several vulnerabilities
| Package(s): | 2.4 kernel |
CVE #(s): | CAN-2003-0461
CAN-2003-0462
CAN-2003-0464
CAN-2003-0476
CAN-2003-0501
CAN-2003-0550
CAN-2003-0551
CAN-2003-0552
|
| Created: | July 21, 2003 |
Updated: | December 24, 2003 |
| Description: |
Several security issues have been discovered affecting the Linux kernel:
-
CAN-2003-0461: /proc/tty/driver/serial reveals the exact character
counts for serial links. This could be used by a local attacker to infer
password lengths and inter-keystroke timings during password entry.
-
CAN-2003-0462: Paul Starzetz discovered a file read race condition
existing in the execve() system call, which could cause a local crash.
-
CAN-2003-0464: A recent change in the RPC code set the reuse flag on
newly-created sockets. Olaf Kirch noticed that his could allow normal
users to bind to UDP ports used for services such as nfsd.
-
CAN-2003-0476: The execve system call in Linux 2.4.x records the file
descriptor of the executable process in the file table of the calling
process, allowing local users to gain read access to restricted file
descriptors.
-
CAN-2003-0501: The /proc filesystem in Linux allows local users to
obtain sensitive information by opening various entries in /proc/self
before executing a setuid program. This causes the program to fail to
change the ownership and permissions of already opened entries.
-
CAN-2003-0550: The STP protocol is known to have no security, which
could allow attackers to alter the bridge topology. STP is now turned
off by default.
-
CAN-2003-0551: STP input processing was lax in its length checking,
which could lead to a denial of service.
-
CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table
could be spoofed by sending forged packets with bogus source addresses
the same as the local host.
|
| Alerts: |
|
Comments (none posted)
apache: buffer overflows in mod_alias, mod_rewrite
| Package(s): | apache |
CVE #(s): | CAN-2003-0542
CAN-2003-0789
|
| Created: | October 28, 2003 |
Updated: | February 13, 2004 |
| Description: |
André Malo discovered
buffer overflows in the mod_alias and mod_rewrite modules of the Apache
webserver. These occurred if a regular expression with more than 9
capturing parenthesis was configured. To exploit this, an attacker would
need to be able to locally create a carefully crafted configuration file
(.htaccess or httpd.conf).
CAN-2003-0542
Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's
mishandling of CGI redirect paths could result in CGI output going to the
wrong client when a threaded MPM is used.
CAN-2003-0789. |
| Alerts: |
|
Comments (none posted)
apache2: Denial of Service vulnerability
| Package(s): | apache2 |
CVE #(s): | |
| Created: | September 29, 2003 |
Updated: | March 25, 2004 |
| Description: |
A problem was discovered in Apache2 where CGI scripts that write more than
4k to the standard error stream will hang the script's execution. This problem can lead to a
denial of service situation. See this bug
report for additional details. |
| Alerts: |
|
Comments (none posted)
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
CVE #(s): | |
| Created: | November 5, 2003 |
Updated: | November 5, 2003 |
| Description: |
Several new vulnerabilities have been found in bugzilla; these include a pair of SQL injection bugs (usually only exploitable by privileged users) and some information leaks. See this advisory for details; upgrading to versions 2.16.4 or 2.17.5 fixes the problems. |
| Alerts: |
|
Comments (1 posted)
CUPS: denial of service
| Package(s): | CUPS |
CVE #(s): | CAN-2003-0788
|
| Created: | November 3, 2003 |
Updated: | March 4, 2004 |
| Description: |
Paul Mitcheson reported a situation where the CUPS Internet Printing
Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get
into a busy loop. This could result in a denial of service. In order to
exploit this bug an attacker would need to have the ability to make a TCP
connection to the IPP port (by default 631).
|
| Alerts: |
|
Comments (none posted)
ethereal: security problems in Ethereal 0.9.12
| Package(s): | ethereal |
CVE #(s): | CAN-2003-0428
CAN-2003-0429
CAN-2003-0431
CAN-2003-0432
|
| Created: | June 23, 2003 |
Updated: | November 10, 2003 |
| Description: |
Several security problems have been found in Ethereal
0.9.12. "It may be possible to make Ethereal crash or run
arbitrary code by injecting a purposefully malformed packet onto the wire,
or by convincing someone to read a malformed packet trace file." |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
fetchmail may crash on specially crafted message
| Package(s): | fetchmail |
CVE #(s): | CAN-2003-0792
|
| Created: | October 17, 2003 |
Updated: | April 8, 2004 |
| Description: |
A bug was discovered in fetchmail 6.2.4 where a specially crafted email
message can cause fetchmail to crash.
|
| Alerts: |
|
Comments (none posted)
fileutils/wu-ftpd: denial of service
| Package(s): | fileutils |
CVE #(s): | CAN-2003-0854
|
| Created: | October 22, 2003 |
Updated: | March 2, 2004 |
| Description: |
There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details. |
| Alerts: |
|
Comments (none posted)
glibc - buffer overflow
| Package(s): | glibc |
CVE #(s): | CAN-2003-0689
|
| Created: | October 15, 2003 |
Updated: | November 25, 2003 |
| Description: |
The GNU C library contains a buffer overflow in the getgrouplist() function. If the user belongs to more groups than the calling application expects, the allocated storage will be overrun. |
| Alerts: |
|
Comments (none posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
CVE #(s): | CAN-2002-1146
|
| Created: | November 7, 2002 |
Updated: | February 5, 2004 |
| Description: |
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
|
| Alerts: |
|
Comments (none posted)
gnupg: key validation
| Package(s): | gnupg |
CVE #(s): | CAN-2003-0255
|
| Created: | May 16, 2003 |
Updated: | November 18, 2003 |
| Description: |
A key validation bug was discovered in the GNU Privacy Guard (GPG) which
would cause keys with more then one user ID to trust all user ID's with the
amount of trust given to the most-valid user ID. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
KDE: Two issues in KDM
| Package(s): | kde, xfree86 |
CVE #(s): | CAN-2003-0690
CAN-2003-0692
|
| Created: | September 16, 2003 |
Updated: | December 19, 2003 |
| Description: |
According to this advisory two issues have
been discovered in KDM:
- CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
- CAN-2003-0692: Session cookies generated by KDM are potentially insecure
All versions of KDM as distributed with KDE up to and including KDE 3.1.3
are affected. |
| Alerts: |
|
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
libnids: remotely exploitable buffer overflow
| Package(s): | libnids |
CVE #(s): | CAN-2003-0850
|
| Created: | October 29, 2003 |
Updated: | January 6, 2004 |
| Description: |
libnids (a NIDS plugin which emulates the Linux 2.0 IP stack) contains a buffer overflow vulnerability which can be exploited remotely. Version 1.18 fixes the problem. |
| Alerts: |
|
Comments (none posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
CVE #(s): | CAN-2002-1363
|
| Created: | December 19, 2002 |
Updated: | July 14, 2004 |
| Description: |
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mplayer: remotely exploitable buffer overflow vulnerability
| Package(s): | mplayer |
CVE #(s): | CAN-2003-0835
|
| Created: | September 29, 2003 |
Updated: | April 6, 2004 |
| Description: |
A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer
into executing arbitrary code upon parsing that header. Read the full advisory
for details. |
| Alerts: |
|
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
CVE #(s): | |
| Created: | May 27, 2003 |
Updated: | August 12, 2004 |
| Description: |
Some some vulnerabilities exsist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information. |
| Alerts: |
|
Comments (none posted)
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
CVE #(s): | CAN-2002-1170
|
| Created: | December 17, 2002 |
Updated: | November 7, 2003 |
| Description: |
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: |
|
Comments (none posted)
nfs-utils xlog() off-by-one bug
| Package(s): | nfs-utils |
CVE #(s): | CAN-2003-0252
|
| Created: | July 14, 2003 |
Updated: | March 8, 2004 |
| Description: |
Linux NFS utils package contains remotely exploitable off-by-one bug.
A local or remote attacker could exploit this vulnerability by sending
specially crafted request to rpc.mountd daemon. See this BugTraq post for more details. |
| Alerts: |
|
Comments (none posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2003-0190
|
| Created: | May 2, 2003 |
Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
| Alerts: |
|
Comments (1 posted)
postfix: denial of service vulnerabilities
| Package(s): | postfix |
CVE #(s): | CAN-2003-0468
CAN-2003-0540
|
| Created: | August 5, 2003 |
Updated: | May 27, 2004 |
| Description: |
The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. |
| Alerts: |
|
Comments (none posted)
PostgreSQL - more buffer overflows
| Package(s): | postgresql |
CVE #(s): | |
| Created: | February 12, 2003 |
Updated: | November 7, 2003 |
| Description: |
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. |
| Alerts: |
|
Comments (1 posted)
postgresql: remote code execution
| Package(s): | postgresql |
CVE #(s): | CAN-2003-0901
|
| Created: | October 31, 2003 |
Updated: | November 17, 2003 |
| Description: |
Two bugs leading to a buffer overflow in the PostgreSQL RDBMS, versions 7.2.x and
7.3.x prior to 7.3.4, were discovered. The vulnerability exists in the
PostgreSQL abstract data type (ADT) to ASCII conversion functions.
It has been conjectured that excessive data passed to the involved
to_ascii_xxx() functions may overrun the bounds of an insufficient buffer
reserved in heap memory, resulting in the corruption of heap based memory
management structures that are adjacent to it. It is currently believed
that under the correct circumstances an attacker may use this to execute
arbitrary instructions in the context of the PostgreSQL server.
The Common Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2003-0901 to the problem. |
| Alerts: |
|
Comments (none posted)
proftpd: remote root shell
| Package(s): | proftpd |
CVE #(s): | CAN-2003-0831
|
| Created: | September 24, 2003 |
Updated: | January 2, 2004 |
| Description: |
The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information. |
| Alerts: |
|
Comments (2 posted)
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
CVE #(s): | CAN-2002-1323
|
| Created: | October 9, 2002 |
Updated: | February 20, 2004 |
| Description: |
usePerl has a
description of a vulnerability in the Safe.pm Perl module. It seems
that if a Safe compartment is used more than once, it ceases to be safe.
The problem is fixed in Safe 2.08. |
| Alerts: |
|
Comments (none posted)
sane-backends: several vulnerabilities
| Package(s): | sane-backends |
CVE #(s): | CAN-2003-0773
CAN-2003-0774
CAN-2003-0775
CAN-2003-0776
CAN-2003-0777
CAN-2003-0778
|
| Created: | September 11, 2003 |
Updated: | February 20, 2004 |
| Description: |
Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the
package libsane) that can be remotely exploited. These problems allow
a remote attacker to cause a segfault fault and/or consume arbitrary
amounts of memory. The attack is successful, even if the attacker's
computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned e.g. in xinetd or
inetd. If the entries in the configuration file of xinetd or inetd
respectively are commented out or do not exist, you are safe.
Try "telnet localhost 6566" on the server that may run saned. If you
get "connection refused" saned is not running and you are safe.
The Common Vulnerabilities and Exposures project identifies the
following problems:
-
CAN-2003-0773: saned checks the identity (IP address) of the remote
host only after the first communication took place (SANE_NET_INIT). So
everyone can send that RPC, even if the remote host is not allowed to
scan (not listed in saned.conf).
-
CAN-2003-0774: saned lacks error checking nearly everywhere in the
code. So connection drops are detected very late. If the drop of the
connection isn't detected, the access to the internal wire buffer leaves
the limits of the allocated memory. So random memory "after" the wire
buffer is read which will be followed by a segmentation fault.
-
CAN-2003-0775: If saned expects strings, it mallocs the memory
necessary to store the complete string after it receives the size of the
string. If the connection was dropped before transmitting the size,
malloc will reserve an arbitrary size of memory. Depending on that size
and the amount of memory available either malloc fails (->saned quits
nicely) or a huge amount of memory is allocated. Swapping and OOM
measures may occur depending on the kernel.
-
CAN-2003-0776: saned doesn't check the validity of the RPC numbers
it gets before getting the parameters.
-
CAN-2003-0777: If debug messages are enabled and a connection is
dropped, non-null-terminated strings may be printed and segmentation
faults may occur.
-
CAN-2003-0778: It's possible to allocate an arbitrary amount of
memory on the server running saned even if the connection isn't dropped.
At the moment this can not easily be fixed according to the author.
Better limit the total amount of memory saned may use (ulimit).
|
| Alerts: |
|
Comments (none posted)
sendmail: remotely exploitable buffer overflow
| Package(s): | sendmail |
CVE #(s): | CAN-2003-0694
CAN-2003-0681
|
| Created: | September 17, 2003 |
Updated: | November 18, 2003 |
| Description: |
Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix. |
| Alerts: |
|
Comments (none posted)
stunnel: signal handler reentrancy DoS
| Package(s): | stunnel |
CVE #(s): | CAN-2002-1563
|
| Created: | July 25, 2003 |
Updated: | November 25, 2003 |
| Description: |
Stunnel is a wrapper for network connections. It can be used to tunnel an
unencrypted network connection over a secure connection (encrypted using
SSL or TLS) or to provide a secure means of connecting to services that do
not natively support encryption.
When configured to listen for incoming connections (instead of being
invoked by xinetd), stunnel can be configured to either start a thread or a
child process to handle each new connection. If Stunnel is configured to
start a new child process to handle each connection, it will receive a
SIGCHLD signal when that child exits.
Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal
handler which, if interrupted by another SIGCHLD signal, could be unsafe.
This could lead to a denial of service. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
thttpd: multiple vulnerabilities
| Package(s): | thttpd |
CVE #(s): | CAN-2002-1562
CAN-2003-0899
|
| Created: | October 29, 2003 |
Updated: | November 6, 2003 |
| Description: |
The thttpd web server has a pair of vulnerabilities which can lead to information disclosure and arbitrary code execution; both are remotely exploitable. |
| Alerts: |
|
Comments (none posted)
unzip: directory traversal vulnerability
| Package(s): | unzip |
CVE #(s): | CAN-2003-0282
|
| Created: | July 1, 2003 |
Updated: | November 13, 2003 |
| Description: |
A vulnerabilitiy in unzip version 5.50 and earlier allows attackers to
overwrite arbitrary files during archive extraction by placing invalid
(non-printable) characters between two "." characters. These non-printable
characters are filtered, resulting in a ".." sequence. See the full
advisory for further information. |
| Alerts: |
|
Comments (none posted)
vim - modeline vulnerability
| Package(s): | vim |
CVE #(s): | CAN-2002-1377
|
| Created: | January 16, 2003 |
Updated: | February 10, 2004 |
| Description: |
VIM allows a user to set the modeline differently for each edited text file
by placing special comments in the files. Georgi Guninski found that these
comments can be carefully crafted in order to call external programs. This
could allow an attacker to create a text file such that when it is opened
arbitrary commands are executed. |
| Alerts: |
|
Comments (4 posted)
webmin: session ID spoofing
| Package(s): | webmin |
CVE #(s): | CAN-2003-0101
|
| Created: | June 13, 2003 |
Updated: | November 18, 2003 |
| Description: |
miniserv.pl in the webmin package does not properly handle
metacharacters, such as line feeds and carriage returns, in
Base64-encoded strings used in Basic authentication. This
vulnerability allows remote attackers to spoof a session ID, and
thereby gain root privileges. |
| Alerts: |
|
Comments (none posted)
wget: buffer overflow
| Package(s): | wget |
CVE #(s): | CAN-2003-1565
|
| Created: | August 5, 2003 |
Updated: | December 10, 2003 |
| Description: |
The wget utility contains a buffer overflow which, when exploited with an over-long URL, can enable arbitrary code execution. |
| Alerts: |
|
Comments (1 posted)
XFree86 4.3.0 integer overflows in font libraries
| Package(s): | XFree86 |
CVE #(s): | CAN-2003-0730
|
| Created: | September 12, 2003 |
Updated: | November 25, 2003 |
| Description: |
Several vulnerabilities were discovered by blexim(at)hush.com in the font
libraries of XFree86 version 4.3.0 and earlier. These bugs could
potentially lead to execution of arbitrary code or a DoS by a remote user
in any way that calls these functions, which are related to the transfer
and enumeration of fonts from font servers to clients. See the
advisory for additional details.
|
| Alerts: |
|
Comments (none posted)
xinetd: Memory leak in xinetd 2.3.10
| Package(s): | xinetd |
CVE #(s): | CAN-2003-0211
|
| Created: | May 13, 2003 |
Updated: | November 13, 2003 |
| Description: |
Xinetd is a 'master server' that is used to to accept service connection
requests and start the appropriate servers.
Because of a programming error, memory was allocated and never freed if a
connection was refused for any reason. An attacker could exploit this flaw
to crash the xinetd server, rendering all services it controls unavailable.
In addition, other flaws in xinetd could cause incorrect operation in
certain unusual server configurations.
All users of xinetd are advised to update to xinetd-2.3.11 which is not
vulnerable to these issues. |
| Alerts: |
|
Comments (none posted)
Resources
David A. Wheeler writes
about validating input in this installment of the Secure Programmer, on
IBM developerWorks. " One of the biggest mistakes developers of
secure programs make is to try to check for 'illegal' data values. It's a
mistake because attackers are quite clever; they can often think of yet
another dangerous data value. Instead, determine what is legal, check if
the data matches that definition, and reject anything that doesn't match
that definition. For security it's best to be extremely conservative to
start with, and allow just the data that you know is legal. After all, if
you're too restrictive, users will quickly report that the program won't
allow legitimate data to be entered. On the other hand, if you're too
permissive, you may not find that out until after your program has been
subverted."
Comments (none posted)
Page editor: Jonathan Corbet
Next page: Kernel development>>
|
|
|