The Organization for Internet Safety has announced the availability, in draft form, of
its "Security Vulnerability Reporting and Response Guidelines." These
guidelines offer suggestions for how security researchers and software
vendors should work together to deal with security problems in the most
effective way. Comments are being solicited for this version; they will be
accepted until July 16.
The guidelines, for the most part, make sense. Essentially, they say that
things go as follows:
A researcher finds a problem.
That problem is communicated in a clear way to the relevant vendor.
The vendor responds, and the two agree on a timeline for investigating
the problem and, if warranted, developing a fix.
The two talk to each other while this is going on.
When the fix is complete, the vendor makes it available, and both
parties can release advisories.
Detailed information on the vulnerability is to be withheld for
30 days.
Of course, it takes the OIS 23 pages, many dozen sub-objectives and
contingencies, and several complicated flow charts to communicate the
above.
The OIS and its guidelines have come under significant fire recently. Many
people distrust the OIS after having seen its list of members: @stake,
BindView, Foundstone, Guardent, ISS, Microsoft, NAI, Oracle, SGI, Symantec,
and our old friends the SCO Group. There are no independent researchers:
OIS policy explicitly excludes them. There is also no representation from
the free software community. In fact, the OIS is not that impressed with
free software in general:
We believe the software author should be given a chance to create a
fix before vulnerability information is made public, but that there
should be no further distribution of that information until the fix
is complete. This priniciple [sic] can be very difficult to adhere to in
certain situations, such as dealing with the open source community
where there aren't protections to keep vulnerability information
secret.
In recent times, the community has shown itself to be quite capable of
keeping vulnerability information under wraps for the time it takes to
generate a fix. If you want to do that, though, it is imperative to create
the fix quickly. The vendor-driven OIS standards seem more oriented toward
keeping vulnerability information secret for as long as possible.
The OIS claims that it has no intention of promoting legislation which
would codify its guidelines. Given the nature of some of the companies
involved, not everybody believes that claim. Certainly any attempts in
that direction should be watched for and resisted.
Perhaps the most interesting perspective on the OIS is this, however:
there are no free software organizations or vendors represented because the
community has no need for the OIS. As a general rule, vulnerability
reporting and response works very well in the free software world.
Vulnerabilities are reported to the relevant parties, and a whole set of
independent vendors and projects gets fixes out quickly. It is hard to see
problems in this aspect of our performance which are amenable to any sort
of improvement via a set of official guidelines. Our problems, instead,
lie in the fact that we create far too many vulnerabilities in the first
place. The OIS is not going to help us with that.
During an audit of the Linux kernel, SUSE discovered a flaw that allowed
a user to make unauthorized changes to the group ID of files in certain
circumstances - such as when the files are exported via NFS.
XDM will open TCP sockets for its chooser, even if the
DisplayManager.requestPort setting is set to 0. This may allow
authorized users to access a machine remotely via X, even if the
administrator has configured XDM to refuse such connections. See this XFree86 bug report.
A stack-based buffer overflow exists in the ssl_util_uuencode_binary
function in ssl_util.c in Apache. When mod_ssl is configured to trust the
issuing CA, a remote attacker may be able to execute arbitrary code via a
client certificate with a long subject DN.
Versions of apache 2.0 through 2.0.49 fail to defend against arbitrarily long header lines; this bug can be exploited to cause the server to use arbitrarily large amounts of memory. See this advisory from Georgi Guninski for details.
Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker.
Two separate buffer overflows have been found in versions 3.0.1rc12 and 3.0.1rc13 of the ISC DHCP server. These overflows can be exploited by a remote attacker to cause a denial of service, or, potentially, to execute arbitrary code. DHCP servers should not be exposed to the Internet, but this problem is worth fixing regardless. See this CERT advisory for more information.
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
FreeS/WAN, Openswan, strongSwan: Vulnerabilities in certificate handling
Package(s):
freeswan
CVE #(s):
Created:
June 26, 2004
Updated:
July 15, 2004
Description:
FreeS/WAN, Openswan, strongSwan and Super-FreeS/WAN contain two bugs
when authenticating PKCS#7 certificates. This could allow an attacker
to authenticate with a fake certificate. All these IPsec implementations
have several bugs in the verify_x509cert() function, which performs
certificate validation, that make them vulnerable to malicious PKCS#7
wrapped objects. With a carefully crafted certificate payload an attacker
can successfully authenticate against FreeS/WAN, Openswan, strongSwan or
Super-FreeS/WAN, or make the daemon go into an endless loop.
giFT-FastTrack is a plugin for the giFT file-sharing application.
If a maliciously crafted signal is sent to giFT-FastTrack,
remote attackers can crash the giFT daemon.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
An input validation error exists in Horde-IMP through version 3.2.4; a specially crafted message could be used to run scripts in the context of the target's browser.
Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
racoon does not check the length of ISAKMP headers. Attackers may be able
to craft an ISAKMP header of sufficient length to consume all available
system resources, causing a Denial of Service. This advisory contains additional
details.
kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
The 2.4 and 2.6 kernels contain a
vulnerability in the iso9660 (CDROM) filesystem which can be used by a
local attacker to obtain root privileges. The exploit requires creating a
specially-crafted filesystem and getting the kernel to mount it. Many
systems are configured to automatically mount CDs on insertion, however, so
the possibility of this vulnerability being exploited by users with
physical access to the system is real. The 2.4.26 kernel contains the fix,
which will also be merged into the upcoming 2.6.6 release.
The netfilter code in 2.6 kernels through 2.6.7 is vulnerable to a remote denial of service attack - but only if filtering on the TCP options field has been enabled. See this advisory for details.
2.4 and 2.6 kernels running on the i386 and x86_64 kernels have a vulnerability which can allow a local attacker to lock up the system. See this LWN article for a description of the problem.
Many of the updates for this problem also fix various potential driver vulnerabilities found while instrumenting the code for automated auditing.
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
Multiple buffer overflows exist in the krb5_aname_to_localname() library
function that if exploited could lead to unauthorized root privileges. In
order to exploit this flaw, an attacker must first successfully
authenticate to a vulnerable service, which must be configured to enable
the explicit mapping or rules-based mapping functionality of
krb5_aname_to_localname, which is not a default configuration. See the
this MIT krb5 Security Advisory for more information.
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability, however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability.
Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Some some vulnerabilities exsist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information.
netpbm is graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
A buffer overflow has been discovered in the ODBC driver of PostgreSQL,
an object-relational SQL database, descended from POSTGRES. It possible
to exploit this problem and crash the surrounding application. Hence, a
PHP script using php4-odbc can be utilized to crash the surrounding
Apache webserver. Other parts of postgresql are not affected.
See the rsync homepage for the
April 2004
advisory: "There is a security problem in all versions prior to
2.6.1 that affects only people running a read/write daemon WITHOUT using
chroot. If the user privs that such an rsync daemon is using is anything
above "nobody", you are at risk of someone crafting an attack that could
write a file outside of the module's "path" setting (where all its files
should be stored). Please either enable chroot or upgrade to 2.6.1. People
not running a daemon, running a read-only daemon, or running a chrooted
daemon are totally unaffected."
The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Several unspecified cross-site scripting (XSS) vulnerabilities and a well
hidden SQL injection vulnerability were found in SquirrelMail versions
1.4.2 and lower. An XSS attack allows an attacker to insert malicious code
into a web-based application. SquirrelMail does not check for code when
parsing variables received via the URL query string.
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory.
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
The code that generates email reports contains a format string
vulnerability in pipedmailmessage.cpp. With a carefully crafted filename
on a local filesystem an attacker could cause execution of arbitrary code
with permissions of the user running tripwire, which could be the root
user. See this advisory on SecurityFocus for more details.
Versions of webmin prior to 1.150 suffer from denial of service and information disclosure vulnerabilities. See advisories for the disclosure and lockout problems for more information.
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
