A group called The Measurement Factory (TMF) has put out a press release to call attention to a recent survey of DNS servers. According to TMF, the majority of publicly-available nameservers are configured incorrectly and are vulnerable to denial of service and pharming attacks. In most cases, fixing the problems is a relatively straightforward operation.
Pharming refers to the use of cache poisoning attacks to hijack a domain
name. If an attacker can convince your nameserver to return a bogus
address for a known domain, your attempts to access a bank or other online
financial-related site can be redirected to a malicious site. Many users
have learned to enter domains for financial sites themselves, rather than,
say, clicking on a random link which showed up in their mailbox. A
pharming attack, however, can lead to the same result as a successful
phish: account names, passwords, and credit card numbers can be captured.
So what are all of those DNS administrators doing wrong? The biggest problem, according to TMF, is that publicly-available nameservers are configured to perform recursive lookups for anybody who asks. If an attacker can request an arbitrary recursive lookup, that attacker can get the target nameserver to contact - and accept data from - a malicious server. The malicious server can pass back incorrect information, which the target server may then cache and return to its own users. The solution in this case is to limit recursive queries to internal hosts; with BIND, the allow-recursion option can be used to this effect, and a server that is only authoritative for its own zones can turn recursion off altogether.
The survey also notes that some 40% of sites on the net allow zone transfers to arbitrary hosts. A transfer hands out the entire contents of the zone, which is more information than one might like to disclose; transfers are also far more expensive to serve than ordinary queries, so they represent a denial of service opportunity. Finally, the survey notes that a fair number of sites place their secondary servers on the same subnet as the primary, leaving an obvious single point of failure.
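The recursion and zone-transfer fixes described above, as an added named.conf fragment. This is example configuration written for this page, not text from TMF's release or from the BIND documentation; the ACL names and the 192.0.2.0/24 and 198.51.100.53 addresses are placeholders for a site's own network and its secondary server. The two options blocks are alternatives, not meant to appear in one file.

```conf
// Before: the configuration the survey complains about. Any host on the
// Internet can have this server recurse on its behalf (and cache the
// result), and any host can pull a full copy of every zone.
options {
    recursion yes;
    allow-recursion { any; };
    allow-transfer  { any; };
};

// After: recursion only for internal hosts, zone transfers only to the
// site's own secondary, which sits on a different subnet from the primary.
acl "internal"    { 127.0.0.1; 192.0.2.0/24; };   // placeholder: your LAN
acl "secondaries" { 198.51.100.53; };             // placeholder: your secondary, off-subnet

options {
    recursion yes;
    allow-recursion { internal; };
    allow-transfer  { secondaries; };   // global default, may be overridden per zone
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };
};

// A server that is only authoritative for its own zones should not recurse at all:
//     recursion no;
```

After reloading, check from a host outside the internal ACL that a query for a name the server is not authoritative for gets no recursive answer (REFUSED, or a response with the RA flag clear), and that `dig @<server> example.com axfr` is refused from anywhere except the secondary.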
Security issues with DNS servers have been relatively rare in recent
times. A nameserver is only as secure as its configuration, however.
Auditing nameservers for these issues in the near future might not be a bad
idea.
New vulnerabilities
chkstat: information disclosure
Package(s): chkstat
CVE #(s): (none listed)
Created: October 24, 2005
Updated: October 25, 2005
Description:
SUSE LINUX ships with three predefined sets of permissions: 'easy', 'secure' and 'paranoid'. The chkstat program contained in the permissions package is used to set those permissions to the chosen level. Level 'easy', which is the default, allows some world-writable directories; /usr/src/packages/RPMS and its subdirectories are among them. To prevent users from playing tricks in there (e.g. linking to /etc/shadow), chkstat doesn't touch symlinks or files with a hardlink count != 1.
Stefan Nordhausen discovered a way to trick this check. To gain access to e.g. /etc/shadow, a malicious user has to place a hardlink to that file in a location that is modified by chkstat. chkstat will not touch the file because it has a hardlink count of two. However, if the administrator modifies the user database, the original /etc/shadow gets deleted and replaced by a new one. That means the hardlink count of the file created by the malicious user drops to one. At this point chkstat will modify the file's permissions so that anyone can read it. It is therefore technically impossible for chkstat to modify the permissions of files in world-writable directories in a secure way.
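The hardlink-count bypass described above, played out in a throwaway directory as an added demonstration (this is not code from the permissions package, and chkstat itself is not involved). "shadow" stands in for /etc/shadow, "drop" for the world-writable /usr/src/packages/RPMS tree, and the final chmod simulates what chkstat does to a file it now believes is an ordinary, unlinked file. The sample password lines are constructed. GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example: why "skip files with a hardlink count != 1" is not a safe
# rule for a world-writable directory. Not code from SUSE's chkstat.

demo_hardlink_race() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/drop"

    # The protected file (stand-in for /etc/shadow). Constructed sample line.
    printf 'root:$6$secret$hash:16000:0:99999:7:::\n' > "$tmp/shadow"
    chmod 0640 "$tmp/shadow"

    # Attacker: plant a hardlink inside the directory chkstat manages.
    ln "$tmp/shadow" "$tmp/drop/innocent.rpm"
    before=$(stat -c %h "$tmp/drop/innocent.rpm")   # 2: the check skips it

    # Administrator: a vipw/passwd-style update writes a new file and renames
    # it over the old one. The attacker's link keeps the *old* inode, whose
    # link count now drops back to one.
    printf 'root:$6$newsecret$hash:16001:0:99999:7:::\n' > "$tmp/shadow.tmp"
    chmod 0640 "$tmp/shadow.tmp"
    mv -f "$tmp/shadow.tmp" "$tmp/shadow"
    after=$(stat -c %h "$tmp/drop/innocent.rpm")    # 1: the check no longer applies

    # Simulated chkstat 'easy' run: the file looks ordinary, so it is made
    # world-readable, exposing the old password hashes.
    if [ "$after" -eq 1 ]; then
        chmod 0644 "$tmp/drop/innocent.rpm"
    fi
    mode=$(stat -c %a "$tmp/drop/innocent.rpm")

    rm -rf "$tmp"
    echo "$before $after $mode"
}

# Prints "<nlink before> <nlink after> <final mode>", expected "2 1 644".
demo_hardlink_race
```

Two caveats for anyone reproducing this on a current system: the planting step only works on the same filesystem, and on Linux kernels with fs.protected_hardlinks=1 (the default on most modern distributions) an unprivileged user cannot hardlink a file they do not own and cannot read, which blocks the first step outright. The demo sidesteps that by having one user own everything.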
Alerts:
enigmail: information disclosure
Package(s): enigmail
CVE #(s): CVE-2005-3256
Created: October 20, 2005
Updated: December 13, 2005
Description:
The key selection dialog of the Mozilla Thunderbird enigmail plugin has an information disclosure vulnerability. A key with an empty user id in the user's keyring is selected by default, so a message can be encrypted to, and decrypted with, a key other than the intended recipient's. This can lead to unauthorized information disclosure.
Alerts:
eric: missing input sanitizing
Package(s): eric
CVE #(s): CAN-2005-3068
Created: October 21, 2005
Updated: October 25, 2005
Description:
The developers of eric, a full featured Python IDE, have fixed a bug in the processing of project files that could lead to the execution of arbitrary code.
Alerts:
ethereal: multiple vulnerabilities
fetchmailconf: insecure file creation
Package(s): fetchmail
CVE #(s): CVE-2005-3088
Created: October 26, 2005
Updated: November 22, 2005
Description:
The fetchmailconf utility can create files which are world-readable for a brief period. These files may contain passwords, and thus should not be created in this manner.
Alerts:
libgda2: format string vulnerabilities
Package(s): libgda2
CVE #(s): CAN-2005-2958
Created: October 25, 2005
Updated: November 18, 2005
Description:
Steve Kemp discovered two format string vulnerabilities in libgda2, the GNOME Data Access library for GNOME2, which may lead to the execution of arbitrary code in programs that use this library.
Alerts:
module-assistant: insecure temp file
Package(s): module-assistant
CVE #(s): CAN-2005-3121
Created: October 20, 2005
Updated: October 25, 2005
Description:
The module-assistant package creation tool creates an insecure temporary file.
Alerts:
pam: brute-force vulnerability
Package(s): pam
CVE #(s): CVE-2005-2977
Created: October 26, 2005
Updated: October 28, 2005
Description:
When SELinux is enabled, the PAM unix_chkpwd helper can be used by a local attacker to perform brute-force password guessing.
Alerts:
phpMyAdmin: local file inclusion and XSS
Package(s): phpmyadmin
CVE #(s): CVE-2005-2869, CVE-2005-3300, CVE-2005-3301
Created: October 25, 2005
Updated: November 18, 2005
Description:
Stefan Esser discovered that by calling certain PHP files directly, it was possible to work around the grab_globals.lib.php security model and overwrite the $cfg configuration array. Systems running PHP in safe mode are not affected. Furthermore, Tobias Klein reported several cross-site scripting issues resulting from insufficient user input sanitizing. A local attacker may exploit the first vulnerability by sending malicious requests, causing the execution of arbitrary code with the rights of the user running the web server. The cross-site scripting issues give a remote attacker the ability to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim's browser.
Alerts:
squid: denial of service
Package(s): squid
CVE #(s): CVE-2005-3258
Created: October 20, 2005
Updated: October 27, 2005
Description:
Squid, a proxy caching server for Web clients, has a denial of service vulnerability: it can be caused to crash by sending a malformed FTP response.
Alerts:
sudo: missing input sanitizing
Package(s): sudo
CVE #(s): CVE-2005-2959
Created: October 25, 2005
Updated: February 19, 2006
Description:
Tavis Ormandy noticed that sudo, a program that provides limited super user privileges to specific users, does not clean the environment sufficiently. The SHELLOPTS and PS4 variables are dangerous and are still passed through to the program running as the privileged user. This can result in the execution of arbitrary commands as the privileged user when a bash script is executed. These vulnerabilities can only be exploited by users who have been granted limited super user privileges.
Alerts:
Zope: file inclusion through RestructuredText
Package(s): zope
CVE #(s): (none listed)
Created: October 25, 2005
Updated: October 25, 2005
Description:
Zope honors file inclusion directives in RestructuredText objects by default. An attacker could exploit the vulnerability by sending malicious input that would be interpreted in a RestructuredText Zope object, potentially resulting in the execution of arbitrary Zope code with the rights of the Zope server.
Alerts:
Resources
The O'Reilly Network has put up a lengthy and academic article on phishing by Simson Garfinkel and Lorrie Faith Cranor. "When a user faces a phishing attack, the user's mental model about the interaction disagrees with the system model. For example, the user's intention may be 'go to eBay,' but the actual implementation of the hyperlink may be 'go to a server in South Korea.' It is this discrepancy that enables the attack, and it is this discrepancy that makes phishing attacks very hard to defend against."
Page editor: Jonathan Corbet