Your editor recently found a bit of security advice in his mailbox:
A calm, reasoned, policy-based approach that covers all possible
threats is what is needed to ensure that a company's corporate
servers and workstations are protected.
This advice showed up in a message with a
subject line reading "IMAGE
YOUR SYSTEM NOW BEFORE THE KAMA SUTRA WORM HITS." It's a good thing these
folks (a company called Acronis, which will happily sell you the tools to
"image your system") are so calm and reasoned; it might not be fun to be
around if
they were to go into a panic.
Linux users, of course, remain blissfully unaware of the "Kama Sutra" worm
(or "BlackWorm"). At most, it manifests itself as a couple of "give me a
kiss" emails which SpamAssassin quickly learns to kiss off by itself.
Those who work with Windows, however, may well find themselves more aware
of this worm in the near future.
Kama Sutra/BlackWorm, like so many others, spreads via email attachments.
It does
have a couple of interesting features, however. One is that it goes out of
its way to disable antivirus systems on infected systems, making those
systems susceptible to other bits of roving malware which might wander by.
And, on February 3, it will attempt to destroy files on infected
systems. Anybody who is not aware of being infected is likely to find out
fairly abruptly at that point.
Estimates of the number of infected systems run as high as 600,000 as of
January 31. Most of those systems are in the U.S., India, and,
interestingly, Peru; see this page for
details. If you would like more information on this worm, including Snort
signatures for blocking it, see the ISC BlackWorm
page. And, for now, be glad you are running Linux.
Comments (2 posted)
New vulnerabilities
drupal: several vulnerabilities
Package(s): drupal
CVE #(s): CVE-2005-3973, CVE-2005-3974, CVE-2005-3975
Created: January 27, 2006
Updated: February 1, 2006
Description:
Several security-related problems have been discovered in drupal, a
fully-featured content management/discussion engine. Several cross-site
scripting vulnerabilities allow remote attackers to inject arbitrary web
script or HTML (CVE-2005-3973). When running on PHP5, Drupal does not
correctly enforce user privileges, which allows remote attackers to bypass
the "access user profiles" permission (CVE-2005-3974). An interpretation
conflict allows remote authenticated users to inject arbitrary web script
or HTML via HTML in a file with a GIF or JPEG file extension
(CVE-2005-3975).
Alerts:
Comments (none posted)
gallery: cross-site scripting vulnerability
Package(s): gallery
CVE #(s): (none assigned)
Created: January 26, 2006
Updated: February 1, 2006
Description:
Gallery, a web-based photo management system, has an input sanitizing
problem with the user's fullname. An attacker can create a specially
crafted fullname and inject script code into a victim's browser window
in order to compromise the user's gallery.
Alerts:
Comments (2 posted)
LibAST: privilege escalation
Package(s): libast
CVE #(s): CVE-2006-0224
Created: January 30, 2006
Updated: February 15, 2006
Description:
Michael Jennings discovered an exploitable buffer overflow in the
configuration engine of LibAST. The vulnerability can be exploited to gain
escalated privileges if the application using LibAST is setuid/setgid and
passes a specifically crafted filename to LibAST's configuration engine.
Alerts:
Comments (none posted)
libmail-audit-perl: insecure temporary file creation
Package(s): libmail-audit-perl
CVE #(s): CVE-2005-4536
Created: January 31, 2006
Updated: March 20, 2006
Description:
Niko Tyni discovered that the Mail::Audit module, a Perl library for
creating simple mail filters, logs to a temporary file with a predictable
filename in an insecure fashion when logging is turned on.
Alerts:
Debian | DSA-960-3 | libmail-audit-perl | 2006-03-20
Debian | DSA-960-2 | libmail-audit-perl | 2006-01-31
Debian | DSA-960-1 | libmail-audit-perl | 2006-01-31
Comments (none posted)
lsh-utils: local file descriptor leak
Package(s): lsh-utils
CVE #(s): CVE-2006-0353
Created: January 26, 2006
Updated: February 1, 2006
Description:
The lshd SSH2 protocol server has a file descriptor leak: user shells
started by lshd can access the randomness generator's file descriptors,
allowing the server seed file to be truncated. A denial of service is
possible, and session keys may become vulnerable to cracking.
Alerts:
Comments (none posted)
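Added example, not lsh code: a constructed C program that shows the bug class behind the lshd advisory (a daemon's descriptor on its random-seed file inherited by a user shell it execs), the close-on-exec fix, and an audit check a defender can run on any descriptor. It assumes /bin/sh is available and uses a temporary file in place of the real seed file.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed example of the lshd bug class: a daemon holds a descriptor on
 * its random-seed file, then execs a user shell, which inherits it unless the
 * descriptor is close-on-exec.  A temp file stands in for the seed file. */

/* Open the seed file either inheritable (the bug) or close-on-exec (the fix). */
int open_seed(const char *path, int cloexec)
{
    return open(path, O_RDWR | (cloexec ? O_CLOEXEC : 0));
}

/* Defender's audit check: returns 1 if fd is marked close-on-exec. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && (flags & FD_CLOEXEC) != 0;
}

/* Fork and exec /bin/sh as a stand-in for the user's shell; "exec 3>&N" exits 0
 * only if descriptor N survived the exec.  Returns 1 = leaked, 0 = closed. */
int fd_survives_exec(int fd)
{
    char fdstr[16];
    snprintf(fdstr, sizeof fdstr, "%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null 3>&$0", fdstr, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    char path[] = "/tmp/seed-demo-XXXXXX";   /* constructed stand-in seed file */
    close(mkstemp(path));
    int leaky = open_seed(path, 0), safe = open_seed(path, 1);
    printf("inheritable fd leaked: %d\n", fd_survives_exec(leaky));
    printf("O_CLOEXEC fd leaked:   %d\n", fd_survives_exec(safe));
    unlink(path);
    return 0;
}
```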
mydns: denial of service
Package(s): mydns
CVE #(s): CVE-2006-0351
Created: January 31, 2006
Updated: February 2, 2006
Description:
MyDNS contains an unspecified flaw that may allow a remote denial of
service. An attacker could cause a denial of service by sending malformed
DNS queries to the MyDNS server.
Alerts:
Comments (none posted)
nfs-server: buffer overflow
Package(s): nfs-server
CVE #(s): CVE-2006-0043
Created: January 26, 2006
Updated: February 15, 2006
Description:
The obsoleted nfs-server package has a remotely exploitable buffer overflow
vulnerability in the rpc.mountd service's realpath() function. A specially
crafted mount request from a remote attacker triggers the overflow and
allows the execution of code with root privileges.
Alerts:
Comments (none posted)
Paros: default administrator password
Package(s): paros
CVE #(s): CVE-2005-3280
Created: January 30, 2006
Updated: February 1, 2006
Description:
Andrew Christensen discovered that in older versions of Paros the database
component HSQLDB is installed with an empty password for the database
administrator "sa". Since the database listens globally by default, an
attacker can connect and issue arbitrary commands, including execution of
binaries installed on the host.
Alerts:
Comments (none posted)
mozilla-thunderbird: GUI display truncation vulnerability
Package(s): mozilla-thunderbird
CVE #(s): CVE-2006-0236
Created: January 26, 2006
Updated: February 1, 2006
Description:
Mozilla Thunderbird 1.0.2, 1.0.6, and 1.0.7 have a GUI display truncation
vulnerability. A user can be tricked into downloading a maliciously
created attachment with a hidden filename extension and potentially
execute the dangerous payload.
Alerts:
Comments (none posted)
trac: cross-site scripting vulnerability
Package(s): trac
CVE #(s): CVE-2005-4305
Created: January 26, 2006
Updated: February 1, 2006
Description:
Trac, a web-based project management and bug tracking system, has a
cross-site scripting vulnerability that may be exploited to execute
arbitrary JavaScript code.
Alerts:
Comments (1 posted)
unalz: arbitrary code execution
Package(s): unalz
CVE #(s): CVE-2005-3862
Created: January 30, 2006
Updated: February 1, 2006
Description:
Ulf Härnhammer from the Debian Audit Project discovered that unalz, a
decompressor for ALZ archives, performs insufficient bounds checking
when parsing file names. This can lead to arbitrary code execution if
an attacker provides a crafted ALZ archive.
Alerts:
Comments (none posted)
Resources
Version 4.00 of the Nmap security scanner is out. There is a long list of
changes and new features; click below for the full announcement. "A popular
open source security scanner recently went proprietary, complaining that
their community never contributes much. We are sorry to hear that, but happy
to report that the Nmap community is as vibrant and productive as ever!" We
hope to have a closer look at this release within the next two weeks.
Full Story (comments: none)
Version 1.7 of John the Ripper, a password cracker, is out. Most of the changes would appear to be performance oriented: John is now a faster Ripper in many situations.
Full Story (comments: none)
Page editor: Jonathan Corbet