Security
Looking forward to Kama Sutra
Your editor recently found a bit of security advice in his mailbox:
This advice showed up in a message with a subject line reading "IMAGE YOUR SYSTEM NOW BEFORE THE KAMA SUTRA WORM HITS." It's a good thing these folks (a company called Acronis, which will happily sell you the tools to "image your system") are so calm and reasoned; it might not be fun to be around if they were to go into a panic.
Linux users, of course, remain blissfully unaware of the "Kama Sutra" worm (or "BlackWorm"). At most, it manifests itself as a couple of "give me a kiss" emails which SpamAssassin quickly learns to kiss off by itself. Those who work with Windows, however, may well find themselves more aware of this worm in the near future.
Kama Sutra/BlackWorm, like so many others, spreads via email attachments. It does have a couple of interesting features, however. One is that it goes out of its way to disable antivirus systems on infected systems, making those systems susceptible to other bits of roving malware which might wander by. And, on February 3, it will attempt to destroy files on infected systems. Anybody who is not aware of being infected is likely to find out fairly abruptly at that point.
Estimates of the number of infected systems run as high as 600,000 as of January 31. Most of those systems are in the U.S., India, and, interestingly, Peru; see this page for details. If you would like more information on this worm, including Snort signatures for blocking it, see the ISC BlackWorm page. And, for now, be glad you are running Linux.
New vulnerabilities
drupal: several vulnerabilities
| Package(s): | drupal |
| CVE #(s): | CVE-2005-3973 CVE-2005-3974 CVE-2005-3975 |
| Created: | January 27, 2006 |
| Updated: | February 1, 2006 |
| Description: | Several security-related problems have been discovered in drupal, a fully-featured content management/discussion engine. Several cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML (CVE-2005-3973). When running on PHP5, Drupal does not correctly enforce user privileges, which allows remote attackers to bypass the "access user profiles" permission (CVE-2005-3974). An interpretation conflict allows remote authenticated users to inject arbitrary web script or HTML via HTML in a file with a GIF or JPEG file extension (CVE-2005-3975). |
| Alerts: | |
gallery: cross-site scripting vulnerability
| Package(s): | gallery |
| CVE #(s): | |
| Created: | January 26, 2006 |
| Updated: | February 1, 2006 |
| Description: | Gallery, a web-based photo management system, has an input sanitizing problem with the user's fullname. An attacker can create a specially crafted fullname and inject script code into a victim's browser window in order to compromise the user's gallery. |
| Alerts: | |
LibAST: privilege escalation
| Package(s): | libast |
| CVE #(s): | CVE-2006-0224 |
| Created: | January 30, 2006 |
| Updated: | February 15, 2006 |
| Description: | Michael Jennings discovered an exploitable buffer overflow in the configuration engine of LibAST. The vulnerability can be exploited to gain escalated privileges if the application using LibAST is setuid/setgid and passes a specifically crafted filename to LibAST's configuration engine. |
| Alerts: | |
libmail-audit-perl: insecure temporary file creation
| Package(s): | libmail-audit-perl |
| CVE #(s): | CVE-2005-4536 |
| Created: | January 31, 2006 |
| Updated: | March 20, 2006 |
| Description: | Niko Tyni discovered that the Mail::Audit module, a Perl library for creating simple mail filters, logs to a temporary file with a predictable filename in an insecure fashion when logging is turned on. |
| Alerts: | |
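For readers wondering what "in an insecure fashion" means in practice, here is a small C demonstration, added here and not taken from Mail::Audit or the Debian advisory. A fixed, predictable log name opened with O_CREAT but without O_EXCL writes through whatever somebody has already left at that path, a symlink included; opening with O_EXCL|O_NOFOLLOW, or letting mkstemp() choose the name, refuses to. The scratch directory, file names and file contents are made up for the demonstration and are created in the current directory.

```c
/* Added example (not Mail::Audit or advisory code): the insecure and the
 * safe ways to create a log file in a shared directory.  The scratch
 * directory, file names and contents below are constructed for the demo. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Risky pattern: fixed, guessable name, and O_CREAT without O_EXCL, so
 * whatever already sits at that path (a symlink included) is reused. */
int open_log_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardening 1: keep the name, but O_EXCL|O_NOFOLLOW makes open() fail with
 * EEXIST (or ELOOP) instead of writing through a pre-planted link. */
int open_log_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hardening 2: mkstemp() picks an unpredictable name and creates it
 * atomically with O_EXCL.  `tmpl` must end in XXXXXX and is overwritten
 * with the name actually created. */
int open_log_private(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd >= 0 && fchmod(fd, S_IRUSR | S_IWUSR) < 0) {  /* force 0600 */
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

/* Runs all three inside a fresh scratch directory and reports a bitmask:
 *   bit 0: the predictable open() truncated the file behind the symlink
 *   bit 1: the exclusive open() refused the planted name
 *   bit 2: mkstemp() produced a private regular file with mode 0600
 * Returns -1 if the scratch setup itself failed. */
int run_demo(void)
{
    char dir[] = "lwn-tmpfile-demo-XXXXXX";   /* constructed scratch dir */
    char victim[300], logpath[300], tmpl[300];
    struct stat st;
    int fd, result = 0;

    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(logpath, sizeof logpath, "%s/mail-audit.log", dir);
    snprintf(tmpl, sizeof tmpl, "%s/mail-audit.XXXXXX", dir);

    /* A file that must not be touched... */
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "keep me\n", 8) != 8)
        return -1;
    close(fd);
    /* ...and a symlink to it, already sitting at the predictable log name. */
    if (symlink("victim.txt", logpath) < 0)
        return -1;

    /* The predictable open() follows the link and truncates the target. */
    fd = open_log_predictable(logpath);
    if (fd >= 0)
        close(fd);
    if (stat(victim, &st) == 0 && st.st_size == 0)
        result |= 1;

    /* The exclusive open() refuses to reuse the planted name. */
    errno = 0;
    fd = open_log_exclusive(logpath);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP))
        result |= 2;
    else if (fd >= 0)
        close(fd);

    /* mkstemp() yields a private regular file under a fresh name. */
    fd = open_log_private(tmpl);
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
        (st.st_mode & 0777) == 0600 && st.st_nlink == 1)
        result |= 4;
    if (fd >= 0) {
        close(fd);
        unlink(tmpl);
    }

    unlink(logpath);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("predictable open() clobbered the link target: %s\n", (r & 1) ? "yes" : "no");
    printf("O_EXCL|O_NOFOLLOW refused the planted link:   %s\n", (r & 2) ? "yes" : "no");
    printf("mkstemp() gave a private 0600 file:           %s\n", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

The same rule applies to any language: in Perl the fix is File::Temp rather than a hand-built name under /tmp, and a log that must keep a fixed name belongs in a directory only the program's user can write to.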
lsh-utils: local file descriptor leak
| Package(s): | lsh-utils |
| CVE #(s): | CVE-2006-0353 |
| Created: | January 26, 2006 |
| Updated: | February 1, 2006 |
| Description: | The lshd SSH2 protocol server has a file descriptor leak. User shells started by lshd can access randomness generator file descriptors, allowing the server seed file to be truncated. A denial of service is possible, and session keys may become vulnerable to cracking. |
| Alerts: | |
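The mechanism behind this one is worth a few lines of C. The example below is added here and is not lsh code: a descriptor a daemon holds open for its own use (the seed file stands in for lshd's randomness source) survives fork() and exec() into every user shell the daemon starts unless it carries the close-on-exec flag, which O_CLOEXEC sets at open() time and fcntl(F_SETFD) can add afterwards. The seed file name is a made-up placeholder created in the current directory.

```c
/* Added example, not lsh code: a long-lived descriptor must be marked
 * close-on-exec before the server spawns a user's shell, or the shell
 * inherits it.  The seed file name is a constructed placeholder. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if fd will be closed across exec(), 0 if it will be inherited,
 * -1 if fd is not open at all. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Leaky pattern: a plain open(); the descriptor survives into every child. */
int open_seed_leaky(const char *path)
{
    return open(path, O_RDWR | O_CREAT, 0600);
}

/* Fixed pattern: O_CLOEXEC at open() time, so there is no window between
 * open() and a later fcntl() during which a fork()+exec() could inherit it. */
int open_seed_private(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_CLOEXEC, 0600);
}

/* Retrofit for descriptors obtained elsewhere (from a library, say). */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Starts a shell the way a session daemon would and asks it whether `fd`
 * is still usable (a no-op command redirected to that fd).  Returns 1 if
 * the child could use the descriptor, 0 if it was closed across exec(),
 * -1 if the shell could not be run at all. */
int child_shell_can_use_fd(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    snprintf(cmd, sizeof cmd, ": >&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Opens the seed file each way, inspects the close-on-exec flag, cleans up.
 *   bit 0: plain open() leaves the fd inheritable
 *   bit 1: O_CLOEXEC marks it close-on-exec
 *   bit 2: set_cloexec() retrofits a plain descriptor
 * Returns 7 on a conforming system, -1 if the file could not be created. */
int check_open_modes(const char *path)
{
    int r = 0, fd;

    if ((fd = open_seed_leaky(path)) < 0)
        return -1;
    if (fd_is_cloexec(fd) == 0)
        r |= 1;
    if (set_cloexec(fd) == 0 && fd_is_cloexec(fd) == 1)
        r |= 4;
    close(fd);
    if ((fd = open_seed_private(path)) < 0) {
        unlink(path);
        return -1;
    }
    if (fd_is_cloexec(fd) == 1)
        r |= 2;
    close(fd);
    unlink(path);
    return r;
}

int main(void)
{
    const char *seed = "lwn-seed-demo.tmp";   /* constructed placeholder */
    int leaky = open_seed_leaky(seed);
    int safe = open_seed_private(seed);

    printf("plain open():   child shell can use fd %d? %d\n", leaky, child_shell_can_use_fd(leaky));
    printf("O_CLOEXEC open: child shell can use fd %d? %d\n", safe, child_shell_can_use_fd(safe));
    close(leaky);
    close(safe);
    unlink(seed);
    return 0;
}
```

Run stand-alone, the first line reports 1 (the shell could write to the inherited descriptor) and the second 0. Auditing a daemon for this class of bug amounts to listing every open() it performs and checking that each descriptor is either O_CLOEXEC or explicitly closed before the exec().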
mydns: denial of service
| Package(s): | mydns |
| CVE #(s): | CVE-2006-0351 |
| Created: | January 31, 2006 |
| Updated: | February 2, 2006 |
| Description: | MyDNS contains an unspecified flaw that may allow a remote denial of service. An attacker could cause a denial of service by sending malformed DNS queries to the MyDNS server. |
| Alerts: | |
nfs-server: buffer overflow
| Package(s): | nfs-server |
| CVE #(s): | CVE-2006-0043 |
| Created: | January 26, 2006 |
| Updated: | February 15, 2006 |
| Description: | The obsoleted nfs-server package has a remotely exploitable buffer overflow vulnerability in the rpc.mountd service's realpath() function. A specially crafted mount request from a remote attacker triggers the overflow and allows the execution of code with root privileges. |
| Alerts: | |
Paros: default administrator password
| Package(s): | paros |
| CVE #(s): | CVE-2005-3280 |
| Created: | January 30, 2006 |
| Updated: | February 1, 2006 |
| Description: | Andrew Christensen discovered that in older versions of Paros the database component HSQLDB is installed with an empty password for the database administrator "sa". Since the database listens globally by default, an attacker can connect and issue arbitrary commands, including execution of binaries installed on the host. |
| Alerts: | |
mozilla-thunderbird: GUI display truncation vulnerability
| Package(s): | mozilla-thunderbird |
| CVE #(s): | CVE-2006-0236 |
| Created: | January 26, 2006 |
| Updated: | February 1, 2006 |
| Description: | Mozilla Thunderbird 1.0.2, 1.0.6, and 1.0.7 have a GUI display truncation vulnerability. A user can be tricked into downloading a maliciously created attachment with a hidden filename extension and potentially execute the dangerous payload. |
| Alerts: | |
trac: cross-site scripting vulnerability
| Package(s): | trac |
| CVE #(s): | CVE-2005-4305 |
| Created: | January 26, 2006 |
| Updated: | February 1, 2006 |
| Description: | Trac, a web-based project management and bug tracking system, has a cross-site scripting vulnerability that may be exploited to execute arbitrary JavaScript code. |
| Alerts: | |
unalz: arbitrary code execution
| Package(s): | unalz |
| CVE #(s): | CVE-2005-3862 |
| Created: | January 30, 2006 |
| Updated: | February 1, 2006 |
| Description: | Ulf Härnhammer from the Debian Audit Project discovered that unalz, a decompressor for ALZ archives, performs insufficient bounds checking when parsing file names. This can lead to arbitrary code execution if an attacker provides a crafted ALZ archive. |
| Alerts: | |
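The unalz entry and the nfs-server entry above are two instances of the same C mistake: a length or a name taken from untrusted input (an archive header, an RPC mount argument) is copied into a fixed-size buffer without first checking that it fits. The following example is added here and is not unalz or nfs-server code; the record layout (a two-byte little-endian length followed by the name bytes) is a made-up stand-in for either format, chosen only to show the checks a parser needs.

```c
/* Added example, not unalz or nfs-server code: extracting a file name from
 * an untrusted, length-prefixed record into a fixed-size buffer with the
 * bounds checks in the right order.  The record format is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 255   /* bytes of name the destination buffer holds */

/* The unchecked pattern, kept only as a comment because it is the bug:
 *   memcpy(name, rec + 2, len); name[len] = '\0';
 * copies however many bytes the header claims, so any len > 255 writes
 * past the end of `name`. */

typedef enum {
    PARSE_SHORT    = -1,   /* record truncated: claims more than it carries */
    PARSE_TOO_LONG = -2,   /* name would not fit the destination buffer   */
    PARSE_BAD_CHAR = -3    /* embedded NUL: not a usable C string          */
} parse_status;

/* Copies the name from rec[0..reclen) into name (NAME_MAX_LEN + 1 bytes).
 * Returns the number of record bytes consumed, or a parse_status < 0. */
int parse_name_record(const uint8_t *rec, size_t reclen,
                      char name[NAME_MAX_LEN + 1])
{
    size_t len;

    if (reclen < 2)
        return PARSE_SHORT;
    len = (size_t)rec[0] | ((size_t)rec[1] << 8);   /* attacker-controlled */
    if (len > NAME_MAX_LEN)                           /* destination bound */
        return PARSE_TOO_LONG;
    if (len > reclen - 2)                             /* source bound */
        return PARSE_SHORT;
    if (memchr(rec + 2, '\0', len) != NULL)
        return PARSE_BAD_CHAR;
    memcpy(name, rec + 2, len);
    name[len] = '\0';
    return (int)(2 + len);
}

/* Builds a record for `s` (slen bytes) in out[0..outsz); used to construct
 * inputs.  Returns the record length, or 0 if it does not fit. */
size_t make_record(uint8_t *out, size_t outsz, const char *s, size_t slen)
{
    if (slen > 0xFFFF || outsz < 2 + slen)
        return 0;
    out[0] = (uint8_t)(slen & 0xFF);
    out[1] = (uint8_t)(slen >> 8);
    memcpy(out + 2, s, slen);
    return 2 + slen;
}

/* Wraps `s` in a record and parses it back; returns the parse result. */
int parse_status_of(const char *s, size_t slen)
{
    uint8_t rec[2 + 0xFFFF];
    char name[NAME_MAX_LEN + 1];
    size_t n = make_record(rec, sizeof rec, s, slen);
    return n ? parse_name_record(rec, n, name) : PARSE_SHORT;
}

/* Returns 1 if a well-formed name survives the round trip unchanged. */
int roundtrip_ok(const char *s)
{
    uint8_t rec[2 + 0xFFFF];
    char name[NAME_MAX_LEN + 1];
    size_t n = make_record(rec, sizeof rec, s, strlen(s));
    if (n == 0 || parse_name_record(rec, n, name) != (int)n)
        return 0;
    return strcmp(name, s) == 0;
}

/* Parses a record whose header claims `claimed` bytes but which actually
 * carries `actual` bytes of 'A'; this is how a crafted header looks. */
int parse_with_claimed_len(size_t claimed, size_t actual)
{
    uint8_t rec[4096];
    char name[NAME_MAX_LEN + 1];
    if (actual > sizeof rec - 2)
        return PARSE_SHORT;
    memset(rec + 2, 'A', actual);
    rec[0] = (uint8_t)(claimed & 0xFF);
    rec[1] = (uint8_t)(claimed >> 8);
    return parse_name_record(rec, 2 + actual, name);
}

int main(void)
{
    printf("honest 5-byte name:        %d\n", parse_with_claimed_len(5, 5));
    printf("claims 256, carries 256:   %d\n", parse_with_claimed_len(256, 256));
    printf("claims 65535, carries 10:  %d\n", parse_with_claimed_len(0xFFFF, 10));
    printf("claims 10, carries 5:      %d\n", parse_with_claimed_len(10, 5));
    printf("embedded NUL:              %d\n", parse_status_of("a\0b", 3));
    return 0;
}
```

Two details matter. The destination bound is checked before the source bound, so an oversized claim is rejected even when the input happens to be long enough to back it; and `len > reclen - 2` is only safe because `reclen < 2` was rejected first, otherwise the subtraction would wrap.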
Resources
Nmap 4.00 Released
Version 4.00 of the Nmap security scanner is out. The full announcement carries a long list of changes and new features. "A popular open source security scanner recently went proprietary, complaining that their community never contributes much. We are sorry to hear that, but happy to report that the Nmap community is as vibrant and productive as ever!" We hope to have a closer look at this release within the next two weeks.
John the Ripper 1.7 is out
Version 1.7 of John the Ripper, a password cracker, is out. Most of the changes would appear to be performance oriented: John is now a faster Ripper in many situations.
Page editor: Jonathan Corbet