
Security

Brief items

The networking hash vulnerability

Most Linux kernels have a slightly different sort of vulnerability in the networking subsystem. For most users, the new problem is nothing to be particularly worried about. For systems that export important services to the net (web servers, for example), however, this one is worth paying attention to.

The networking code maintains a number of internal hash tables to speed lookups: one, for example, is used to quickly find the route to a remote system; another is used by the netfilter connection tracking code. The problem is that the hash function used for these tables is predictable, and its inputs can be influenced by outsiders. In particular, a suitably clever attacker can, through careful choice of (forged) source addresses, create a great many entries in a single hash chain.

Once a chain gets long, the kernel will begin to take a long time to look up each packet that hashes to that chain. This behavior enables a simple denial of service attack: send a bunch of packets with the right addresses and watch the target system slow to a crawl. By exploiting this vulnerability, an attacker can get many of the effects of a large, distributed denial of service attack without having to arrange the "distributed" part - a single system will do.

Fixing the problem is a simple matter of picking a better hash function which does not have such predictable behavior. Patches are available for the 2.4 kernel, though, as of this writing, few vendors have released updates; this LWN vulnerability entry will track the updates as they are received. The 2.4.21-rc2 and 2.5.69 kernels also contain the fix - but nobody should be running important services on either of those.
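To make the mechanism concrete, here is an added example; it is not LWN's text and not kernel code. It builds a small chained hash table of (source, destination) address pairs and measures the longest chain under two hash functions: an unkeyed address fold, which stands in for the predictable function the item describes, and the same lookup with a secret mixed in before hashing, which is the shape of the fix. The fold, the multiply/xorshift mixer, the table size and the addresses are all assumptions constructed for the demonstration; the kernel fix itself used a Jenkins hash seeded with a random value.

```c
/* Added example (not from LWN or the kernel sources): a small chained hash
 * table keyed on (source, destination) address pairs, compared under an
 * unkeyed, predictable hash and under the same lookup with a secret mixed in.
 * All address values below are constructed for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HASH_BITS 8
#define HASH_SIZE (1u << HASH_BITS)
#define HASH_MASK (HASH_SIZE - 1u)

/* Unkeyed hash: folds the two addresses together. Anyone who knows the
 * function can pick source addresses that all fall into one bucket. */
static unsigned hash_unkeyed(uint32_t saddr, uint32_t daddr)
{
    uint32_t h = saddr ^ daddr;
    h ^= h >> 16;
    h ^= h >> 8;
    return h & HASH_MASK;
}

/* Keyed hash: the same inputs are mixed with a secret chosen once at
 * start-up, so bucket placement cannot be predicted without the secret.
 * (Assumption: a multiply/xorshift finaliser stands in for the kernel's
 * Jenkins hash; the point is the secret, not the particular mixer.) */
static unsigned hash_keyed(uint32_t saddr, uint32_t daddr, uint32_t secret)
{
    uint64_t h = ((uint64_t)saddr << 32) | daddr;
    h ^= (uint64_t)secret * 0x9E3779B97F4A7C15ull;
    h ^= h >> 30; h *= 0xBF58476D1CE4E5B9ull;
    h ^= h >> 27; h *= 0x94D049BB133111EBull;
    h ^= h >> 31;
    return (unsigned)(h & HASH_MASK);
}

/* Collect `want` source addresses that the unkeyed hash places in bucket
 * `target` for a fixed destination: this is the predictability the item
 * describes. Returns the number collected. */
static size_t colliding_sources(uint32_t *out, size_t want,
                                uint32_t daddr, unsigned target)
{
    size_t n = 0;
    for (uint32_t s = 1; n < want && s != 0; s++)
        if (hash_unkeyed(s, daddr) == target)
            out[n++] = s;
    return n;
}

/* Insert every (saddr, daddr) pair into the table and report the longest
 * chain, which bounds the worst-case lookup cost. */
static unsigned longest_chain(const uint32_t *saddrs, size_t n, uint32_t daddr,
                              int keyed, uint32_t secret)
{
    unsigned counts[HASH_SIZE] = {0}, worst = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned b = keyed ? hash_keyed(saddrs[i], daddr, secret)
                           : hash_unkeyed(saddrs[i], daddr);
        if (++counts[b] > worst)
            worst = counts[b];
    }
    return worst;
}

/* Build a set of `n` sources that collide under the unkeyed hash for one
 * destination and return the longest chain they produce under the chosen
 * hash: n for the unkeyed table, close to n / HASH_SIZE for the keyed one. */
unsigned crafted_set_longest_chain(size_t n, int keyed, uint32_t secret)
{
    const uint32_t daddr = 0x0A000001u; /* constructed: 10.0.0.1 */
    uint32_t *srcs = malloc(n * sizeof *srcs);
    if (!srcs)
        return 0;
    size_t got = colliding_sources(srcs, n, daddr, 0);
    unsigned worst = longest_chain(srcs, got, daddr, keyed, secret);
    free(srcs);
    return worst;
}

int main(void)
{
    /* In a real system the secret comes from the kernel's random pool at
     * boot; a fixed value is used here so the run is reproducible. */
    const uint32_t secret = 0x5EC2E7u;
    printf("unkeyed hash, 1000 crafted sources: longest chain = %u\n",
           crafted_set_longest_chain(1000, 0, secret));
    printf("keyed hash,   1000 crafted sources: longest chain = %u\n",
           crafted_set_longest_chain(1000, 1, secret));
    return 0;
}
```

The unkeyed table degenerates into a single 1000-entry chain, so every lookup that lands there walks all of it; the keyed table spreads the same inputs across the 256 buckets, and without the secret there is no way to choose inputs that do otherwise. Note that the keyed hash must be reseeded per boot (or periodically) for this to hold, which is why the kernel's fix draws its seed from the random pool rather than compiling one in.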

Comments (5 posted)

May CRYPTO-GRAM newsletter

Bruce Schneier's CRYPTO-GRAM newsletter for May is out; it looks at encryption and wiretapping, using unique email addresses for spam avoidance, and cash register receipts. "This wiretapping report provides hard evidence that a closed security design methodology -- the 'trust us because we know these things' way of building security products -- doesn't work. The U.S. government hasn't encountered a telephone encryption product that they couldn't easily break."

Full Story (comments: 1)

Oops

Two weeks ago, this page reported that OpenBSD does not yet have executable stack protection on the x86 architecture. That statement, as it turns out, aligns poorly with reality. OpenBSD has had non-executable stacks since 3.2; what it does not (yet) have is protection for the other data areas - that is the protection offered by the "W^X" technology in OpenBSD 3.3, but which will not be available for x86 until the 3.4 release. We blew it, and we regret the error.

Comments (2 posted)

New vulnerabilities

cdrecord: format string vulnerability

Package(s): cdrecord    CVE #(s): CAN-2003-0289
Created: May 16, 2003    Updated: May 21, 2003
Description: A format string vulnerability in scsiopen.c of the cdrecord program in cdrtools 2.0 allows local users to gain privileges via format string specifiers in the "dev" parameter.
Alerts:
Mandrake   MDKSA-2003:058-1   cdrecord   2003-05-21
Gentoo     200305-06          cdrtools   2003-05-18
Mandrake   MDKSA-2003:058     cdrecord   2003-05-15

Comments (none posted)

gnupg: key validation

Package(s): gnupg    CVE #(s): CAN-2003-0255
Created: May 16, 2003    Updated: November 18, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID.
Alerts:
SCO Group    CSSA-2003-034.0         gnugpg   2003-11-17
Conectiva    CLA-2003:694            gnupg    2003-07-11
Yellow Dog   YDU-20030602-4          gnupg    2003-06-02
Mandrake     MDKSA-2003:061          gnupg    2003-05-22
Slackware    ssa:2003-141-04         gnupg    2003-05-22
Red Hat      RHSA-2003:175-01        gnupg    2003-05-20
Gentoo       200305-04               gnupg    2003-05-16
OpenPKG      OpenPKG-SA-2003.029     gnupg    2003-05-16
EnGarde      ESA-20030515-016        gnupg    2003-05-15

Comments (none posted)

lv: privilege escalation

Package(s): lv    CVE #(s): CAN-2003-0188
Created: May 16, 2003    Updated: June 4, 2003
Description: Leonard Stiles discovered that lv, a multilingual file viewer, would read options from a configuration file in the current directory. Because such a file could be placed there by a malicious user, and lv configuration options can be used to execute commands, this represented a security vulnerability. An attacker could gain the privileges of the user invoking lv, including root.
Alerts:
Yellow Dog   YDU-20030602-6     lv   2003-06-02
Gentoo       200305-07          lv   2003-05-19
Red Hat      RHSA-2003:169-01   lv   2003-05-16
Debian       DSA-304-1          lv   2003-05-15
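The lv problem is a general one: any program that picks up an options file from the current directory, or that parses a file without checking who can write to it, hands control to whoever got there first. As an added example (not lv's code, and the file names and locations are assumptions), the following C program looks for a configuration file only in the user's home directory and a fixed system location, never the current directory, and accepts a candidate only if it is a regular file owned by the invoking user or root and writable by nobody else. It includes a self-check that creates a safe file, a world-writable file and a symlink, and confirms that only the first is accepted.

```c
/* Added example (not lv's code): locate a per-user configuration file
 * without ever consulting the current directory, and accept it only if it
 * is a regular file owned by the invoking user (or root) and not writable
 * by anyone else. Paths and names below are assumptions for the demo. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Return 1 if `path` is safe to parse as configuration, 0 otherwise.
 * lstat() is used so a symlink planted in place of the file is rejected
 * rather than silently followed. */
int config_file_is_trusted(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;                        /* no symlinks, FIFOs, devices */
    if (st.st_uid != getuid() && st.st_uid != 0)
        return 0;                        /* someone else's file */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                        /* others could edit the options */
    return 1;
}

/* Fill `out` with the first trusted config path among the fixed candidate
 * locations. The current directory is deliberately not a candidate. */
int find_config(char *out, size_t outlen)
{
    const char *home = getenv("HOME");
    const char *sysconf = "/etc/lv.conf";      /* assumed system-wide location */
    if (home) {
        snprintf(out, outlen, "%s/.lv", home); /* assumed per-user name */
        if (config_file_is_trusted(out))
            return 1;
    }
    snprintf(out, outlen, "%s", sysconf);
    return config_file_is_trusted(out);
}

/* Self-check: create a safely-permissioned file, a world-writable file and
 * a symlink to the safe file, and confirm that only the first is accepted.
 * Returns 1 if the checks behave as expected. Files live in /tmp and are
 * removed again. */
int self_test(void)
{
    char safe[] = "/tmp/lvconf-safe-XXXXXX";
    char loose[] = "/tmp/lvconf-loose-XXXXXX";
    char link[] = "/tmp/lvconf-link-XXXXXX";
    int fd1 = mkstemp(safe), fd2 = mkstemp(loose);
    if (fd1 < 0 || fd2 < 0)
        return 0;
    close(fd1);
    close(fd2);
    int ok = 1;
    if (chmod(safe, 0600) != 0 || !config_file_is_trusted(safe))
        ok = 0;                          /* 0600, own file: must be accepted */
    if (chmod(loose, 0666) != 0 || config_file_is_trusted(loose))
        ok = 0;                          /* world-writable: must be rejected */
    int fd3 = mkstemp(link);             /* reserve a name, then replace it */
    if (fd3 >= 0) {
        close(fd3);
        unlink(link);
        if (symlink(safe, link) == 0 && config_file_is_trusted(link))
            ok = 0;                      /* symlink to a good file: rejected */
        unlink(link);
    }
    unlink(safe);
    unlink(loose);
    return ok;
}

int main(void)
{
    char path[4096];
    printf("self test: %s\n", self_test() ? "ok" : "FAILED");
    if (find_config(path, sizeof path))
        printf("would read configuration from %s\n", path);
    else
        printf("no trusted configuration file found; using defaults\n");
    return 0;
}
```

The ownership and mode checks are a second line of defence; the first is simply not looking in the current directory at all, since a file there tells you nothing about who wrote it. Programs that must honour a per-directory file (editors with modelines are the usual case) should at least refuse to run commands from it.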

Comments (none posted)

sendmail: insecure temporary files

Package(s): sendmail    CVE #(s):
Created: May 16, 2003    Updated: May 20, 2003
Description: Paul Szabo discovered bugs in three scripts included in the sendmail package where temporary files were created insecurely (expn, checksendmail and doublebounce.pl). These bugs could allow an attacker to gain the privileges of a user invoking the script (including root).
Alerts:
Debian   DSA-305-1   sendmail   2003-05-15

Comments (none posted)

Resources

Security Flaw Shows Microsoft Passport Identities Can't Be Trusted (ZDNet)

ZDNet is running a Gartner pronouncement on the security of online identity services in the light of the Passport vulnerability. "This discovery deals a major blow to Microsoft and the Liberty Alliance, which have not yet succeeded in getting the consumer e-commerce market to accept identity services of this type. Gartner surveys have shown that consumers and enterprises have already seen more risk than value in Passport and Liberty."

Comments (2 posted)

LinuxSecurity.com newsletters

New issues of the Linux Advisory Watch and Linux Security Week newsletters from LinuxSecurity.com are available.

Comments (none posted)

Page editor: Jonathan Corbet

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds