
Security

Brief items

The police tap JAP

The Java Anonymous Proxy project is developing a proxy system which enables users to access web sites in an anonymous manner. The JAP code is distributed under a BSD-like license. The JAP project also runs a set of servers which provide the actual anonymous web access.

It turns out, however, that access is not always anonymous; the JAP system went down for a few days in mid-August for the addition of new "security features." Those features, it seems, include a means by which the German police can determine the real originating IP address for accesses to a destination site of their choice. This access requires the usual formalities - court orders and such - but it does, regardless, violate the spirit of an anonymous proxy system. This is the sort of thing that users of an anonymous proxy are trying to get away from.

Since JAP is free software, people who were paying attention were able to see the new "security features" as they were checked in to the CVS repository. This transparency is, of course, one of the reasons why we like free software in the first place. We should remember, however, that there was nothing forcing the JAP developers to commit their changes to a public repository, and there is still no assurance that the JAP servers are running the same software as that found in the repository or on the download site. Entrusting your privacy to a remote system over which you have no control remains a risky thing to do.

See the JAP project's press release for more information on this incident.

Comments (5 posted)

The most over- and under-rated vulnerabilities

ITSecurity.com has published a look at the most over- and under-rated vulnerabilities, as determined by Harris Corporation. The list is worth a look; it is an attempt to clarify where the real risks lie. Besides, a couple of the entries are rather amusing.

So what are the overrated vulnerabilities? A few selections from the list include:

  • PGP vulnerabilities. As the authors assert, there is no known case of somebody having actually broken PGP's encryption.

  • SNMP; "As long as the default community strings have been changed, SNMP should be fairly safe. Actual exploitation using SNMP has been rare."

  • Cross-site scripting. Actual cross-site scripting exploits are rare; there is usually a more direct route to what the crackers want.

  • Gopher vulnerabilities. Evidently some people are still concerned about Gopher holes.

So, rather than running out to patch that Gopher server, what should you really be worried about? The list includes:

  • Remote procedure call vulnerabilities. RPC remains dangerous, and certainly should not be exposed to the internet.

  • Wireless networks which are easy to find and penetrate, and which often live inside firewalls.

  • Keystroke loggers and spyware.

  • WebDAV servers. This one makes the list mostly due to the potential of compromising the web server, and (on Windows, at least) thus the whole machine.

Interestingly, virus-susceptible email systems do not make the list, despite the fact that this type of vulnerability has probably created more in the way of security costs - especially recently - than any other. Clearly this vulnerability is underrated, given that it remains unclosed after all these years. Risk, evidently, is still in the eye of the beholder.

Comments (2 posted)

New vulnerabilities

GDM allows local user to read any file

Package(s): GDM, XDMCP
CVE #(s): CAN-2003-0547 CAN-2003-0548 CAN-2003-0549
Created: August 21, 2003    Updated: August 29, 2003
Description: GDM is the GNOME Display Manager for X.

Versions of GDM prior to 2.4.1.6 contain a bug in the "examine session errors" feature: GDM opens and displays the user's ~/.xsession-errors file while still running as root. A local user who replaces that file with a symlink can therefore have root open whatever the link points at, and read any text file on the system. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0547 to this issue.

Additional problems in GDM's handling of the X Display Manager Control Protocol (XDMCP) allow a denial of service attack (DoS) by crashing the gdm daemon. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2003-0548 and CAN-2003-0549 to these issues.
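The symlink problem above is a general one: a privileged process that opens a path under an unprivileged user's control must not follow links, and must check the object it actually opened rather than the name it was given. The following is an added illustration written for this page, not GDM's code; the function names, the temporary-directory layout and the ownership rule are assumptions chosen to make the example self-contained. It puts the vulnerable open() beside a hardened variant and exercises both against a constructed symlink. (The more thorough fix for a display manager is to do the reading as the user rather than as root; the check shown here is the minimum a root-side reader needs.)

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (the class of bug in CAN-2003-0547, not GDM's code):
 * a root process opens a path under the user's control with a plain open(),
 * which follows symlinks.  If the user has replaced ~/.xsession-errors with
 * a symlink to, say, /etc/shadow, root opens /etc/shadow and shows it back. */
int open_session_errors_unsafe(const char *path)
{
    return open(path, O_RDONLY);
}

/* Hardened variant: refuse a symlink at the final component (O_NOFOLLOW
 * makes open() fail with ELOOP), then check the *opened descriptor* with
 * fstat(), so the check and the use refer to the same object and a
 * rename/relink race between them cannot help the attacker.  The file must
 * be a regular file owned by the user whose session we are examining. */
int open_session_errors_safe(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario (assumed layout): a "secret" file, a genuine log file
 * and a .xsession-errors symlink pointing at the secret, in a fresh temp dir.
 * Returns 1 when the unsafe open follows the link, the safe open refuses it
 * and the safe open still accepts the genuine file; 0 otherwise. */
int demo(void)
{
    char dir[] = "/tmp/xsess-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char secret[300], real[300], link[300];
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(real, sizeof real, "%s/real-xsession-errors", dir);
    snprintf(link, sizeof link, "%s/.xsession-errors", dir);

    int ok = 0;
    int s = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int r = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (s >= 0 && r >= 0 && symlink(secret, link) == 0) {
        int fd_unsafe = open_session_errors_unsafe(link);        /* follows the link */
        int fd_link = open_session_errors_safe(link, getuid());  /* must fail: ELOOP */
        int fd_real = open_session_errors_safe(real, getuid());  /* must succeed */
        ok = fd_unsafe >= 0 && fd_link < 0 && fd_real >= 0;
        if (fd_unsafe >= 0) close(fd_unsafe);
        if (fd_real >= 0) close(fd_real);
    }
    if (s >= 0) close(s);
    if (r >= 0) close(r);
    unlink(link); unlink(real); unlink(secret); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink defence %s\n", demo() ? "works" : "FAILED");
    return 0;
}
```

Note that the ownership check alone is not enough: a user owns their own symlink, so lstat()-style checks on the name are exactly what a relink race defeats. Refusing to follow at open time and then inspecting the descriptor closes that window.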

Alerts:
Conectiva CLA-2003:729 gdm 2003-08-29
Slackware SSA:2003-236-01 gdm 2003-08-24
Mandrake MDKSA-2003:085 gdm 2003-08-21
Red Hat RHSA-2003:258-01 GDM 2003-08-21

Comments (none posted)

libpam-smb: exploitable buffer overflow

Package(s): libpam-smb, pam-smb
CVE #(s): CAN-2003-0686
Created: August 26, 2003    Updated: October 1, 2003
Description: libpam-smb is a PAM authentication module which makes it possible to authenticate users against a password database managed by Samba or a Microsoft Windows server. If a long password is supplied, it overflows a fixed-size buffer; since the password is attacker-supplied and the module runs inside whatever process is performing the authentication, this could be exploited to execute arbitrary code with the privileges of that process, which for login services such as sshd or su is root. See this advisory for more information.
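The advisory gives no more detail than "a long password overflows a buffer", so the following is an added example of that bug class written for this page, not libpam-smb's code: the buffer size, field names and the PAM-style return values are assumptions. It shows the unchecked copy beside a bounded one that rejects oversized input before touching the buffer, and checks the bounded version against a constructed 4 KB "password".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASSWORD_MAX 128   /* assumed size of the module's password buffer */

/* Vulnerable pattern: the caller-supplied password is copied into a fixed
 * buffer with no length check.  A password of PASSWORD_MAX bytes or more
 * writes past the end of buf.  Inside a PAM stack that is usually a root
 * process (sshd, login, su), so the overflow is a privilege-escalation
 * primitive for anyone who can reach the login prompt.  Never call this on
 * untrusted input; it is here only to show the shape of the bug. */
void copy_password_unsafe(char buf[PASSWORD_MAX], const char *password)
{
    strcpy(buf, password);
}

/* Hardened variant: measure with an upper bound first, refuse anything that
 * does not fit (no real Windows or Samba password is this long), and only
 * then copy.  Returning failure and letting PAM report "authentication
 * failed" is the correct outcome for an oversized credential. */
int copy_password_safe(char buf[PASSWORD_MAX], const char *password)
{
    size_t n = strnlen(password, PASSWORD_MAX);
    if (n >= PASSWORD_MAX) {
        buf[0] = '\0';
        return -1;
    }
    memcpy(buf, password, n + 1);   /* n + 1 copies the terminating NUL */
    return 0;
}

/* Constructed inputs: an ordinary password and a 4095-byte one.
 * Returns 1 if the ordinary one round-trips intact and the oversized one
 * is rejected; 0 otherwise. */
int demo_bounded_copy(void)
{
    char buf[PASSWORD_MAX];
    char *big = malloc(4096);
    if (big == NULL)
        return 0;
    memset(big, 'A', 4095);
    big[4095] = '\0';

    int normal_ok = copy_password_safe(buf, "correct horse battery") == 0
                    && strcmp(buf, "correct horse battery") == 0;
    int big_rejected = copy_password_safe(buf, big) == -1 && buf[0] == '\0';

    free(big);
    return normal_ok && big_rejected;
}

int main(void)
{
    printf("bounded password copy %s\n", demo_bounded_copy() ? "works" : "FAILED");
    return 0;
}
```

The length bound should come from the protocol the module speaks, not from the local buffer, so that a value rejected here is one the remote server would also have refused; that keeps the check from silently truncating a legitimate credential.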

CAN-2003-0686

Alerts:
Conectiva CLA-2003:734 pam_smb 2003-09-05
SuSE SuSE-SA:2003:036 pam_smb 2003-09-03
Gentoo 200309-01 pam_smb 2003-09-01
Red Hat RHSA-2003:261-01 pam_smb 2003-08-26
Debian DSA-374-1 libpam-smb 2003-08-26

Comments (1 posted)

sendmail: bad DNS reply causes crash

Package(s): sendmail
CVE #(s): CAN-2003-0688
Created: August 26, 2003    Updated: October 1, 2003
Description: A malformed DNS reply can crash sendmail 8.12.8 and earlier 8.12.x versions when DNS maps are in use. The bug did not exist in versions before 8.12, as the DNS map type is new to 8.12. It was fixed in 8.12.9, released March 29, 2003, although many distributions shipped 8.12.8 with backported fixes and have only now picked this one up. See this advisory for more information.

CAN-2003-0688

Alerts:
Conectiva CLA-2003:727 sendmail 2003-08-29
Red Hat RHSA-2003:265-01 sendmail 2003-08-28
OpenPKG OpenPKG-SA-2003.037 sendmail 2003-08-28
SuSE SuSE-SA:2003:035 sendmail 2003-08-26
Mandrake MDKSA-2003:086 sendmail 2003-08-26

Comments (none posted)

vmware-workstation: vulnerability allows full host access

Package(s): vmware-workstation
CVE #(s): CAN-2003-0480 CAN-2003-0631
Created: August 25, 2003    Updated: September 2, 2003
Description: According to this advisory vulnerabilities exist in VMware GSX Server 2.5.1 and earlier, and in VMware Workstation 4.0 and earlier releases. "By manipulating the VMware GSX Server and VMware Workstation environment variables, a program such as a shell session with root privileges could be started when a virtual machine is launched. The user would then have full access to the host."

See also CAN-2003-0480 and CAN-2003-0631

Alerts:
Gentoo 200308-03.1 vmware 2003-09-01
Gentoo 200308-03 vmware-workstation 2003-08-25

Comments (1 posted)

Resources

Developing secure programs (developerWorks)

David A. Wheeler begins a new security column series on developerWorks. "This first installment of the Secure programmer column introduces the basic ideas of how to write secure applications and discusses how to identify the security requirements for your specific application. Future installments will focus on different common vulnerabilities and how to prevent them."

Comments (none posted)

Page editor: Jonathan Corbet


Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds