Security
Brief items
The apache evasive maneuvers module
Jonathan Zdziarski announced the release of mod_dosevasive 1.8 at the beginning of September. mod_dosevasive is an apache module, licensed under the GPL, which enables a web server to detect certain kinds of denial-of-service attack and take appropriate action.
The core of mod_dosevasive is a set of hash tables keeping track of recent page requests. If a particular system (as identified by its IP address) starts requesting too many pages at once, or it requests the same page repeatedly too often, the module decides an attack is underway. The next request from that source will get back a 403 error response, and the site goes into the blacklist. The default blacklist period is ten seconds; each request received while the offending system is blacklisted extends its time there.
mod_dosevasive can also send notification email when it detects an attack, or execute an arbitrary command. The command capability is intended to make the module work with firewalls; rather than continually failing requests with 403 errors, an administrator can set up the firewall to simply block traffic from the attacking system altogether. That approach, clearly, will be more effective against large-scale distributed attacks where the real purpose is to consume bandwidth.
The mod_dosevasive web page has more information.
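To make the detection logic concrete, here is a small model of it in Python. This is added example code, not mod_dosevasive's own source; the threshold names, their defaults, the `events` hook standing in for the notification email or external command, and the request trace are all assumptions constructed for the demonstration.

```python
class DosEvasive:
    """Toy model of the detector described above: per-(client, page) and
    per-client request counters over short windows, a blacklist that answers
    403 and is extended by every request made while blocked, and a hook that
    stands in for the notification email / external command.
    Added example, not the module's code; names and defaults are assumptions."""

    def __init__(self, page_count=2, page_interval=1, site_count=50,
                 site_interval=1, blocking_period=10):
        self.page_count = page_count        # hits on one page within page_interval
        self.page_interval = page_interval
        self.site_count = site_count        # hits on any page within site_interval
        self.site_interval = site_interval
        self.blocking_period = blocking_period  # ten seconds, as in the text
        self.page_hits = {}   # (ip, uri) -> (window_start, count)
        self.site_hits = {}   # ip -> (window_start, count)
        self.blocked = {}     # ip -> time the blacklist entry expires
        self.events = []      # what the email/command hook would have reported

    def _count(self, table, key, now, interval):
        """Fixed-window counter: reset once the window has elapsed, then bump."""
        start, count = table.get(key, (now, 0))
        if now - start >= interval:
            start, count = now, 0
        count += 1
        table[key] = (start, count)
        return count

    def request(self, ip, uri, now):
        """Process one request; return the HTTP status the client would get."""
        expiry = self.blocked.get(ip)
        if expiry is not None:
            if now < expiry:
                # Still blacklisted: refuse and push the expiry out again.
                self.blocked[ip] = now + self.blocking_period
                return 403
            del self.blocked[ip]
        page = self._count(self.page_hits, (ip, uri), now, self.page_interval)
        site = self._count(self.site_hits, ip, now, self.site_interval)
        if page > self.page_count or site > self.site_count:
            self.blocked[ip] = now + self.blocking_period
            # Hook for notification email or a firewall command.
            self.events.append(("blacklisted", ip, now))
            return 403
        return 200


def replay(detector, trace):
    """Feed a (time, ip, uri) trace through the detector; return the status codes."""
    return [detector.request(ip, uri, t) for t, ip, uri in trace]


# Constructed trace: one client hammers a single page, another browses normally.
SAMPLE_TRACE = [
    (0, "192.0.2.10", "/index.html"),
    (0, "192.0.2.10", "/index.html"),
    (0, "192.0.2.10", "/index.html"),   # third hit in the window -> 403, blacklisted until t=10
    (1, "192.0.2.20", "/index.html"),   # unrelated client is unaffected
    (5, "192.0.2.10", "/about.html"),   # still blacklisted; expiry pushed out to t=15
    (15, "192.0.2.10", "/about.html"),  # blacklist has expired; served again
]

if __name__ == "__main__":
    detector = DosEvasive()
    print(replay(detector, SAMPLE_TRACE))
    print(detector.events)
```

The trace shows the two properties worth noting when tuning such a module: the blacklist is keyed on the source address, so a second client is never affected, and a blacklisted client that keeps retrying never gets out, since every refused request pushes the expiry forward.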
September CERT Summary
The September quarterly CERT Summary is out, discussing the security issues which are currently worth noting. Most notable this time around is the fact that Linux and free software do not figure into any of the problems covered. According to this summary, all of the serious security issues of the last three months affect only proprietary software. Enjoy it while it lasts.
New vulnerabilities
exim: buffer overflows
Package(s): exim exim-tls
CVE #(s): CAN-2003-0743
Created: September 5, 2003
Updated: October 1, 2003
Description: A buffer overflow exists in exim, which is the standard mail transport agent in Debian. By supplying a specially crafted HELO or EHLO command, an attacker could cause a constant string to be written past the end of a buffer allocated on the heap. This vulnerability is not believed at this time to be exploitable to execute arbitrary code.
Alerts:
inetd: DoS attack
Package(s): inetd
CVE #(s):
Created: September 8, 2003
Updated: September 10, 2003
Description: inetd has a hard-coded limit of 256 connections-per-minute, after which the given service is disabled for ten minutes. An attacker could use a quick burst of connections every ten minutes to effectively disable a service.
Once upon a time, this was an intentional feature of inetd, but in today's world it has become a bug. Even having inetd look at the source IP and try to limit only the source of the attack would be problematic since TCP source addresses are so easily faked.
Alerts:
mah-jong: buffer overflows, denial of service
Package(s): mah-jong
CVE #(s): CAN-2003-0705 CAN-2003-0706
Created: September 8, 2003
Updated: September 10, 2003
Description: Nicolas Boullis discovered two vulnerabilities in mah-jong, a network-enabled game.
CAN-2003-0705 (buffer overflow): This vulnerability could be exploited by a remote attacker to execute arbitrary code with the privileges of the user running the mah-jong server.
CAN-2003-0706 (denial of service): This vulnerability could be exploited by a remote attacker to cause the mah-jong server to enter a tight loop and stop responding to commands.
Alerts:
wu-ftpd: insecure program execution
Package(s): wu-ftpd
CVE #(s): CVE-1999-0997
Created: September 5, 2003
Updated: September 24, 2003
Description: wu-ftpd, an FTP server, implements a feature whereby multiple files can be fetched in the form of a dynamically constructed archive file, such as a tar archive. The names of the files to be included are passed as command line arguments to tar, without protection against them being interpreted as command-line options. GNU tar supports several command line options which can be abused, by means of this vulnerability, to execute arbitrary programs with the privileges of the wu-ftpd process.
Alerts:
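The wu-ftpd problem is a general one: any program that hands user-supplied names to a command-line tool must make sure they cannot be parsed as options. The Python below, an added example that is not wu-ftpd's code, contrasts the vulnerable argv construction with two hardened forms: one that validates names and uses tar's `--` end-of-options marker, and one that avoids a subprocess altogether by building the archive with the `tarfile` module. The served-directory root, the in-memory file set and the requested names are constructed sample values.

```python
import io
import os
import tarfile


class UnsafeFileName(ValueError):
    """A requested name looks like an option or leaves the served directory."""


def vulnerable_tar_argv(requested):
    """The pattern the advisory describes: names go straight onto tar's
    command line, so any name beginning with '-' is parsed as an option."""
    return ["tar", "-cf", "-"] + list(requested)


def validate_name(name, root):
    """Reject option-like names and names that escape the served root."""
    root = os.path.normpath(root)
    if not name or name.startswith("-"):
        raise UnsafeFileName("option-like name: %r" % name)
    full = os.path.normpath(os.path.join(root, name))
    if os.path.commonpath([root, full]) != root:
        raise UnsafeFileName("name escapes the served directory: %r" % name)
    return full


def hardened_tar_argv(requested, root):
    """Validated names, made relative to root, placed after '--' so GNU tar
    treats everything that follows as file names rather than options."""
    root = os.path.normpath(root)
    files = [os.path.relpath(validate_name(n, root), root) for n in requested]
    return ["tar", "-cf", "-", "-C", root, "--"] + files


# Constructed sample: a pretend FTP document root held in memory.
SAMPLE_FILES = {
    "README": b"public docs\n",
    "notes.txt": b"release notes\n",
}


def build_archive_in_process(requested, files=SAMPLE_FILES):
    """Safer still: no external tar at all. The archive is written with the
    tarfile module, so a name can never become a command-line option.
    Returns the archive as bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in requested:
            if not name or name.startswith("-") or name not in files:
                raise UnsafeFileName("refusing to archive %r" % name)
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archive_members(blob):
    """List the member names of a tar archive held in memory."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return tar.getnames()


if __name__ == "__main__":
    print(vulnerable_tar_argv(["README", "--not-a-file"]))
    print(hardened_tar_argv(["README"], "/srv/ftp"))
    print(archive_members(build_archive_in_process(["README", "notes.txt"])))
```

Of the two hardened forms, the in-process one is preferable where it is available: it removes the subprocess boundary entirely, so there is no option parser left to confuse, and the root check becomes a simple membership test.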
Resources
Linux Security Week
The September 8 Linux Security Week newsletter from LinuxSecurity.com is available.
Whitepaper - Blindfolded SQL Injection
WebCohort has announced the release of a white paper on "blindfolded SQL injection," a form of SQL injection attack that does not rely on extracting information from the target server's error messages.
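The practical lesson of that class of attack is that hiding database error messages is not a mitigation; only keeping user input out of the query text is. The following Python, an added example unrelated to the white paper's own material, shows a string-built lookup that swallows every database error next to a parameterized one, plus a defender-side regression check that flags a lookup whose result changes when its argument carries an embedded SQL condition. The in-memory SQLite table, its rows and the probe strings are constructed sample values.

```python
import sqlite3


def make_db():
    """Constructed sample database for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    return conn


def lookup_vulnerable(conn, name):
    """String-built query. Errors are swallowed so nothing is reported back,
    which is exactly the setting the 'blindfolded' technique works in: the
    query still executes whatever the input turns it into."""
    try:
        sql = "SELECT name FROM users WHERE name = '%s'" % name
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return []


def lookup_parameterized(conn, name):
    """Bound parameter: the input is data, never SQL, whatever it contains."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def differs_on_boolean_probe(lookup, conn):
    """Defender-side check for a data-access function: two inputs that name no
    existing user and differ only in an embedded SQL condition must produce the
    same (empty) result. Returns True when the lookup is injectable."""
    true_probe = "nosuchuser' OR 'a'='a"
    false_probe = "nosuchuser' OR 'a'='b"
    return lookup(conn, true_probe) != lookup(conn, false_probe)


if __name__ == "__main__":
    db = make_db()
    print("string-built injectable:", differs_on_boolean_probe(lookup_vulnerable, db))
    print("parameterized injectable:", differs_on_boolean_probe(lookup_parameterized, db))
```

A check like `differs_on_boolean_probe` belongs in the unit tests of any code that builds queries, since it catches the defect independently of whether error output is visible.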
Page editor: Jonathan Corbet