

News and editorials

Security in New Places. This week, we took a look at a security report on a commercial product based on Linux. Stephen Friedl placed a posting on BugTraq regarding security problems he saw in Standard and Poor's Comstock's multiCSP, used within a virtual private network to provide real-time stock quotes. This was not the first such report; Kevin Kadow posted a similar, though less scathing review of the security of these systems in March, after contacting the company about the problems in January.

Following the thread, it appears that Standard and Poor's was slow to respond to these security reports. A version of the server "burned" in February had, indeed, somewhat improved security, but a customer letter was not sent until yesterday, May 24th. No effort appears to have been made to fix already deployed servers in the meantime.

We contacted Standard and Poor's last week and received a response from them yesterday. They were not yet ready to acknowledge the accuracy of Stephen's original report, in which he documents being able to access and obtain root access on other mCSPs on the VPN after gaining root access on the initial device. They did promise to quickly address other reported security problems, but of course, having been slow to respond to them so far, only the availability of complete fixes in the near future will fulfill this promise.

They also stated that they were actively pursuing the issue with Stephen to see if the remote access vulnerability could be confirmed (at which point, they promised to address the problem swiftly). A quick check with Stephen elicited the information that they had indeed contacted him to follow up the report -- after our phone call. We expect that Stephen's report will be verified.

Meanwhile, CNet posted an article Wednesday, entitled, "Flaws in S&P service could put companies' data at risk". Standard and Poor's had run out of time to deal with the reported security problem before facing adversarial media scrutiny.

This is an example of education through experience. Security issues have real consequences and one area where they can have impact is the potential undermining of customer trust. Enabling clear procedures for handling security reports, verifying them in a timely fashion and keeping customers and the public informed can minimize the potential damage. Standard and Poor's Comstock just had an object lesson to this effect. They get little sympathy from BugTraq members, who have previously educated companies in many other industries and situations. They will get even less if these problems are not addressed in the near future.

Web-site defacements, sorted by OS. Attrition.org has made available an interesting set of charts. Provided are moving 29-day averages of the number of reported web-site defacements, sorted by operating system. Add this to your statistical fodder, for comparing the security of various operating systems. Of course, the preponderance of defacements on Microsoft-based servers could be based on personal biases of the defacers, rather than the ease of the defacement.

Sendmail, Inc. on ILOVEYOU. Sendmail, Inc. has issued this press release stating that the ILOVEYOU virus attack demonstrates the need for server-level protection of the variety that is available from, well, Sendmail, Inc. Those who read closely will note the absence of a claim that Sendmail's products would have actually prevented the ILOVEYOU episode.

Sendmail, Inc. has also announced the opening of an office in Germany.

Guide to Home Networking (justLinux). Here's a look at home-network security from justLinux. "Now, the network's probably not bulletproof, but it is tighter than before the attack. It's about 3 a.m. by the time I get back online. I head to bed feeling like I've done all I could do to stop further attacks. Little did I know that intruders had already set up residency on my box." (Thanks to Jay R. Ashworth)

Security Reports

Xserver: nasty denial-of-service vulnerability. Chris Evans reported a nasty denial-of-service vulnerability in XFree86-3.3.5 where a malformed packet sent to port 6000 TCP causes the Xserver to lock up the system. This has been confirmed on Red Hat 6.2 and OpenLinux 2.3 and 2.4. For more information, check the SecurityFocus database entry. Note that the problem also occurs with XFree86-3.3.6 and XFree86-4.0, though the behavior is slightly different.

qpopper 2.53. Both the FreeBSD and Linux versions of qpopper 2.53 are reportedly exploitable and can be made to provide a remote attacker with shell access (uid=mail). An upgrade to qpopper 3.1 is recommended. Note that not everyone is comfortable with the security of 3.1, which is still in beta.

fdmount. Arend-Jan Wijtzes reported an exploitable buffer overflow in fdmount. The potential exploit requires that fdmount be installed suid root and is only exploitable by someone in the "floppy" group. An exploit has been published. Slackware 4.0 and 7.0 and Linux-Mandrake 7.0 were reported vulnerable. Slackware 3.5 and Debian 2.X were reported not vulnerable.

PGP 5.0. A security flaw has been reported in the Linux and some BSD implementations of the PGP 5.0 protocol. PGP 2.X and 6.5 are reported not to share this problem.

MDBMS. A remote exploit for MDBMS has been published on the BugTraq mailing list, along with an unverified patch to fix the problem.

gdm. A buffer overflow vulnerability has been reported in Gnome gdm. No distributions have been found vulnerable so far because they are shipped with "Enable=0" in the gdm configuration file. You may be impacted if you compiled Gnome from source. Modifying the configuration file will resolve the problem. Check the SecurityFocus vulnerability database entry for more details.

Commercial products. The following commercial products were reported to contain vulnerabilities:


mailman. The mailman mailing list manager, as shipped with Red Hat Secure Web Server 3.0, 3.1 and 3.2, is reported to contain several security vulnerabilities (no details provided). An upgrade to mailman-2.0beta2 is recommended to close these holes.

dump. Security-related buffer overflows in dump were reported originally in the March 2nd, 2000 LWN Security Summary. For more details, check the SecurityFocus database entry.

Kerberos. We mentioned that multiple, exploitable buffer overruns had been reported in the MIT and Cygnus Kerberos implementations in last week's Security Summary. This week, an additional Kerberos patch was provided. This will only be needed if you are compiling krb5-1.1.1 from source with the "--without-krb4" option. If you are, be sure to apply the patch. The results without it are reported to be "disastrous".

CERT has also issued an advisory regarding the Kerberos vulnerabilities. It contains additional information about the NetBSD and OpenBSD Kerberos implementations, which are based on the KTH implementation and are therefore believed not to be vulnerable. Chris Evans also posted a followup, with information on other potential problems with Kerberos that he reported a few weeks ago.

Netscape SSL. Problems in the manner that Netscape handled invalid SSL certificates have been fixed in Netscape 4.73. Check last week's Security Summary for details.

lynx. After a series of reported security problems with the lynx text-based web browser dating back to September of 1999, the code has at last undergone a thorough audit. The latest version, lynx-2.8.3pre.5, is believed to close all major holes.

xemacs. A couple of problems in xemacs have been fixed, including the insecure creation of temporary files and snooping of other users' keystrokes. Although not confirmed, these may be related to similar problems reported with emacs in April.

gnapster/knapster. For more information, check out the security report in last week's Security Summary.

openldap tmplink vulnerability. A tmplink vulnerability was reported in openldap. Check the April 27th LWN Security Summary or Red Hat Bugzilla ID 10714 for more details.


OpenSSH Linux port. A new version of the Linux port of OpenSSH has been released. It includes a large number of bugfixes.

checkps. Development on checkps, a Linux rootkit detector, has recommenced. A new version is now available via CVS, containing a fix for a non-exploitable buffer overrun, in addition to other small fixes and features.


June security events.

June 12-14, 2000. NetSec 2000, San Francisco, California, USA.

June 25-30, 2000. 12th Annual First Conference, Chicago, Illinois, USA.

June 27-28, 2000. CSCoRE 2000, "Computer Security in a Collaborative Research Environment", Long Island, New York, USA.

Section Editor: Liz Coolbaugh

May 25, 2000


Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds