See also: last week's Security page.

News and Editorials

Buzz on Intel's CDSA software. Intel introduced an open source software implementation which they're calling CDSA - Common Data Security Architecture.

CDSA, developed by Intel's Architecture Lab, is a specification for the creation of interoperable, security-enabled, e-Business applications. CDSA allows applications to gain access to security services like encryption, biometrics, and the management of digital certificates and authorization credentials.

In a related announcment, Caldera and Bull announced their support of this new software.

So what is this thing? According to Intel's Developers website:

CDSA is a security middleware specification and reference implementation that is open source, cross-platform, interoperable, extensible, and freely exportable**. The Open Group (TOG) has adopted CDSA as an Open Group Technical Standard that successfully completed TOG formal consensus process for member acceptance and approval. CDSA is a set of layered security services that is enabling a new generation of interoperable e-Business solutions for the Internet.

"Exportable" except to those countries which the US currrently has embargoes against. Anyway, CDSA is essentially an API from which developers, especially Web-based developers, can make use of existing security technologies such as the Public Key Encryption Standard (PKCS).

While a useful addition to the toolsets available to programmers for making use of secure processing across network connections, it's not a pancea for security. It won't, for example, deal with the all too common issues of format string buffer overflows. These are two unrelated types of vulnerabilities. Format string bugs are problems associated in how an API is used - CDSA is just an API for accessing services which provide secure transactions.

Since Intel has open-sourced CDSA we may be hearing more about this in the near future.

Open source carnivore. ZDNet took a look this week at Network ICE's Altivore, an open source snooping package meant to be a replacement for the FBI's Carnivore. "The program currently only consists of source code and may be buggy, the company said on its Web site. However, Robert Graham, chief technology officer for the San Mateo, Calif., company, believes that the open-source community will quickly get the code ship-shape, as well as add new features to it."

Without irony, the article concludes with: "So far, the open-source community has largely remained silent on the source code."

LinuxNewbie also carried a brief discusson on the same subject.

Red Hat GLINT symlink vulnerability. glint, Red Hat's original graphical configuration tool, blindly follows a symlink in /tmp, overwriting the target file, so it can conceivably be used to destroy any file on the system. The problem affects Red Hat 5.2 only since glint doesn't work with RPM 3.0 or later. On systems with RPM 3.0 or later, just remove the package to eliminate the problem.

Note that glint is not delivered with most non-Red Hat derived distributions of Linux. For example, SuSE would not be affected by this problem. SuSE does note that...:

...the "xglint" package that is on newer SuSE distributions is an accelerated X-server for GLINT/PERMEDIA/PERMEDIA-2 based graphics cards and has nothing to do with the glint package mentioned in the RedHat Security advisory.

In other words, don't confused "xglint" with "glint". They aren't related.

Selective rejection in sendmail. It seems even BugTraq is getting dangerous, security-wise. A recent message talked of seeing a Windows DLL file included in another message. Discussion on how to prevent such attachments led to a discussion on using libmilter, a program to selectively filter out mail with certain attachments. This was followed up by discussions of other tools and methods for taking the bite out of MIME-based email attacks.

Another tool was mentioned in this thread as well: MimeDefang, an e-mail filter program which works with Sendmail 8.10 or 8.11

More information about securing email from such attacks can be found online.

Privacy Foundation on :CueCat. The Privacy Foundation has issued its opinion on Digital:Convergence and their :CueCat handheld bar code reader. The primary concern is whether Digital:Convergence intends to track individual users using the information the :CueCat returns to the company.

... the :CueCat software attaches a unique user ID to each scanned bar code. This unique ID number, along with the bar code, is then sent back to Digital:Convergence Corp. computer servers. This feature could potentially allow the company to track the :CueCat scans of every consumer who registers for the service.

Conflicting reports on SDMI participation. The music industry's effort to find copy protection options for digital recordings - known as SDMI and which was covered last week by LWN - may or may not be getting serious attention from the hacker community, depending on who you talk to.

News.com reports that hackers are snubbing the SDMI's 'hacking contest'.

"But Linux Journal's Marti said that many expert hackers, including hacking superstars who cracked the encryption codes on DVDs, had agreed not to participate in the SDMI's challenge."

However a followup article in ZDNet claims

A threatened Linux community boycott doesn't seem to be putting a chill on a hacking challenge sponsored by the music industry.

Interestingly enough, Linux Journal's Don Marti is quoted in both articles, with a hardened stance in the first and a softer in the latter after a talk with SDMI's executive director Leonardo Chiariglione. The Economist also reported on the "crack SDMI" challenge.

"Writing in the Linux Journal, one programmer, Don Marti, called upon his fellows to boycott the contest rather than do SDMI's dirty work for it by offering what is, in effect, free consulting. And many hackers, including Eric Raymond, the guru of open-source software, object to helping this particular enemy on the grounds that if SDMI succeeds, it will prevent legitimate 'fair use' copying of music as well as preventing piracy."

Linux security quick reference card. Dave Wreski announced the Linux Security Quick Reference Card from LinuxSecurity.com. The cards are currently in PDF and Postscript formats and are now part of the Linux Documentation Project.

Caldera security update to LPRng. Chris Evans reported to BugTraq on a format string bug in LPRng that almost certainly exposes a system to remote-root access. The first posted update related to this problem came from Caldera, who issued this security update to the LPRng print system which fixes the problem.

Because of the remote exploit possibility with this problem you can expect to see updates from most major distributions in the coming week. Updating LPRng with these updates, when available, is highly recommended.

Chris later posted a simple test he ran to find this vulnerability, something many people may find useful in doing their own search for similar format string problems.

eSound /tmp file vulnerability. Linux-Mandrake was the first distribution to post a security advisory and updated packages to BugTraq for esound that address that packages use of domain sockets in the /tmp directory.

Versions of esound prior to and including 0.2.19 create a world-writable directory in /tmp called .esd which is owned by the user running esound. This directory is used to store a unix domain socket. The socket is also created world-writable, so a race condition exists in the creation of this socket which allows a local attacker to cause an arbitrary file or directory owned by the user running esound to become world-writable.

Security Reports

SuSE 6.4 httpd configuration. An apparent configuration problem may exist with the httpd.conf file as provided in SuSE 6.4 distributions. The configuration allows visitors to a site to peruse the packages installed by viewing the /usr/doc/packages directory. The fix is simple enough - apply directory specific deny rules for the /usr/doc/packages directory.

SuSE, monitoring the BugTraq announcement, was quick to provide a modified configuration to address this issue. Alternative configurations were offered to BugTraq.

The key is to determine a policy for who should be allowed access to those directories and implement the policy with the appropriate Apache Location rules.

Commercial products. The following commercial products were reported to contain vulnerabilities:

• Extent RBS - failure to check for directory traversals when reading images causes this web server to be open to malicious users.

DoS possible with nmap in OpenBSD. A vulnerability in nmap on OpenBSD was reported to BugTraq this past week that involves the protocol scanning option (-sO). Empty AH/ESP packets sent to OpenBSD 2.7 can put it into debug mode, followed by a kernel panic. The problem appears to only be related to OpenBSD, as both Linux and FreeBSD were specifically found to not be vulnerable.

09/28 Correction: The problem here is with OpenBSD's handling of these packets, not with nmap itself.

Updates

Update to Cisco PIX issue. Ioannis Migadakis posted to BugTraq that the recently reported SMTP content filtering problem in Cisco PIX Firewall's was not a new issue.

It has been posted to BUGTRAQ on 9 Jul 2000 by Lincoln Yeoh with a title "Out of order SMTP DATA commands incorrectly allow pass-through mode in some firewall smtp filters/proxies"

However, the original post did not say anything about Cisco PIX.

Meanwhile, as suggested in last week's Security Reports, Cisco has come out with fixes for this problem.

Update to IMP vulnerability. Conectiva posted a fix for the previously reported format string vulnerabilities in IMP/Horde. Previous updates:

• Debian (September 14).

Update to xpdf race condition exploit. Linux Mandrake posted an addendum to its previous update for this problem. This version resolves an incorrect dependency in the t1lib package from previous udpates to the 6.x and 7.0 releases of Linux Mandrake.

Other previous updates for this problem:

• Debian (September 14th)
• Caldera (September 14th)
• Conectiva (September 14th)
• Red Hat (September 21st)

Security updates to sysklogd. Yellow Dog has wandered in with a security update to sysklogd, fixing the format string vulnerability in that package.

MandrakeSoft has issued a new security update to sysklogd which supersedes the original, September 18 update. This version includes an additional fix that is worth having.

SuSE noted that ftp server problems caused older versions of syslogd packages to be provided instead of the recently released patched versions.

Previous updates for this problem (all from last week):

• Red Hat
• Conectiva
• Slackware
• Linux-Mandrake (original)
• Debian
• Immunix
• SuSE
• Caldera
• Trustix

Resources

Updated security tools. Here are some Open Source security tools which were announced, released, or for which minor updates have been made available in the past week:

• Cryptcat - A verstion of netcat with encryption.

Resource announcements. Here are some other announcements related to Linux security that were made this past week.

• SecurityPortal now has a linux security mailing list. The list is moderated, and is intended to be a reliable and complete source of security alerts.

Events

Upcoming security events and announcements.

• Call for Papers, Computer Security Mexico

Section Editor: Liz Coolbaugh

Secure Linux Projects
Bastille Linux
Immunix
Nexus
Secure Linux
Secure Linux (Flask)
Trustix

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara MNU/Linux Advisories LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
Linux Security Audit Project
LinuxSecurity.com
OpenSSH
OpenSEC
Security Focus
SecurityPortal

Next: Kernel