See also: last week's Security page.

Security


News and Editorials

So what was different in 2000? The end of the year has come, and with it, an opportunity to look back on the year from a security perspective. After examining many potential topics and discarding them, the question was asked, what has changed the most since 1999? From the perspective of writing this column, the sheer volume of information that is being reported stands out as the largest change. It is amazing to look back on some of the LWN Security Summaries from 1999 and find some that display in a single page view or contain no more than six paragraphs of information.

It seemed worthwhile to see if we couldn't produce some rough numbers to illustrate this change. To do so, we looked at two pieces of information: the number of open source software vulnerability reports covered and the size of the LWN Security Summary.

Starting with the first item, we quickly scanned through old issues and estimated the number of new vulnerabilities we reported each month for both 1999 and 2000. Lacking a proper database, we make no claims for absolute accuracy. We excluded vulnerabilities in commercial software and web scripts, since our coverage of those issues was not consistent between 1999 and 2000. Given those parameters, we found that the average number of vulnerabilities reported per month in 1999 was 13.67, while the equivalent number in 2000 was 26.41, almost exactly double.

For the second item, we found the average size of a security summary in 1999 to be around 6.2KB, while in 2000, the average was 16.1KB, an even larger growth. Of course, although sizes are easy to calculate accurately, they are less reliable as an indication of increased activity; maybe we are just getting more loquacious.

Nonetheless, our rough numbers strongly back up the assertion that security activity has more than doubled over the past year. Why? Well, like most statistics, you can use them to bolster just about any theory you might have, but our personal guess is that the increase is a simple demonstration of the result of more eyes on the code. Linux and free software are gaining in popularity, more and more people are using and scrutinizing the software, therefore more problems are being found and reported.

However, it does give us a kind of scary feeling about 2001 ...

NSA security-enhanced Linux available. The U.S. National Security Agency has made its security-enhanced version of Linux available for download. The site describes what has been done, though in fairly abstract terms. It's available under the GPL, of course. (See also: Ted Ts'o's comments on Slashdot on this release).

Stephen Smalley also posted an excellent short summary of the features of the Flask architecture, used by Security-Enhanced Linux, and a comparison with RSBAC (Rule Set Based Access Control) for Linux, another Open Source security extension. "RSBAC appears to have similar goals to the Security-Enhanced Linux. Like the Security-Enhanced Linux, it separates policy from enforcement and supports a variety of security policies. RSBAC uses a different architecture (the Generalized Framework for Access Control or GFAC) than the Security-Enhanced Linux, although the Flask paper notes that at the highest level of abstraction, the Flask architecture is consistent with the GFAC. However, the GFAC does not seem to fully address the issue of policy changes and revocation, as discussed in the Flask paper."

Vendor security information update. Spurred by this excellent post by Matt Power (Bindview) to BugTraq this past week, the security links listed in our right-hand column have had a major overhaul. BSD information has been added, now that our BSD coverage is officially included, and a new section with pointers to web pages that contain subscription information for security and security announcement lists for various distributions is now available as well.

The security of RSA's SecurID token emulator is challenged. SecurID from RSA is a proprietary two-factor authentication process, utilizing a combination of a password and a security card, on which RSA has based products for remote access and e-business. A SecurID module is available for Apache, for example.

This week, I.C. Wiener published a SecurID token emulator, prompting a discussion on BugTraq of the implications. Adam Shostack commented that such code has been in the wild since 1996 and that its current publication will have the value of allowing a real test of the assertion that the numbers on the SecurID card do not reveal sufficient information to determine the card's secret.

Group crafts rating system for server security (CNet). A new, 71-member organization, the Center for Internet Security, plans to build benchmarks and rating methodologies in order to provide "a 'security ruler' defining a minimum level of security and then incrementally greater levels of security from which an organization can choose the desired level of security for its systems". Their plans are covered in this CNet article. Note that the benchmarks are to be released to the public domain.

It will be interesting to see how this venture does. The center itself is not-for-profit, so we presumably shouldn't see expensive fees for getting products or systems "rated" by the center. On the other hand, members of the center will be the ones reviewing and approving new benchmarks and ratings as they come out, so it may well be difficult to both move forward in a timely manner and prevent bias toward member products.

Security Reports

dialog lockfile symlink vulnerability. Matt Kraai reported a symlink problem with the manner in which dialog handles lockfiles. The Debian advisory below is the first and only reference to the problem we have found so far.

More stunnel vulnerabilities. More stunnel vulnerabilities have been reported, in addition to the ones discussed last week. One such vulnerability involves the logging of the stunnel process id to a non-existent directory. More stunnel updates are being released to address these additional problems.

One additional stunnel vulnerability that apparently does not impact Linux or BSD systems is the reported weak encryption vulnerability.

halflifeserver. Multiple buffer overflows and format string vulnerabilities have been reported in the halflifeserver.

Kerberized telnetd. Telnetd's allowance of arbitrary environment variables and a buffer overflow in the Kerberos v4 library combined to allow a local root exploit on NetBSD. Note that this problem has not been confirmed on other BSD or Linux systems.

cgi-bin scripts. The following cgi-bin scripts were reported to contain vulnerabilities:

  • Technote's print.cgi script was reported to contain a file disclosure vulnerability.

  • bsguest.cgi and bslist.cgi from Brian Stanbeck were reported to contain security problems related to the failure to properly filter input data. Both scripts can be manipulated to execute arbitrary commands on the server. Note that Brian appears to have released updated versions of these scripts (and a couple of others) on December 23rd, with a note that some security problems had been fixed.

Commercial products. The following commercial products were reported to contain vulnerabilities:

  • BEA WebLogic Server fails to properly check input data, allowing the string ".." (double dot) to be entered. This can be exploited either to execute arbitrary commands or to crash the server. WebLogic Server 5.1 SP 7 contains a fix for this problem. Check BugTraq ID 2138 for more details.

  • Oracle WebDb engine, part of the Oracle Internet Application Server, is reported to contain two vulnerabilities, one allowing an attacker to inject PL/SQL queries and the other allowing unauthorized proxy reconfiguration attempts. Here is Oracle's response, including workarounds and a promise that release 3.0.8 of Portal will address the problems.

  • Two additional problems in Oracle 8.1.7 were reported this past week by Juan Manuel Pascual Escriba, including a local root exploit and a file overwrite exploit.

Updates

GnuPG web of trust circumvention. A couple of new GnuPG security problems were covered in last week's LWN Security Summary. A security patch against gnupg-1.0.4 was also issued.

Note that the discussion last week mentioned two vulnerabilities but only discussed one of them, a problem with trust circumvention. Also fixed with the security patch was a problem with detached signatures, which could cause false-positive verifications.

ProFTPD memory leak. Last week, we mentioned a potential memory leak in ProFTPD. After further discussion on the list, the official position is that the bug is not reproducible.

BSD ftpd single byte buffer overflow. A one-byte buffer overflow was reported last week in the ftpd server provided with BSD.

Previous updates:
  • Trustix, not vulnerable, but new BSD ftpd packages provided anyway (December 21st)
  • OpenBSD (December 21st)
  • Trustix, BSD ftpd packages updated due to a typo in the original patch (December 21st)

DNS-based IRC server denial-of-service vulnerabilities. Check the December 14th LWN Security Summary for the original report of denial-of-service vulnerabilities and more in multiple IRC clients, including BitchX 1.0c17-2 and earlier.

ethereal buffer overflow. Check the November 23rd LWN Security Summary for the initial report of this problem. An update to ethereal 0.8.14 should fix this problem.

Resources

ICMP Usage In Scanning. Ofir Arkin has released version 2.5 of his ICMP Usage In Scanning research paper.

Events

RAID 2001 - Call for Papers. The Call for Papers for the Fourth International Symposium on the Recent Advances in Intrusion Detection (RAID 2001) has been released. The event will be held October 10-12, 2001, in Davis, CA, USA.

Upcoming security events.
Date                        Event                                              Location
December 27-29, 2000        Chaos Communication Congress                       Berlin, Germany
February 7-8, 2001          Network and Distributed System Security Symposium  San Diego, CA, USA
February 13-15, 2001        PKC 2001                                           Cheju Island, Korea
February 19-22, 2001        Financial Cryptography 2001                        Grand Cayman, BWI
February 24-March 1, 2001   InfoSec World 2001                                 Orlando, FL, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


December 28, 2000

LWN Resources


Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal

 


 
Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds