Security


News and Editorials

TCP/IP initial sequence number weakness. Now, before you read this article, note that we tend to have a slight bias against vulnerability reports that show up first in the media, rather than in technical/security forums (where we think they belong). That said, this week Computerworld published a story on a "security weakness in TCP/IP".

In the article, Guardent, a Waltham, Massachusetts-based security firm, claimed to know of a security flaw in TCP/IP whereby TCP initial sequence numbers that were supposed to be randomized were actually guessable, and could be used to hijack sessions or spoof connections. The company declined to give additional details, which made evaluation of their claims a bit difficult.

However, it appears that Guardent did go on to share their "copyrighted research" with CERT, who in turn has validated the existence of the weakness in this vulnerability note. This note still does not confirm what operating systems are vulnerable, though it has been hinted that Linux might be one of several.

Underlying the weakness is the question of whether a given operating system has implemented RFC 1948 ("Defending Against Sequence Number Attacks") properly. Potential security issues if this was not done have been known since the mid '80s.
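The RFC 1948 scheme, as an added Python sketch that is not from the article or from any operating system's TCP stack: the keyed per-connection offset F is added to the 4-microsecond clock M, so the ISN one peer is handed no longer reveals the ISN issued to a different peer, while each connection's own sequence space still advances with the clock. The host addresses, ports, the secret and the use of HMAC-SHA256 for F are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

MASK32 = 0xFFFFFFFF

def clock_4us(now_ns=None):
    """RFC 1948's M term: a counter that advances once every 4 microseconds."""
    if now_ns is None:
        now_ns = time.monotonic_ns()
    return (now_ns // 4000) & MASK32

def rfc1948_isn(local_ip, local_port, remote_ip, remote_port, secret, m=None):
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret).

    F is a keyed one-way function of the connection 4-tuple. RFC 1948 suggests
    MD5 over the tuple and a secret; HMAC-SHA256 truncated to 32 bits is an
    implementation choice made here, not the RFC's text.
    """
    if m is None:
        m = clock_4us()
    four_tuple = f"{local_ip}:{local_port}|{remote_ip}:{remote_port}".encode()
    f = hmac.new(secret, four_tuple, hashlib.sha256).digest()[:4]
    return (m + int.from_bytes(f, "big")) & MASK32

def global_counter_isn(m):
    """The scheme RFC 1948 replaces: one clock-driven counter shared by every peer."""
    return m & MASK32

def counter_model_guess(seen_isn, seen_m, target_m):
    """ISN an observer would expect at target_m if the host used a global counter."""
    return (seen_isn + (target_m - seen_m)) & MASK32

def is_guessable(isn_for, m1=1_000_000, m2=1_000_500):
    """True if the ISN issued to peer 'A' at clock m1 lets the counter model
    predict the ISN issued to a different peer 'B' 500 ticks (2 ms) later."""
    return counter_model_guess(isn_for("A", m1), m1, m2) == isn_for("B", m2)

def rfc1948_issuer(server_ip, server_port, peers, secret):
    """Return isn_for(peer, m) for a server talking to the given (ip, port) peers."""
    return lambda peer, m: rfc1948_isn(server_ip, server_port, *peers[peer], secret, m=m)

if __name__ == "__main__":
    peers = {"A": ("10.0.0.2", 40000), "B": ("10.0.0.3", 40001)}  # constructed sample peers
    hardened = rfc1948_issuer("10.0.0.1", 80, peers, secrets.token_bytes(16))
    print("global counter guessable:", is_guessable(lambda peer, m: global_counter_isn(m)))
    print("RFC 1948 guessable:", is_guessable(hardened))
```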

Perhaps we should be grateful for Guardent's work to sensationalize this issue, if it results in every operating system vendor auditing its TCP/IP implementation and making the needed corrections. Nonetheless, the mixture of copyrighted research, secrecy and press exploitation is a bit nauseating. Meanwhile, there do not seem to be any published exploits for this problem as of yet. That makes waiting for vendor advisories and updates a bit more palatable.

Carnivore by any other name ... (ComputerWorld). Carnivore, the FBI's program for "monitoring" email communications of suspected criminals, was reviewed by outside consultants at the instigation of the Justice Department. One of the recommendations of those reviewers was that the name of the program be changed. So we're sure you'll all be much happier about the existence of DCS1000, the program formerly known as Carnivore. Given their choice of a cryptic, non-informational name, we'll take a hefty bet that the moniker "Carnivore" will stick, whether they want it to or not.

Meanwhile, there's no new information on any substantive changes to Carnivore or previous efforts to get them to Open Source the code.

Bad News for Snoops (ZDNet). There's a bit of news about the UK's passage of part three of the United Kingdom's RIP law, or Regulation of Investigatory Powers Act, in this ZDNet article, but the primary focus is on m-o-o-t, which is designed to protect UK citizens from possible abuse of the new laws by the British government. "The self-contained software will be shipped on a bootable CD. User data and mail will be encrypted and stored in offshore data havens, bypassing local storage. Untraceable e-mail and telephony are also in the works".

Security Reports

icecast buffer overflows. This week, several buffer overflows in icecast were reported. As a result, icecast 1.3.9 and 1.3.10 have been released in the past week. Icecast 1.3.9 is chock full of security fixes; icecast 1.3.10 contains additional fixes, but the website does not note whether or not those fixes are security-related. In addition, the icecast format string vulnerability reported in the January 25th LWN Security Summary has finally been officially repaired. As a result, this upgrade is strongly recommended.

XFree86 nextaw/xaw3d/xaw95 temporary file issues. Fixes are now available for the insecure handling of temporary files by the AsciiSrc and MultiSrc widgets in the Athena widget library.

sgml-tools temporary file issues. Versions of sgml-tools prior to 1.0.9-15 are reported to handle temporary file creation insecurely. An upgrade to 1.0.9-15 or later is recommended.

slrn buffer overflow. A buffer overflow in the slrn newsreader was found and reported by Bill Nottingham. Check the Debian advisory for more details.

Zope 'aq_inContextOf' method access validation vulnerability. An access validation error in the 'aq_inContextOf' method can be exploited to gain access to Zope objects that should be denied, though the report comments that a Zope expert would be required in order to succeed. Zope 2.3.0 alpha, beta and final versions and Zope 2.3.1 beta 1 are all affected. A hotfix has been issued to fix the problem until Zope 2.3.1 beta 2 is released. Applying the hotfix is recommended.

Caldera-specific IMAP/POP vulnerability. Caldera issued an advisory concerning several buffer overflows in imap, ipop2d and ipop3d, which are normally not exploitable, because they could only be used to get access to processes already owned by the uid of the attacker. However, a configuration problem makes it possible instead to gain access to the 'nobody' account and execute arbitrary programs. Updated packages are provided.

mailx buffer overflow. A buffer overflow has been found in /bin/mailx which, if the program is installed setgid, can be exploited locally to gain access to the gid of the binary. No fix for this problem has been reported. The best workaround currently available is to remove the setgid bit, which will still allow it to be used to send mail, but will severely limit other functionality on systems that require group mail for writing to the mail spool directory.

Mesa temporary file link vulnerability. A temporary file link problem has been reported in the Mesa 3-D graphics library by Ben Collins. Linux-Mandrake has issued updated Mesa 3.3 packages with a fix for the problem. Note that Mesa 3.4.1 was released on February 15th, but no fix for a temporary file link problem is mentioned for it, so presumably it is affected as well.

timed denial-of-service vulnerability. FreeBSD has issued an advisory regarding a denial-of-service vulnerability in timed. The timed server crashes when sent malformed packets. Both a patch and updated packages are provided for FreeBSD. This problem is not specific to FreeBSD, but has not been confirmed on other BSD or Linux systems.

rwhod denial-of-service vulnerability. FreeBSD also issued a similar advisory for the rwhod daemon.

FTP File System buffer overflow. FTP File System is a Linux kernel module that allows FTP repositories to be mounted locally as VFS file systems. A buffer overflow in FTPFS was reported this week by Frank Denis. The author has been notified. FTP File System 0.2.1 was released yesterday, March 14th. Although it does not reference the security report, the description for the update does say, "Sanity checks on mount parameters were added to prevent overflows", so it might be presumed that the new version resolves this problem.

Updates

ePerl buffer overflows. Check the March 8th LWN Security Summary for the initial report.

mc binary execution vulnerability. Check the March 8th LWN Security Summary or Bugtraq ID 2016 for more details.

Zope security update. The week of March 1st, Digital Creations released a security update to Zope (all versions up to 2.3b1) fixing a security vulnerability in how ZClasses are handled. An upgrade is recommended.

joe file handling vulnerability. Check the March 1st LWN Security Summary for the initial report.

sudo buffer overflow. Check the March 1st LWN Security Summary for the original report.

XEmacs/gnuserv execution of arbitrary code. Check the February 8th LWN Security Summary or BugTraq ID 2333 for details. gnuserv 3.12.1 resolves the problem and is included with XEmacs 21.1.14.

Multiple glibc vulnerabilities. Several glibc vulnerabilities have been reported in recent weeks. Since glibc updates generally address all of the problems rather than one specific problem, the update reports for them have been combined. For the original reports, check the January 18th, 2001, LWN Security Report under the topics "glibc RESOLV_HOST_CONF preload vulnerability" and "glibc local write/ld.so.cache preload vulnerability".

Borland InterBase backdoor. Check the January 18th LWN Security Summary for the initial report. This is the first related advisory we've seen, but note that InterBase is not shipped by default with most distributions.

GNU CFEngine format string vulnerability. A format string vulnerability in CFEngine's use of syslog can be exploited locally to obtain root access. Check the October 5th LWN Security Summary for more details.

esound tmpfile link vulnerability. Check the September 7th LWN Security Summary for the original report of this problem from FreeBSD.

Resources

Minor Bastille testing update. Bastille Linux 1.2.0.pre11 was released this week, the latest in the testing series for this distribution.

KNARK rootkit analysis. Toby Miller has made available his analysis of the KNARK rootkit. "In the past if a box had a rootkit installed, an administrator could comb through the binaries and find traces of the rootkit. Not so in this case. The KNARK rootkit actually hides within the kernel making this rootkit almost impossible to find and analyze. How is this being done? Well, attackers are able to do this by using Loadable Kernel Modules (LKM)."

Events

Registration for the 2001 FIRST Conference now open. Registration for this year's FIRST conference is now open. The conference will take place June 17-22, 2001, in Toulouse, France.

Upcoming security events.

Date | Event | Location
March 26-29, 2001 | Distributed Object Computing Security Workshop | Annapolis, Maryland, USA
March 27-28, 2001 | eSecurity | Boston, MA, USA
March 28-30, 2001 | CanSecWest/core01 Network Security Training Conference | Vancouver, British Columbia, Canada
March 29, 2001 | Security of e-Finance and e-Commerce Forum Series | Manhattan, New York, USA
March 30-April 1, 2001 | @LANta.CON | Doraville, GA, USA
April 6-8, 2001 | Rubi Con 2001 | Detroit, MI, USA
April 8-12, 2001 | RSA Conference 2001 | San Francisco, CA, USA
April 20-22, 2001 | First annual iC0N security conference | Cleveland, Ohio, USA
April 22-25, 2001 | Techno-Security 2001 | Myrtle Beach, SC, USA
April 24-26, 2001 | Infosecurity Europe 2001 | London, Britain, UK
May 13-16, 2001 | 2001 IEEE Symposium on Security | Oakland, CA, USA
May 13-16, 2001 | CHES 2001 | Paris, France

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


March 15, 2001

Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds