Security

News and Editorials

Adore those kernel modules. It seems highly likely that the name of the Adore worm was chosen partly because it provides so many opportunities for humorous headlines and off-hand comments. However, a couple of points about the Adore worm did not come to light before we published last week. The most important is that Adore, unlike the Ramen and Lion worms of which it was considered a variant, is the first worm to use a loadable Linux kernel module to hide its tracks.

We have been discussing the security impact of loadable kernel modules for some time. In June of 2000, for example, a loadable kernel module (capcheck) was released to close a security vulnerability in the kernel (the 2.2 capability bug). That fix demonstrated the reach of loadable kernel modules: code loaded into the kernel can change the behavior of the system at any level, which made it pretty much inevitable that rootkits such as Knark, and now the Adore worm, would make use of them on behalf of attackers.

Further back, we also discussed how the ability to load kernel modules can be disabled on a running system by removing CAP_SYS_MODULE from the capability bounding set (see the December 2nd, 1999 Kernel Page for instructions and caveats). Although root can remove capabilities from the bounding set, only init can add them back. This means that loadable kernel modules can be used while the system boots and then disabled, preventing rootkits like Knark and worms like Adore from loading modules to cover their tracks. The caveat that goes with this is the flip side of the same property: once the capability is gone from the bounding set, no module can be loaded until the next boot, so every driver the system needs must already be loaded (or built in) when the switch is thrown. In 1999 this was considered something only the most security-conscious sites would be interested in. Nowadays it is a configuration option that Linux distributors, particularly those marketing themselves as secure by default, may want to consider seriously.
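As an added illustration of the bounding-set trick described above (this is editor-supplied example code, not anything from the Adore analysis, the 1999 Kernel Page or any distributor), the following script removes CAP_SYS_MODULE from the bounding set on a 2.2 or 2.4 kernel. It assumes the sysctl file /proc/sys/kernel/cap-bound, that the kernel reads and prints the set as a signed 32-bit decimal integer, and that CAP_SYS_MODULE is bit 16 as defined in include/linux/capability.h; the stock value -257 mentioned in the comments (every bit set except CAP_SETPCAP) is likewise an assumption about the default on such kernels.

```shell
#!/bin/sh
# Editor-supplied example: drop CAP_SYS_MODULE from the kernel capability
# bounding set so no further modules can be loaded until the next boot.
# Assumptions (not from the LWN page): the 2.2/2.4-era sysctl file
# /proc/sys/kernel/cap-bound, read and written as a signed 32-bit decimal;
# CAP_SYS_MODULE is bit 16 (include/linux/capability.h); the stock value on
# such kernels is -257 (0xFFFFFEFF, every bit set except CAP_SETPCAP).

CAP_SYS_MODULE=16
CAP_BOUND=/proc/sys/kernel/cap-bound

# to_u32 SIGNED: the unsigned 32-bit view of the value the kernel printed.
to_u32() {
    printf '%d\n' "$(( $1 & 0xFFFFFFFF ))"
}

# to_s32 UNSIGNED: back to the signed decimal form the kernel accepts on write.
to_s32() {
    s32_v=$1
    if [ "$s32_v" -ge 2147483648 ]; then
        s32_v=$(( s32_v - 4294967296 ))
    fi
    printf '%d\n' "$s32_v"
}

# has_cap SIGNED BIT: succeeds if capability BIT is still in the set.
has_cap() {
    hc_u=$(to_u32 "$1")
    [ $(( (hc_u >> $2) & 1 )) -eq 1 ]
}

# drop_cap SIGNED BIT: the set with capability BIT cleared, in kernel form.
# Clearing an already-clear bit is a no-op, so re-running is safe.
drop_cap() {
    dc_u=$(to_u32 "$1")
    to_s32 "$(( dc_u & ~(1 << $2) ))"
}

disable_module_loading() {
    if [ ! -r "$CAP_BOUND" ]; then
        echo "$CAP_BOUND not present: this kernel has no cap-bound sysctl" >&2
        return 2
    fi
    cur=$(cat "$CAP_BOUND")
    if ! has_cap "$cur" "$CAP_SYS_MODULE"; then
        echo "CAP_SYS_MODULE already absent from bounding set ($cur)"
        return 0
    fi
    new=$(drop_cap "$cur" "$CAP_SYS_MODULE")
    # Needs root. Only init (pid 1) could ever put the bit back, so this
    # holds until reboot: load every module the system needs before this point.
    echo "$new" > "$CAP_BOUND" || return 1
    echo "cap-bound: $cur -> $new (CAP_SYS_MODULE dropped)"
}

# Only act when explicitly asked, so the file can also be sourced for its
# helper functions.
if [ "${1-}" = "--apply" ]; then
    disable_module_loading
fi
```

Run it as root with `--apply` as the last step of the boot sequence, after every module the machine needs has been loaded; starting from the stock value -257, `cat /proc/sys/kernel/cap-bound` afterwards prints -65793, and `insmod` fails from then on even for root. On kernels from 2.6.31 onward the cap-bound file no longer exists; the equivalent one-way switch there is `sysctl -w kernel.modules_disabled=1`.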
Cybercrime Treaty. A commentary on the International Treaty on Cybercrime from a lawyer's perspective marvels at the lack of attention paid to this bill, which could have enormous implications in terms of requiring law enforcement agencies, phone companies, ISPs and more to comply with evidence orders from nations all around the world. "One moment, an Internet provider might be turning over all Bulgarian folk songs on its system to an investigator. The next moment, it might be searching for e-mail traffic between customers in Latvia and the Ukraine".

Federal Computer Incident Response Center contracts out. The Federal Computer Incident Response Center is currently supported by a contract with CERT. According to this report, that will soon change. Day-to-day operations will instead be performed by Science Applications International Corp. (SAIC) and its partner Global Integrity Information Security. "The two companies proved their effectiveness during the 'ILOVEYOU' e-mail virus from the Philippines in May 2000. They were able to inform their customer, the Financial Services Information Sharing and Analysis Center, about the virus and how to counteract it hours before even the Defense Department could spread the word to the United States".

PGP Security's NAI Labs partner with NSA. NAI Labs, a division of PGP Security, announced that they are joining with the National Security Agency (NSA) and its other partners to further develop the NSA's Security-Enhanced Linux (SELinux) prototype. The $1.2 million deal will be paid over the life of the two-year contract, and the work will focus on research and development to improve the security of open-source operating system platforms.

Security Reports

ntp remotely exploitable static buffer overflow. An exploit for a static buffer overflow in the Network Time Protocol daemon (ntpd) was published on April 4th. This exploit can allow a remote attacker to crash the ntp daemon and possibly execute arbitrary commands on the host.
Patches and new packages to fix this problem came out quickly. It is recommended that you upgrade your ntp package immediately. If you cannot, disabling the service until you can is a good idea. For more details and links to related posts, check BugTraq ID 2540. This week's updates:
Netscape 4.76 GIF comment vulnerability. Florian Wesch discovered that Netscape 4.76 displays the comment attached to a GIF file without filtering it in any manner, so JavaScript embedded in the comment is executed directly. This is apparently fixed as of Netscape 4.77, which is available for download from ftp.netscape.com.

IP Filter fragment caching vulnerability. IP Filter is a TCP/IP packet filter used in FreeBSD, NetBSD and OpenBSD. Darren Reed reported a serious vulnerability in IP Filter in which fragment caching can be used to pass any packet through, essentially destroying the function of the firewall. When matching fragments, only the source IP address, destination IP address and IP identification number are checked before the fragment cache entry is used, and this lookup happens before any rules are checked, so a packet carrying the right three values is passed regardless of what the rule set says. IP Filter 3.4.17 has been released with a fix for the problem. Check BugTraq ID 2545 for additional details.

Multiple FTP daemon globbing vulnerability. The FTP daemons used on BSD (and other Unix) systems have been reported vulnerable to multiple buffer overflows in the glob() function. Check the related CERT advisory for more details.

Web scripts. The following web scripts were reported to contain vulnerabilities:
Commercial products. The following commercial products were reported to contain vulnerabilities:
Updates

ptrace/execve/procfs race condition in the Linux kernel 2.2.18. Exploits were released the week of March 29th for a ptrace/execve/procfs race condition in the Linux kernel 2.2.18. As a result, an upgrade to Linux 2.2.19 is recommended. Last week, Alan Cox put up the Linux 2.2.19 release notes, finally giving the specifics on all the security-related fixes in 2.2.19 (all thirteen of them!) and crediting the Openwall project and Chris Evans for the majority of the third-party testing and auditing work that turned up these bugs. Fixes for the same bugs have also been ported forward into the 2.4.x kernel series. This week's updates: Previous updates:
VIM statusline text-embedded command execution vulnerability. A security problem was reported in VIM last week: VIM commands could be maliciously embedded in files and then executed when the file was opened in vim-enhanced or vim-X11. Check BugTraq ID 2510 for more details. This week's updates: Previous updates:
mailx buffer overflow. Check the March 15th LWN Security Summary for the original report. The buffer overflow is only exploitable if the program is shipped setgid mail. This week's updates:
mc binary execution vulnerability. Check the March 8th LWN Security Summary or BugTraq ID 2016 for more details. This week's updates: Previous updates:

joe file handling vulnerability. Check the March 1st LWN Security Summary for the initial report. This week's updates:
Multiple vulnerabilities in splitvt. Multiple vulnerabilities were reported in splitvt in the January 18th LWN Security Summary, including several buffer overflows and a format string vulnerability. An upgrade to splitvt 1.6.5 should resolve the problems. This week's updates:
pico symbolic link vulnerability. Check the December 14th, 2000 LWN Security Summary for the initial report of this problem. Note that this has also been reported as a pine vulnerability, but the vulnerable component is still pico, not pine. Check BugTraq ID 2097 for more details. This is the first distribution update we've seen for this four-month-old vulnerability. This week's update:

Resources

Trustix Secure Linux 1.4.80. Trustix has announced the release of Trustix Secure Linux 1.4.80, a beta release toward the 1.5 stable version. It is nicknamed "Ooops," and is incompatible with 1.2 in a number of ways; read the announcement closely.

Lion Internet Worm Analysis. Max Vision has posted his analysis of the Lion worm and the three variants of it that have been identified so far. (Thanks to Jose Nazario).

Security Focus announces Malware Repository. Security Focus announced this week that they will be maintaining a repository of malware samples in order to make such software readily available for analysis. "Initially, the page will contain samples for Ramen, Lion, and Adore, plus anything else that comes out between now and then. We will be maintaining copies of new items from now on, and will not be making an attempt to go back in time to get a complete collection, unless someone wants to volunteer a personal collection".

Bastille Linux 1.2.0rc1. Bastille Linux has released version 1.2.0rc1, the first release candidate for their upcoming 1.2.0 release. This version is considered stable enough for use on production systems.

Detecting Loadable Kernel Modules (LKM). Toby Miller has posted a paper on detecting loadable kernel modules. It goes over the basics of loadable kernel modules, /lib/modules, conf.modules and kstat.

Linux Security Module mailing list. Crispin Cowan has announced a new mailing list called linux-security-module. "The charter is to design, implement, and maintain suitable enhancements to the LKM to support a reasonable set of security enhancement packages. The prototypical module to be produced would be to port the POSIX Privs code out of the kernel and make it a module. An essential part of this project will be that the resulting work is acceptable for the mainline Linux kernel".

Events

Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh
April 12, 2001