LWN.net

Security


News and editorials

Denial of Service Attacks continue to escalate. Last week, we mentioned a CERT advisory about the increased presence of automated tools for launching distributed denial-of-service (DDoS) attacks. CERT has issued a new advisory on developments in this area, partly in reaction to this detailed analysis of one such DDoS tool, "stacheldraht", by David Dittrich.
In late June and early July of 1999, one or more groups were installing and testing trinoo networks and waging medium to large scale denial of service attacks employing networks of over 2000 compromised systems. These attacks involved, and were aimed at, systems around the globe.

In late August/early September of 1999, focus began to shift from trinoo to TFN, presumed to be the original code by Mixter. Then in late September/early October, a program that looked a lot like the TFN agent, known as "stacheldraht", began to show up on systems in Europe and the United States.

Both Solaris and Linux are target platforms for "stacheldraht", even though Solaris appears to be the more popular platform for it at the moment. The attack depends on the attacker first breaking into thousands of poorly secured hosts, which are then used as agents to flood the intended victim. As a result, the primary defense is to raise security awareness and improve practices at every site, and to strengthen intrusion detection, so that compromised sites discover that they are hosting agents and clean them up. A Perl script called "gag", referred to in David's analysis, can be used to probe a host for a stacheldraht agent.
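As an added illustration of the kind of network-level check a compromised site could run, the following Python example (written for this page; it is not code from Dittrich's analysis or from the gag script) classifies ICMP echo-reply packets by the identifier/payload pairs that stacheldraht's handler/agent traffic and the gag probe use. The ICMP identifiers and strings (666/"skillz", 667/"ficken", 668/"gesundheit!", 669/"sicken") are taken from Dittrich's published analysis, not from the text of this page, and the packets below are constructed inline so that the check runs offline; the source and destination addresses are made up.

```python
import socket
import struct

# Identifier/payload pairs stacheldraht carries in ICMP echo replies (type 0),
# as documented in Dittrich's analysis (assumption: quoted from that write-up,
# not from the LWN page). Agents and handlers never use echo requests for this.
SIGNATURES = {
    (666, b"skillz"): "stacheldraht agent -> handler (agent announcing itself)",
    (667, b"ficken"): "stacheldraht handler -> agent (handler acknowledgement)",
    (668, b"gesundheit!"): "gag probe (scanner -> suspected agent)",
    (669, b"sicken\n"): "stacheldraht agent answering a gag probe",
}


def icmp_checksum(data):
    """RFC 1071 ones-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_reply(src, dst, ident, seq, payload):
    """Constructed IPv4 + ICMP echo reply for testing; no network access needed."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + 8 + len(payload), 0, 0, 64, 1, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    icmp = struct.pack("!BBHHH", 0, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    return ip_hdr + icmp


def classify_packet(pkt):
    """Return a description if pkt matches a stacheldraht ICMP signature, else None.

    Only well-formed IPv4/ICMP echo replies with a valid ICMP checksum are
    considered, so truncated or corrupted packets never produce a match.
    """
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:  # protocol field: 1 == ICMP
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 8 or icmp_checksum(icmp) != 0:
        return None
    icmp_type, _code, _csum, ident, _seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 0:  # stacheldraht traffic rides on echo replies only
        return None
    payload = icmp[8:]
    for (sig_id, sig_data), description in SIGNATURES.items():
        if ident == sig_id and payload.startswith(sig_data):
            src = socket.inet_ntoa(pkt[12:16])
            dst = socket.inet_ntoa(pkt[16:20])
            return "%s -> %s: %s" % (src, dst, description)
    return None


if __name__ == "__main__":
    # Constructed sample traffic: a gag probe, the agent's answer, and an ordinary ping reply.
    samples = [
        build_echo_reply("10.0.0.1", "10.0.0.2", 668, 0, b"gesundheit!"),
        build_echo_reply("10.0.0.2", "10.0.0.1", 669, 0, b"sicken\n"),
        build_echo_reply("10.0.0.2", "10.0.0.1", 4242, 1, b"abcdefgh"),
    ]
    for pkt in samples:
        print(classify_packet(pkt))
```

In practice the packets would come from a raw socket or a packet capture on the suspect subnet; the point of the check is that a site can spot agent traffic (or a neighbour's gag probes) without relying on the attacker's host being found first. Matching on the echo-reply identifier rather than on payload alone matters because echo replies with arbitrary data are otherwise common.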

The issues are complex, so we won't try to reproduce the work of CERT and others, but instead direct you all to their advisory above for more information.

DNS Insecurity. No, this isn't yet another BIND vulnerability. The issue is the use of email to authorize changes to your registered domain information. Email spoofing is easy, and it is now being actively used to alter the registration records (and hence the name servers) of registered domains. A number of such incidents were reported to the SANS Institute during its Y2K alert program. SecurityPortal.com's Kurt Seifried has written this editorial on the topic. If your domains are registered with Network Solutions, it outlines your option to move from the default mail-from authentication, which trusts the From: header, to password (CRYPT-PW) or PGP-signature protection for changes to your records.

Security Reports

Majordomo vulnerabilities. SuSE has sent out an announcement that the Majordomo mailing list manager has a number of security vulnerabilities. Unfortunately, Majordomo is not entirely free software, so SuSE is currently unable to distribute a fix. Majordomo installations on other distributions and operating systems are equally vulnerable. Until a fix is made available, removing execute permission for "other" on the Majordomo programs (chmod o-x) is the recommended workaround. For more information, check out BugTraq IDs 902 and 903.

PHP 3.x vulnerability. An exploitable vulnerability has been reported in PHP 3.x's 'safe_mode'. More information and a workaround can be found in the BugTraq database.

Zope security update released. A security update to Zope has been announced. The vulnerability looks like a nasty one; those running publicly-available Zope-based sites will want to apply it at the earliest opportunity.

vibackup.sh. The vibackup.sh script, reportedly used on OpenBSD, FreeBSD and Debian GNU/Linux, removes files insecurely. It has apparently been replaced in OpenBSD 2.6, and a fix for the stable and current branches of FreeBSD has been committed. Debian has not yet responded.

Commercial reports. Cisco reported a Kerberos Client Authentication Failure for Cisco products with Kerberos authentication enabled.

Netscape FastTrack 2.01a is reported to have a vulnerability that allows an attacker to gain the privileges of the uid under which the httpd daemon runs.

Altavista has provided a patch for the security vulnerability reported in BugTraq ID 896. This vulnerability can allow the password for the remote administration utility to be retrieved.

Updates

usermode and pam. Red Hat has issued an update to usermode and pam which fixes a bug in the userhelper program that can allow a local root exploit. Note that the advisory recommends upgrading the packages with "rpm -Uvh". As several people pointed out on BugTraq, "rpm -Fvh" is probably the better choice: -F (freshen) only upgrades packages that are already installed, whereas -U installs every package named on the command line, so applying an advisory's full list of RPMs with -U can pull in packages you never had on the system.

Resources

Secure Programming for Linux HOWTO. Developers will want to check out David A. Wheeler's just-released document titled "Secure Programming for Linux HOWTO". Issued under the GPL, this 28 page document "provides a set of design and implementation guidelines for writing secure programs for Linux systems. Such programs include application programs used as viewers of remote data, CGI scripts, network servers, and setuid/setgid programs."

Intrusion Detection System Signature Database. Max Vision has announced the availability of arachNIDS, his free, CVE and BugtraqID compatible/searchable database of "attack" signatures.

SHADOW Intrusion Detection System y2k updates. Versions of the SHADOW IDS prior to 1.6 had difficulties with the January 1, 2000 date change. For those people that do not want to upgrade, a workaround has been posted, but an upgrade is recommended.

SAINT 1.4.1. This minor update to SAINT adds checks for recently reported vulnerabilities. "New checks have been added for an ODBC RDS bug, for an IIS 4.0 buffer overflow, for Calendar Manager service, for sadmind, for Trinoo and for DRAT backdoor. Updates have been made to the checks for DNS, ftpd, ssh, and QPOP...".

Section Editor: Liz Coolbaugh


January 6, 2000


Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds