Security


News and editorials

Process hiding in the 2.3.X kernel series? Pavel Machek posted a note to BugTraq about possible process hiding in the 2.3.X development kernel series. Pavel Kankovsky forwarded this concern to the security audit mailing list pointing out that the vulnerability had come about as a result of work done to close the kernel against pid recycling attacks.

Some background: in 2.3, /proc/NNN inodes keep a pointer to the task_struct (earlier versions stored only a pid, computed from the inode number, and used it to look that pointer up on every filesystem operation). This makes /proc in 2.3 resistant to pid recycling attacks, because old file descriptors always reach the original, now zombified, task_struct (which is garbage collected when its reference count drops to zero). Unfortunately, it makes /proc vulnerable to the inverse attack: because the old task_struct pointer is stored in the inode, new file descriptors also reach the old process until the kernel discards the inode, and that does not happen until all of the old descriptors are closed.

This concern was originally posted to linux-kernel, but has garnered no response as yet. Some careful thinking will be needed to fix this problem properly without reintroducing the older vulnerability or creating yet another new one.
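To make the two failure modes concrete, here is a small constructed model in C (added for this summary; it is neither kernel code nor anything from the posts above). It simulates a refcounted task table with the 2.2-style per-operation pid lookup beside the 2.3-style cached inode; `spawn`, `exit_task`, the `generation` counter and pid 7 are all assumptions of the model.

```c
#include <stdlib.h>
/* Constructed model of the two /proc/NNN designs above (not kernel code); "generation" tells apart successive processes that reuse one pid. */
#define MAXPID 64
struct task { int pid, generation, refs; };      /* stand-in for task_struct */
struct pinode { struct task *task; int refs; };  /* 2.3-style cached /proc inode */
static struct task *task_tbl[MAXPID];            /* live task per pid, or NULL */
static struct pinode *icache[MAXPID];            /* cached inode per /proc/<pid> */
static int next_gen;
static void put_task(struct task *t) { if (--t->refs == 0) free(t); }
static struct task *spawn(int pid) {             /* start a process with this pid */
    struct task *t = calloc(1, sizeof *t); t->pid = pid; t->refs = 1;
    t->generation = ++next_gen; return task_tbl[pid] = t;
}
static void exit_task(int pid) {                 /* process exits; the pid becomes free */
    struct task *t = task_tbl[pid]; task_tbl[pid] = NULL;
    put_task(t);                                 /* zombie lingers while still referenced */
}
/* 2.2-style: an fd remembers only the pid and looks it up again on every operation. */
static struct task *old_style_target(int pid) { return task_tbl[pid]; }
/* 2.3-style: open caches the task pointer in an inode that lives as long as any fd. */
static struct pinode *new_style_open(int pid) {
    struct pinode *in = icache[pid];
    if (in) { in->refs++; return in; }           /* inode still cached: reuse it */
    in = calloc(1, sizeof *in);
    in->task = task_tbl[pid]; in->task->refs++; in->refs = 1;
    return icache[pid] = in;
}
static void new_style_close(struct pinode *in) {
    if (--in->refs) return;
    icache[in->task->pid] = NULL; put_task(in->task); free(in);
}
/* Pid recycling against 2.2: an fd opened on generation 1 later reads generation 2. */
int demo_pid_recycling(void) {
    next_gen = 0; int fd_pid = spawn(7)->pid;    /* the fd keeps only the pid */
    exit_task(7); spawn(7);                      /* pid 7 is reused by a new process */
    int seen = old_style_target(fd_pid)->generation; exit_task(7);
    return seen;                                 /* 2: the stale fd now hits the new process */
}
/* Same sequence against 2.3: the old fd stays pinned to generation 1, but a fresh open of
 * /proc/7 gets the cached inode and so also sees the dead task: the new process is hidden. */
int demo_stale_inode(int *fresh_open_sees) {
    next_gen = 0; spawn(7);
    struct pinode *old_fd = new_style_open(7);   /* opened on generation 1 */
    exit_task(7); spawn(7);                      /* pid 7 reused by generation 2 */
    struct pinode *new_fd = new_style_open(7);   /* returns the cached inode */
    int old_sees = old_fd->task->generation;     /* 1: resistant to pid recycling */
    *fresh_open_sees = new_fd->task->generation; /* 1 as well, although pid 7 is now gen 2 */
    new_style_close(new_fd); new_style_close(old_fd); exit_task(7);
    return old_sees;
}
```

The second demo is the hiding case the post describes: as long as any descriptor on the old /proc/7 inode stays open, a new open of /proc/7 never reaches the process that now owns pid 7.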

Obstacles to Cryptographic Code Exportation Lifting. This LinuxMall article responds to the governmental relaxation regarding cryptographic export regulations. "While encryption restriction and patent law issues are not completely resolved yet, the playing field with the rest of the world is levelling. Better still, the Open Source and Cryptographic software communities are finally seeing real progress in these areas."

Developers Blasted on Security. Rich Pethia, director of the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh, blasted software developers for marketing flawed software in an address to a Congressional panel covered in this Wired news article. "Pethia did not criticize any companies by name in his prepared statement to the panel." Very tactful of him ...

Building a Robust Linux Security Solution (Network Magazine). Here's a Network Magazine article on building secure Linux systems. "If you want to grant your remote users VPN access to your Linux gateway, but you don't want to install (or maintain) IPSec software on their laptops, you are in luck: PopTop is a freely available Point-to-Point Tunneling Protocol (PPTP) server that can act as an end-point for VPN sessions from standard Windows desktops." (Thanks to Flemming S. Johansen).

Security Reports

abuse.man web manager kit. abuse.man is a Perl CGI script for managing virtual hosts. A vulnerability in abuse.man has been reported which can allow both remote and local users to execute arbitrary commands on the web server. The manufacturer has been notified. Disabling abuse.man, or patching it to use relative links instead of absolute paths, is recommended, but no patch has been provided.

FreeBSD posted advisories this week for the orville-write port (local root compromise) and lynx (remote execution of arbitrary code). They provide a simple workaround for the orville-write port, but recommend removing lynx from the system altogether. "The lynx software is written in a very insecure style and contains numerous potential and several proven security vulnerabilities (publicized on the BugTraq mailing list) exploitable by a malicious server."

Lynx problems were most recently discussed in the September 23rd, 1999 LWN Security Summary, at which point SuSE and Yellow Dog Linux provided updates for this program.

Exploits for the pam-0.68-7 package are being passed around for both Red Hat 6.X and Mandrake 6.X. RPMs for pam-0.68-10 have been around for two months, guys. If you have not already updated, you need to do so now. A note to people using automated tools such as autorpm for installing Red Hat updates: Red Hat has not been linking new updates into the older directories, just providing links to the latest directory in their advisory. As a result, your tools may not be picking up all the updates that they need. The updates for pam-0.68-10 and usermode-1.18 are examples of this.

The Apache project: Jakarta Tomcat. A serious bug has been reported when Tomcat and the Apache web server are used together in order to serve Java Server Pages and Java servlets. Tomcat 3.1 beta 1 has all required fixes applied.

Commercial updates. Cisco has issued an advisory for their Secure PIX Firewall concerning its handling of FTP server and client commands, which can lead to inappropriate connections being made across the firewall. A fix has been made for its handling of FTP server commands, while the FTP client issue is still being worked on. For additional information, check out the BugTraq thread on Extending the FTP "ALG" vulnerability to any FTP client. Note that other firewall products are also likely vulnerable.

Updates

The following issues have been previously discussed, but new updates have been made available for them in the past week.

mh/nmh. See discussion in the March 9th, 2000 LWN Security Summary.

mtr (multi-traceroute). See discussions in the March 16th, 2000 LWN Security Summary.

dump/restore. See discussion in the March 9th, 2000 LWN Security Summary. This is the first distribution update seen for this problem.

Overall, updates for specific Linux distributions appear to be coming more slowly, not more quickly. Of equal concern, the updates that are coming out are not getting installed (witness the pam discussion above). As a result, we are all losing ground as far as security is concerned.

Resources

Shaft DDOS tool analysis. An analysis of shaft, yet another distributed denial-of-service tool like Trinoo, TFN, Stacheldraht, and TFN2K, has been made available by Sven Dietrich at the NASA Goddard Space Flight Center and others.

Security Audit FAQ update. An updated version of the Security Audit FAQ has been released. Jeff Graham asked people to note in particular that the address for FAQ submissions has changed to lsap@demit.net.

Events

Call-for-Papers RAID 2000. A last Call-for-Papers for the RAID 2000 conference has been issued. Deadlines start on March 31st, 2000.

Call-for-Papers ACSAC. The call-for-papers for the 16th Annual Computer Security Applications Conference (ACSAC) has been released. ACSAC will be held December 11 - 15, 2000, at the Sheraton Hotel, New Orleans, Louisiana. Deadlines for papers, panels, tutorials and case studies come up in May.

Section Editor: Liz Coolbaugh


March 23, 2000

Copyright © 2000 Eklektix, Inc., all rights reserved