[LWN Logo]
[LWN.net]

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Back page
All in one big page

See also: last week's Security page.

Security


News and editorials

Vulnerable CGI scripts. A "theme" in security for the past week seems to have been reports of vulnerable CGI scripts. To demonstrate, below is a list of recent reports:

Why all these advisories? Every CGI programming course taught in recent years hammers hard on the difficulty in properly securing CGI scripts and certainly has warned of the dangers of using unaudited CGI scripts, whether written yourself or acquired off the Internet. This week's spate of advisories appears to have been started as a way to draw attention to the security groups putting out the advisories. However, once the example had been made, additional similar problems were quickly reported.

Lots of functionality has been added to common scripting languages, such as perl, to make it possible to write secure CGI scripts. However, it takes time and effort to learn how to do it right. The list above says that people aren't taking that time; they are writing scripts in a sloppy manner and freely borrowing such scripts from other people without either auditing them or understanding how to fix them if they do.

Now is the time to understand that such scripts not only are insecure, but that exploits for their vulnerabilities are available and are being circulated. Time to make a list of your CGI scripts now and audit them. Don't wait and expect bug fixes and updates from the authors of such scripts; they may not be forthcoming and you'll remain vulnerable in the meantime.

BugTraq Vulnerability Database Statistics. Which operating systems really have the most security problems? Have a look at the BugTraq statistics for a clue. They have made up some charts of how many security problems they have seen on each system over the years. "We leave the interpretation of these numbers to you."

We contacted Security Focus and asked a few questions about the statistics. First, because only Red Hat and Debian were directly listed, yet the sum of "Linux (aggregate)" was clearly higher than the sum of those two, we checked to make sure that Linux vulnerabilities were not being counted twice, just because they were reported on multiple distributions. They are only being counted once.

Second, we checked on how they determined that a particular vulnerability was a "Linux" vulnerability. A specific package is not considered to be "part of Linux" unless it is shipped with a specific Linux distribution. Of course, especially when Debian is included, that is a vast amount of free software, but a package won't be considered part of Linux just because it is possible to compile and run it on a Linux platform.

Last, because we'd love to know, we checked to see if statistics on how many of these vulnerabilities have been fixed were available. They are not, historically, but the ability to track this information has been recently added to the database, so such statistics will be possible to report in the future. Linux developers and distributors: make sure you are getting out fixes and updates for all the reported vulnerabilities. Otherwise, we are all bound to be embarrassed when full statistics on this topic become available.

Bruce Schneier's CRYPTO-GRAM (May 15). This month's edition of CRYPTO-GRAMeditorializes on the need to view security as a process, not a product, with the accompanying analysis of "acceptable risk". It also reports on the Cybercrime Treaty, a proposed treaty of the Council of Europe that would "make it illegal to create, post, or download any piece of software that is "designed or adapted" to break into computer systems", effectively tying the hands of systems administrators and researchers who are working to improve security.

Stoic Distro for the Paranoid (LinuxNews). LinuxNews takes a look at the recent announcement for Nexus, a new secure Linux distribution. "Unlike many currently available Linux distributions, Nexus isn't being promoted as a user-friendly proposition. 'Nexus does not try to appeal to the novice user, or even be usable by him. We sacrifice "ease of use" for power and security.'"

Security Reports

Bad ssh-1.2.27-8i rpms. John McNeely reported to BugTraq a problem with one set of ssh rpms as distributed from the Zedz Consultants web site for Red Hat 6.0 through 6.2. The ssh-1.2.27-8i rpms included a patch for PAM support that allows ssh to be used to log into any valid account. Note that the 1.2.27-7us and 1.2.27-7i rpms, also available, are not vulnerable. OpenSSH is also not impacted by this report. Removing the bad rpms and using unaffected rpms or OpenSSH is recommended. Check the Security Focus vulnerability database for more details.

kscd: KDE CD reader. kscd, the CD player provided with the KDE multimedia package, can be easily exploited to gain root privileges. If you have this package installed, the suid bit should be removed immediately. No official update for kscd has been posted, as of yet.

Netscape Warnings for invalid SSL certificates bypassed. The ACROS Security team posted an advisory detailing how a failure to issue a warning for an invalid SSL certificate, present in Netscape versions prior to 4.73, could be used to grab supposedly secured information from a third site, including potentially credit card information. Netscape has confirmed the problem, fixed it in Netscape 4.73 and made available a Personal Security Manager (PSM) to rectify the problem in older versions. Either an upgrade to 4.73 or the installation of the PSM is strongly recommended.

Netscape tmpfile vulnerability. Netscape versions 4.5 through 4.73contain a tmpfile vulnerability that can be exploited to read alternate files on the system or possibly modify them. For more information, check the SecurityFocus vulnerability database.

Kerberos buffer overruns. Multiple overruns in the MIT and Cygnus Kerberos implementations have been found and some of them have been demonstrated to be exploitable, according to this BugTraq posting. The KTH implementations have been reported not vulnerable. MIT will release krb5-1.2 with fixes for these problems "shortly".

gnapster and knapster vulnerability. A vulnerability has been reported in gnapsterand knapster which can be used to obtain any user-readable file, not just shareable MP3 files. This is the same vulnerability reported last week in FreeBSD's gnapster port in this advisory. Corrected versions of knapster and gnapster were promptly made available.

antisniff. A DNS buffer overflow in AntiSniff, a tool for detecting sniffers on a local network, can be exploited remotely to execute commands as root. L0pht, the original source of the program, has issued an advisory for the problem.

Commercial Vulnerabilities:

Vulnerabilities have been reported with the following hardware:.

Updates

xsoldier. An exploitable buffer overflow has been reported in the xsoldier game.

Linux kernel. UDP and masquerading vulnerabilities have been reported in the Linux kernel 2.2.14 and prior. Note that the Red Hat update appears to also include a fix for knfsd which is not mentioned in the SuSE advisory.

  • Red Hat (2.2.14 plus patches) (old)
  • SuSE (2.2.14 plus patches)

Resources

Security Focus releases Pager 3.0 beta. Pager 3.0 beta is a new product from SecurityFocus that will let you get your BugTraq fix in real time via a direct link to the SecurityFocus.com database. "The pager employs client-side filtering, ensuring the details you provide it about your network setup remain confidential - nothing is transmitted to the Security Focus database server. The source code for the pager is also publicly available, allowing the community to review exactly what the pager does and does not do."

Nessus 1.0. The first complete, stable version of Nessus, a free, open-sourced (GPL-ed), and frequently updated security scanner, has been announced. "Nessus performs as many security checks as you could expect from a commercial security scanner (over 400) and is very up-to-date regarding this issue. It also has its own unique features, such as services recognition (so that a web server running on port 8080 will _also_ be tested), its own scripting language, and many more (see http://www.nessus.org/features.html)".

Events

May/June security events.

May 22-25, 5000. SANE 2000, Maastricht, The Netherlands.

June 12-14, 2000. NetSec 2000, San Francisco, California, USA.

June 25-30, 2000. 12th Annual First Conference, Chicago, Illinois, USA.

June 27-28, 2000. CSCoRE 2000, "Computer Security in a Collaborative Research Environment", Long Island, New York, USA.

Section Editor: Liz Coolbaugh


May 18, 2000


Secure Linux Projects
Bastille Linux
Immunix
Khaos Linux
Nexus
Secure Linux
Secure Linux (Flask)
Trustix

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
Linux Security Audit Project
LinuxSecurity.com
OpenSSH
OpenSEC
Security Focus
SecurityPortal

 

Next: Kernel

 
Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds