Date:         Tue, 25 Jul 2000 11:26:43 -0500
From: InfoSec News <isn@C4I.ORG>
Subject:      [ISN] Linux Security Week, July 24, 2000
To: ISN@SECURITYFOCUS.COM

Forwarded by: Dave Wreski <dave@guardiandigital.com>


+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  July 24, 2000                             Volume 1, Number 13      |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security
newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security
headlines and system advisories.

This week, advisories for the nfs-utils vulnerability were released.
Although there are currently no known exploits for this bug, in
theory, it can be used for gaining root access remotely.  Advisories
for nkitb, LISTSERV, wu-ftpd, gpm, and dhcp were also released.

In the news, a paper titled "Deploying Portsentry" provides a
step-by-step guide to setting up the popular port-scan detection
package, Portsentry. The paper explains how to configure the
portsentry.conf file, advanced stealth options, advanced_exclude
response options, and how to configure external commands (retaliation
scripts).  If you have not installed portsentry, you may want to
consider obtaining it.

http://www.psionic.com/abacus/portsentry/

Our feature this week, "Advanced Access Control with the Trustees
Project," by Dave Wreski, is an interview with Slava Zavadsky
regarding the work his organization has done.  The Linux Trustees
Project is an effort to create improved access control and advanced
file permission management similar to other operating systems.

http://www.linuxsecurity.com/feature_stories/feature_story-60.html

Our sponsor this week is WebTrends. Their Security Analyzer has the
most vulnerability tests available for Red Hat & VA Linux. It uses
advanced agent-based technology, enabling you to scan your Linux
servers from your Windows NT/2000 console and protect them against
potential threats. Now with over 1,000 tests available.

http://www.webtrends.com/redirect/linuxsecurity1.htm

HTML Version Available: http://www.linuxsecurity.com/newsletter.html


---------------------
Advisories This Week:
---------------------

* Mandrake: dhcp vulnerability
July 22nd, 2000

All versions of the ISC DHCP client program, dhclient, are vulnerable
to a root attack by a corrupt DHCP server.  This version fixes the
vulnerability. Versions of Linux Mandrake prior to 7.0, while
including the ISC DHCP server, do not include the DHCP client and are
therefore not subject to this vulnerability.

http://www.linuxsecurity.com/advisories/mandrake_advisory-573.html


* RedHat: Updated PAM packages are available
July 22nd, 2000

Workstations running a display manager may potentially allow remote
users to access console devices.

http://www.linuxsecurity.com/advisories/redhat_advisory-574.html


* RedHat: UPDATE: nfs-utils vulnerability
July 21st, 2000

The rpc.statd daemon shipped in Red Hat Linux 6.0, 6.1, and 6.2
contains a flaw that could lead to a remote root break-in.  Version
0.1.9.1 of the nfs-utils package corrects the problem. Although there
is no known exploit for the flaw in rpc.statd, Red Hat urges all
users running rpc.statd to upgrade to the new nfs-utils package.

http://www.linuxsecurity.com/advisories/redhat_advisory-572.html


* Caldera: DoS in gpm
July 20th, 2000

There are security problems within gpm (General Purpose Mouse support
daemon) which allow removal of system files and also exhibit a local
denial of service attack.

http://www.linuxsecurity.com/advisories/caldera_advisory-571.html


* Caldera: rpc.statd information
July 19th, 2000

Recently, a vulnerability was discovered in the rpc.statd server,
which can be used to obtain root privilege remotely.  rpc.statd
should not be confused with rpc.rstatd. The former implements the
Network Status Monitor protocol, which is used by the NFS locking
functionality. The latter allows remote clients to query a host's
statistics (such as load average etc).

http://www.linuxsecurity.com/advisories/caldera_advisory-569.html


* Mandrake: nfs-utils vulnerability
July 19th, 2000

A bug recently discovered in the nfs-utils package can theoretically
be used for gaining remote root access.  While there are currently no
known exploits for this bug, we recommend upgrading to the latest
version which fixes the bug.

http://www.linuxsecurity.com/advisories/mandrake_advisory-568.html


* TurboLinux: wu-ftpd-2.6.0 and earlier
July 19th, 2000

A buffer overrun exists in wu-ftpd versions prior to 2.6.1. Due to
improper bounds checking, SITE EXEC may enable remote root
execution, without having any local user account required.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-570.html


* Trustix: nfs-utils vulnerability
July 18th, 2000

A bug recently discovered in the nfs-utils package can theoretically
be used for gaining remote root. While there are currently no known
exploits for this hole "in the wild", we suggest that all users of
Trustix Secure Linux 1.0x and 1.1 upgrade.

http://www.linuxsecurity.com/advisories/other_advisory-566.html


* Mandrake: usermode vulnerability
July 18th, 2000

A bug existed in the usermode package that permitted users to reboot
or halt the system without having root access. This update removes
those files associated with allowing users access to reboot,
shutdown, halt, or poweroff the system.

http://www.linuxsecurity.com/advisories/mandrake_advisory-567.html


* LISTSERV web archive remote overflow
July 18th, 2000

The L-Soft LISTSERV web archive (wa,wa.exe) component contains an
unchecked buffer allowing remote execution of arbitrary code with the
privileges of the LISTSERV daemon.

http://www.linuxsecurity.com/advisories/other_advisory-565.html


* Stalker CommuniGate Pro vulnerability
July 18th, 2000

CommuniGate provides a useful mapping to access the Web User Guide,
which maps the URL /Guide/ to a directory in the CommuniGate sub
tree.  The built-in web server suffers from the well-known "../.." web
server problem.  If we request a document from the administrative web
server /Guide/ mapping, using the "../.." technique, we get to see
the file contents

http://www.linuxsecurity.com/advisories/other_advisory-564.html


* RedHat: Updated package for nfs-utils available
July 17th, 2000

The rpc.statd daemon in the nfs-utils package shipped in Red Hat
Linux 6.0, 6.1, and 6.2 contains a flaw that could lead to a remote
root break-in.

http://www.linuxsecurity.com/advisories/redhat_advisory-562.html


* SuSE: nkitb vulnerability
July 17th, 2000

It may be possible for an attacker to modify his/her DNS record to
execute arbitrary machine code as root while connecting to the
standard ftp daemon.

http://www.linuxsecurity.com/advisories/suse_advisory-561.html


* Conectiva: nfs-utils vulnerability
July 17th, 2000

There is a problem in the nfs-utils package that could lead to a
remote root exploit.

http://www.linuxsecurity.com/advisories/other_advisory-563.html


-----------------------
Top Articles This Week:
-----------------------

Host Security News:
-------------------

* Deploying Portsentry
July 21st, 2000

And then it dawned on me that by simply scanning subnets your
average script kiddie didn't need to know what my site was all about
at all. He or she could just scan en masse for open ports and an easy
way in and then plant a root kit for laughs or turn my machine into
a spam forwarding station. I got a copy of SATAN and ran it against
my own site. I was astonished. Every port, that could be, was open
and identifiable to anyone on the internet.

http://www.linuxsecurity.com/articles/host_security_article-1181.html


* Tech View: How 'buffer overflow' attacks work
July 20th, 2000

A "buffer overflow" attack deliberately enters more data than a
program was written to handle. The extra data, "overflowing" the
region of memory set aside to accept it, overwrites another region
of memory that was meant to hold some of the program's instructions.
The values thus introduced become new instructions that give the
attacker control of the target computer.

http://www.linuxsecurity.com/articles/server_security_article-1175.html


* Maximizing Apache Server Security
July 19th, 2000

An extensive article on Apache security.  However, does "free" come
at a price when it comes to security? It doesn't have to. The
diligent network manager will quickly recognize the advantages of
choosing a platform that is field-tested on more than six million
Web servers and runs on 17 operating systems.

http://www.linuxsecurity.com/articles/server_security_article-1167.html


Network Security News:
----------------------

* Why Do I Have to Tighten Security on My System?
July 20th, 2000

Again and again, when considering system security, people tell me, "I
already patch my system." I try to explain to them, as I will here,
why they're still vulnerable, even if they patch and read BugTraq
regularly.

http://www.linuxsecurity.com/articles/host_security_article-1168.html


* Security guru: Napster a security risk
July 20th, 2000

Corporate networks that allow Napster downloads are sitting ducks
for hackers, says one network security expert. "We call it risky
Internet behavior," says Chris Rouland, director of research at
Atlanta-based Internet Security Systems Inc., a leading computer
security firm.

http://www.linuxsecurity.com/articles/host_security_article-1174.html


* Secure Directory Services for E-Business, Part 3
July 19th, 2000

The threats to a directory are many, and if appropriate safeguards
are not maintained, a company may not even know when a directory has
been compromised. The primary threats include theft, destruction and
alteration of information (including user privileges.)

http://www.linuxsecurity.com/articles/network_security_article-1166.html


* IPSec - We've Got a Ways to Go
July 19th, 2000

IPSec, supposedly the next great thing that will fix most (if not
all) our network security problems. No longer will attackers be able
to sniff network traffic, hijack connections or spoof servers.
Hijacking domain names will be impossible with DNSSEC, and
redirecting people to fake Websites will be a thing of the past. Or
will it? There are currently a lot of problems and shortcomings with
IPSec that prevent the majority of network traffic from being
encrypted.

http://www.linuxsecurity.com/articles/network_security_article-1160.html


* RootPrompt: My experience with being cracked
July 19th, 2000

I emailed my findings to the systems admin and the owner of the ISP,
including the backdoor password and how to use it, with the
suggestion that they should backup everything, wipe the machine, and
load a current version of Red Hat (6.0 at the time) with the latest
patches. They replied that they would look into it.

http://www.linuxsecurity.com/articles/host_security_article-1163.html


* ADSL fundamentally insecure - BT
July 18th, 2000

The head of broadband services at BT has acknowledged that its
implementation of ADSL lacks security and it will be up to third
parties to ensure customers' data is unhackable.  Chris Gibbs, who
is masterminding the introduction of ADSL in the UK for BT, said that
the use of a fixed IP address in the implementation it expects to
roll out early next year, meant that unless steps were taken by its
third-party resellers, data on users' PCs could be accessed by
hackers.

http://www.linuxsecurity.com/articles/network_security_article-1151.html



Cryptography News:
------------------

* Encryption export policies updated
July 17th, 2000

The United States on Monday announced an update to its encryption
export policy affecting companies that sell encryption software to
users in the 15 European Union nations and in eight other countries
that are U.S. allies.

http://www.linuxsecurity.com/articles/cryptography_article-1150.html


* Administration Announces New Encryption Regulations
July 17th, 2000

The Clinton administration today said it plans to change laws
governing the export of powerful encryption technologies to allow
export of all information-scrambling products to any end user in the
European Union and to eight other trading partners.

http://www.linuxsecurity.com/articles/government_article-1143.html



Vendor/Product/Tools News:
--------------------------

* Check Point surpasses results, sees gains
July 21st, 2000

Surging demand for secure Internet connections helped online security
company Check Point Software Technologies Ltd. (CHKP.O) more than
double its earnings in the latest quarter, beating forecasts, the
company said on Wednesday.

http://www.linuxsecurity.com/articles/vendors_products_article-1177.html


* Biometrics Meet Wireless Internet
July 19th, 2000

Identix Inc. - a Motorola Inc.-funded maker of fingerprint
identification devices - last week launched a division that will
offer biometric authentication services to wireless and Internet
service providers.  The technology will allow customers of wireless
services and products to authenticate their identities when
conducting electronic transactions, according to Identix.

http://www.linuxsecurity.com/articles/vendors_products_article-1162.html


* Signing Up to Be Surveilled
July 18th, 2000

One company is making it easier for folks to "track" anyone, by
allowing them to pull up a map of the person's location on a personal
digital assistant (PDA) or computer.  Fleet Tracking lets businesses
such as taxi companies and delivery services keep tabs on their
employees. L411, a consumer-oriented directory assistance, allows
subscribers to call switchboard operators who can view a map and
identify where a call is being made from.

http://www.linuxsecurity.com/articles/privacy_article-1152.html



General News:
-------------

* Banning secret workplace snooping
July 21st, 2000

A group of bipartisan lawmakers introduced a bill today that would
ban companies from secretly monitoring employees' electronic
communications. The bill wouldn't prohibit companies from snooping,
but would require them to disclose their monitoring practices to
employees when they are hired and to update them on an annual basis.

http://www.linuxsecurity.com/articles/privacy_article-1182.html


* Fighting a losing battle on the front lines of security
July 20th, 2000

You sacrifice convenience for security and security for convenience.
For which goal was your computer network built? In the realm of
human endeavor, there is usually a simple logic applied to the
process of building things. This logic is seen in the way houses,
computers, and even cans of mandarin oranges are built.

http://www.linuxsecurity.com/articles/general_article-1173.html


* .comment: Service Security -- Where Is It?
July 19th, 2000

I have a bone to pick with most, maybe all, Linux distributors: Why
in the world do they ship such security nightmares?  To their
credit, many stay on top of security issues, sending urgent messages
to registered users and mailing list subscribers when a potential
security exploit is found in a particular package, along with
workarounds, updated packages, or both.

http://www.linuxsecurity.com/articles/general_article-1165.html


* ACLU Requests Source to 'Carnivore'
July 19th, 2000

In what may be the first request of its kind, the American Civil
Liberties Union is asking the Federal Bureau of Investigation to
disclose the computer source code and other technical details about
its new Internet wiretapping programs.  (Carnivore)

http://www.linuxsecurity.com/articles/privacy_article-1164.html


* How to be stupid by mutual agreement
July 18th, 2000

A reader was somewhat surprised by his ISP's apparent disregard for
security when he received an email requesting his username and
password.  The request came as part of an update email from
themutual.net, telling him what news features had been added, what
its "partners" could offer them and why themutual.net was the only
ISP he should even consider. Fair enough.

http://www.linuxsecurity.com/articles/privacy_article-1155.html


* EarthLink claims Carnivore can cause technical problems
July 17th, 2000

Saying it could cause technical problems and bring part of its system
down, EarthLink Inc., one of the country's largest Internet service
providers (ISPs), has reportedly refused to install a new FBI
electronic surveillance device on its network.

http://www.linuxsecurity.com/articles/privacy_article-1138.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com