
See also: last week's Security page.

Security


News and Editorials

Data privacy and the file that wouldn't go away. Most of you are already familiar with the idea that files don't really disappear when you delete them. The name is simply unlinked, i.e., the space on the disk where the data was stored becomes available for writing new data, but the old data doesn't automatically go away. Normally, this is not a critical issue for the average user. In fact, many utilities have been written over the years to take advantage of this behavior, allowing an unwary user to "undelete" a file that they really hadn't meant to delete in the first place.

However, in a security-critical facility, everything changes. It is absolutely critical to know that a file, once deleted, is really, really gone. This problem isn't specific to computers, of course. Paper shredders were created to deal with this same issue in the paper office. Recovering information from a piece of paper that has been burned is an old trick in the detective/mystery writer business. If you're really, really serious about it, you dissolve the paper with acid, then mix with other fluids, then flush the results down the toilet -- everyone knows that, right? No, but presumably if you're in a business where the issue is important, you've learned.

So someone in a sensitive industry using a computer also knows that something extra must be done to "really" delete a file. There are a variety of options for this under Linux. One program for the job, shipped with Red Hat Linux 6.2, is called "shred". The man page describes it as a utility to "Delete a file securely, first overwriting it to hide its contents." Unfortunately, it turns out that shred doesn't do a very good job. In fact, shred is so bad at what it does that its own author has abandoned the program, asking archive sites to remove it entirely. If you've been using shred, guess what: the contents of the files you thought you deleted may still be sitting on your disk.

The news isn't all bad; another program called Wipe is available to do the same thing and appears to be much more highly regarded. However, to demonstrate just how difficult the job is, Wipe's home page starts out with a warning that even Wipe won't be effective unless you disable the write cache on your disk and, under Linux, mount your filesystem with the "mand" option (to get kernel-enforced mandatory file locking). That's just the beginning, though, as noted by Alfred Perlstein, who pointed out that data-journaling filesystems, transactional filesystems, filesystems that perform online defragmentation (FreeBSD FFS with reallocblks) and filesystems that offer snapshot capabilities may all interfere with the intentions of programs like shred and wipe: the overwrite can land on blocks other than the ones the original data occupied.

If you've checked for all of those issues, don't forget one more: backups. You could spend a lot of time making sure your file has been deleted from your disk only to discover one or more perfectly good copies on your backup media (you do backups, right?).

Face it, we've optimized disks, filesystems and operating systems to prevent accidental loss of data. As a result, making sure that data really goes away is not easy to do. For most of us, that isn't a problem. For those of you in security-critical environments, be sure to check out your procedures carefully. There is a lot of margin for error.
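As an added illustration (not code from shred, wipe or any other tool mentioned above), here is what an overwrite-then-unlink routine of that kind looks like in C, together with a lookup of which filesystem a file lives on, so the caller can refuse to trust the overwrite where journaling, copy-on-write, snapshots or a network server may keep the old blocks around. The function names, the list of filesystem types to distrust and the /proc/mounts parsing are this example's own assumptions; it targets Linux and does nothing about disk write caches, backups or swap.

```c
/* Added example: overwrite-then-unlink in the style of shred/wipe, plus a check
 * of the filesystem a path lives on.  Not the code of either tool. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* xorshift64: deterministic filler for the random passes.  A real tool would
 * read the pattern from /dev/urandom; determinism keeps this testable. */
static uint64_t next_word(uint64_t *s) {
    *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17;
    return *s;
}

/* Overwrite every byte of a regular file in place: `passes` passes of
 * pseudo-random data, then one pass of zeros, with fsync() after each pass so
 * the data is pushed out of the page cache.  The file is deliberately left in
 * place so a caller can read it back and confirm the old contents are gone.
 * Returns 0 on success, -1 with errno set otherwise. */
int overwrite_in_place(const char *path, int passes) {
    int fd = open(path, O_RDWR | O_NOFOLLOW);   /* refuse a symlink planted at the path */
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) { close(fd); errno = EINVAL; return -1; }
    unsigned char buf[4096];
    uint64_t seed = 0x9E3779B97F4A7C15ULL ^ (uint64_t)st.st_ino;
    for (int pass = 0; pass <= passes; pass++) {
        if (lseek(fd, 0, SEEK_SET) < 0) { close(fd); return -1; }
        for (off_t left = st.st_size; left > 0; ) {
            size_t n = left < (off_t)sizeof buf ? (size_t)left : sizeof buf;
            if (pass == passes) {
                memset(buf, 0, n);                          /* final pass: zeros */
            } else {
                for (size_t i = 0; i < n; i += 8) {
                    uint64_t w = next_word(&seed);
                    memcpy(buf + i, &w, n - i < 8 ? n - i : 8);
                }
            }
            ssize_t w = write(fd, buf, n);
            if (w <= 0) { close(fd); return -1; }
            left -= w;
        }
        if (fsync(fd) < 0) { close(fd); return -1; }       /* past the page cache, not past a drive's write cache */
    }
    close(fd);
    return 0;
}

/* Overwrite, truncate to zero, flush, then unlink.  If the inode has other
 * hard links, its data is still overwritten but the other names keep it alive. */
int secure_unlink(const char *path, int passes) {
    if (overwrite_in_place(path, passes) < 0) return -1;
    int fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    int rc = ftruncate(fd, 0);
    if (rc == 0) rc = fsync(fd);
    close(fd);
    return rc < 0 ? -1 : unlink(path);
}

/* Filesystem types where an in-place overwrite is not guaranteed to hit the
 * original blocks: journaling (depends on the data= mode), copy-on-write or
 * snapshotting, network-backed, and tmpfs (copies may sit in swap).  Assumed list. */
int fs_needs_caution(const char *fstype) {
    static const char *risky[] = { "ext3", "ext4", "reiserfs", "jfs", "xfs", "btrfs", "zfs",
                                   "nfs", "nfs4", "cifs", "overlay", "tmpfs", NULL };
    for (int i = 0; risky[i]; i++)
        if (strcmp(fstype, risky[i]) == 0) return 1;
    return 0;
}

/* Given the text of /proc/mounts ("device mountpoint fstype options 0 0" per
 * line), report the fstype of the mount holding `path`; the longest matching
 * mount point wins.  Returns 1 and fills `out`, or 0 if nothing matched. */
int fstype_for_path(const char *mounts, const char *path, char *out, size_t outlen) {
    size_t best = 0;
    int found = 0;
    for (const char *line = mounts; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char tmp[512], dev[256], mnt[256], type[64];
        if (len < sizeof tmp) {
            memcpy(tmp, line, len);
            tmp[len] = '\0';
            if (sscanf(tmp, "%255s %255s %63s", dev, mnt, type) == 3) {
                size_t ml = strlen(mnt);
                int under = strncmp(path, mnt, ml) == 0 &&
                            (ml == 1 || path[ml] == '/' || path[ml] == '\0');
                if (under && ml > best) { best = ml; found = 1; snprintf(out, outlen, "%s", type); }
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return found;
}
```

Usage: read /proc/mounts into a buffer, call fstype_for_path() on the absolute path of the file, and if fs_needs_caution() says yes, stop and check the mount options (or the filesystem's snapshot state) before trusting secure_unlink(). Even when it says no, the overwrite only reaches the platters if the drive's own write cache is off, which is the point Wipe's home page makes.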

Sen. Edwards Intro's 'Spyware Control Act' (Newsbytes). Senator Edwards, a Democrat from North Carolina, introduced a new bill into Congress to address software privacy issues, the "Spyware Control and Privacy Act". Newsbytes covered the new bill and its potential impact. "Under S. 3180, the "Spyware Control and Privacy Protection Act," manufacturers that build spyware into their products must give consumers clear and conspicuous notice - at the time of installation - that the software contains spyware. Such a notice would describe what information would be collected and to whom it would be sent. The spyware would then be forced to lie dormant unless the consumer chooses to enable it."

Damages of up to half a million dollars are allowed under the current form of the bill. Note, however, that some of the bill's teeth are removed by exceptions for technical support and licensing issues.

Maybe I Should Be Afraid of Linux? (SecurityPortal). SecurityPortal looks at Linux and security. "In any case, this is a serious strike against Linux's security as a server operating system. Linux seems to have become the 'number 1 target.' The bulk of the new exploit code is coming out for Linux, even for vulnerabilities present in all Unices." Overall the article is quite positive. (Thanks to Cesar A. K. Grossmann).

This month's CRYPTO-GRAM newsletter. Bruce Schneier's CRYPTO-GRAM newsletter for October is out. It covers the rise of "semantic attacks," web privacy policies, and the selection of Rijndael for the AES standard. There is also a brief mention of the CueCat fun.

Security Reports

Format string vulnerabilities in PHP. Multiple format string vulnerabilities in PHP 3 and PHP 4, including one involving the use of syslog, were independently reported by two separate parties. Here is the report from Jouko Pynnönen and the advisory from @stake, Inc. These vulnerabilities can be exploited remotely to execute arbitrary code under the web server's identity. The PHP team was notified and has released new versions of both PHP 3 and PHP 4 to fix these problems.

Here is the announcement for PHP 4.0.3, the corrected version of PHP4. PHP 3.0.17, the corrected version of PHP 3, is also available for download.

This week's updates:

GnuPG false signature verification. The GNU Privacy Guard is a complete and free private/public key encryption system. Jim Small reported to BugTraq a problem in how GnuPG handles multiple signatures within a single message. It turns out that GnuPG 1.0.3 and earlier only check a single signature within a message for validity, even if the message contains multiple signatures.

Werner Koch, from the GnuPG development team, posted an acknowledgment of the problem. GnuPG 1.0.4 has, since then, been released and contains the fix for this problem. Anyone using GnuPG will want to upgrade their package as soon as possible.

As another data-point for the need for pro-active auditing for security problems, Werner commented, "This problem has been in GnuPG since the beginning but Jim seems to be the first one who noticed that. We need better auditing folks!"

XFree86 3.3.X Xlib buffer overflow. Another buffer overflow in Xlib in XFree86 3.3.X was reported on BugTraq by Michal Zalewski. It appears that this problem was fixed in XFree86 4.0 over a year ago, but the fix was never backported to XFree86 3.3.X. Ramifications of this vulnerability appear to be limited. No official response or patch has been provided as of yet.

muh IRC bouncer format string vulnerability. muh, a GPL'd IRC bouncer, contains a remotely-exploitable format string vulnerability that can allow the execution of arbitrary code under the identity of the muh user. The problem was reported in this FreeBSD advisory but would affect any system with muh installed. The advisory indicates that the vendor has been contacted and an updated version of muh released. However, information from the muh homepage indicates that only a source patch for the problem is currently available.

NIS/ypbind format string vulnerability. A format string vulnerability has been reported in NIS/ypbind. ypbind is used to request information from a NIS server, which is then used by the local machine. The logging code in ypbind-3.3.X passes attacker-controlled data to a printf-style function as the format string, which can be exploited by sending ypbind a carefully crafted request. As a result, ypbind can be made to run arbitrary code as root. This is a bad vulnerability; an immediate upgrade is strongly recommended.

The SuSE update below makes interesting reading as it describes the problems that have come up with various versions of the ypbind daemon. As a result, SuSE has not released a fix for ypbind-3.3.X, but instead has updated ypbind-mt (default for SuSE 7.0) and recommends that all customers upgrade to the SuSE 7.0 base and then apply this fix.
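The PHP, muh and ypbind reports above (and the CFEngine and LPRng entries under Updates) are all the same bug: untrusted data handed to a printf-style function as its format. The following is an added example, not code from any of those projects, showing the vulnerable logging pattern beside its one-argument fix, plus a small scanner that counts the conversion directives in a piece of input, the kind of check you want when auditing what reaches a syslog() call or when looking for "%n" in request logs. The function names and the sample payload are this example's own.

```c
/* Added example: a printf-style logging wrapper used wrongly and rightly, and
 * a directive counter for untrusted input.  Not code from PHP, muh, ypbind,
 * CFEngine or LPRng. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A logging wrapper of the kind that fronts syslog() or fprintf(). */
static int log_fmt(char *out, size_t outlen, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable: the untrusted string *is* the format.  Every '%' in it is
 * obeyed: %x reads words from the caller's frame, %s dereferences them, and
 * %n writes the count of characters printed so far through a pointer found
 * there, which is how these bugs turn into arbitrary code execution. */
int log_line_unsafe(char *out, size_t outlen, const char *untrusted) {
    return log_fmt(out, outlen, untrusted);             /* BUG, kept on purpose */
}

/* Fixed: constant format, the data passed as an argument. */
int log_line_safe(char *out, size_t outlen, const char *untrusted) {
    return log_fmt(out, outlen, "%s", untrusted);
}

/* Parse one directive at p (p[0] == '%').  Returns a pointer past it and
 * stores the conversion character, or NULL if it is not well formed. */
static const char *parse_directive(const char *p, char *conv) {
    const char *q = p + 1;
    while (*q && strchr("-+ #0", *q)) q++;                                   /* flags */
    while (*q && (*q == '*' || (*q >= '0' && *q <= '9'))) q++;               /* width */
    if (*q == '.') { q++; while (*q && (*q == '*' || (*q >= '0' && *q <= '9'))) q++; }  /* precision */
    while (*q && strchr("hlLqjzt", *q)) q++;                                 /* length */
    if (*q && strchr("diouxXeEfFgGaAcspn", *q)) { *conv = *q; return q + 1; }
    return NULL;
}

/* Count the conversion directives in untrusted input ("%%" excluded) and how
 * many of them are %n.  A login name or hostname has no business containing
 * either; one %n is the signature of a write attempt. */
int count_directives(const char *s, int *writes) {
    int n = 0;
    *writes = 0;
    for (const char *p = s; *p; ) {
        if (*p != '%') { p++; continue; }
        if (p[1] == '%') { p += 2; continue; }           /* literal percent sign */
        char conv;
        const char *next = parse_directive(p, &conv);
        if (!next) { p++; continue; }
        n++;
        if (conv == 'n') (*writes)++;
        p = next;
    }
    return n;
}

int main(void) {
    char buf[128];
    int writes;
    const char *payload = "user=AAAA%08x.%08x.%n";      /* constructed attacker input */
    log_line_safe(buf, sizeof buf, "100%% done");
    printf("safe  : %s\n", buf);
    log_line_unsafe(buf, sizeof buf, "100%% done");
    printf("unsafe: %s\n", buf);                         /* the format was interpreted */
    printf("%d directives (%d of them %%n) in %s\n",
           count_directives(payload, &writes), writes, payload);
    return 0;
}
```

The "100%% done" input is the tamest possible demonstration: with the safe wrapper it is logged verbatim, with the unsafe one the escape is interpreted. Feed the unsafe wrapper "%08x.%08x" and it prints whatever sits in the caller's stack frame instead; that is the information leak the ypbind, muh and PHP advisories describe, and "%n" is the step from leak to write.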

This week's updates:

Kondara MNU/Linux update to pdnsd. pdnsd is a small name-server optimized for caching. Kondara MNU/Linux put out an advisory reporting that pdnsd terminates unexpectedly after receiving an illegal packet, opening up a potential denial-of-service attack. They provide pdnsd 1.0.11 packages which contain a fix for the problem.

Meanwhile, pdnsd 1.0.12 has been released as well (according to the pdnsd home page), promising more hardening against denial-of-service attacks and "additional security enhancements".

curl buffer overflow. The Debian Project has issued a security update to curl, fixing a buffer overflow problem in that package. Debian has released patched versions of curl and curl-ssl 6.0-1. Meanwhile, curl 7.4.1 has also been announced and includes a fix for a "possible buffer overflow" as well, presumably the same one.

Buffer overflows in ping. Red Hat has issued a security update to ping fixing two buffer overflows and modifying the manner in which ping handles sockets. Note that there are multiple free software versions of ping floating around; the one fixed today was Alexey Kuznetsov's ping, which is part of iputils, as opposed to the ping included in netkit. Chris Evans found most of the problems and worked with Alexey to get them fixed. Presumably, any other distribution that is using Alexey's ping will also need to put out an update.

FreeBSD update to fingerd. FreeBSD has issued an update to fingerd to fix a security problem specific to FreeBSD.

Authentication failure in cmd5checkpw 0.21. cmd5checkpw is an authentication module that implements the CRAM-MD5 authentication mode. Designed to work with qmail, it can be used by other programs as well. Javier Kohen has reported an input validation error in cmd5checkpw which, when used in conjunction with a version of qmail-smtpd that has been patched to add SMTP AUTH support, causes a segfault when a non-existent username is supplied. The qmail-smtpd patch, in turn, interprets the checker's crash as a successful validation, so a non-existent username is enough to authenticate. cmd5checkpw 0.22 fixes the error in the authentication module and qmail-smtpd-auth 0.26 fixes the problem in the qmail patch.
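The qmail-smtpd side of that report is an instance of a classic fail-open mistake in any program that spawns a separate password checker. As an added example (not the qmail-smtpd-auth or cmd5checkpw code, whose exact defect the report above does not spell out), here is the wait-status check that produces exactly this behavior next to the correct one, with a forked stand-in checker that segfaults. It assumes the checkpassword convention that the checker exits 0 to accept and non-zero to reject; the function names are this example's own.

```c
/* Added example: how a crashed password checker can read as "accepted".
 * Not code from qmail-smtpd-auth or cmd5checkpw. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Wrong: WEXITSTATUS() is only meaningful when WIFEXITED() is true.  A child
 * killed by SIGSEGV has raw status 11 (0x8b if it dumped core); WEXITSTATUS
 * takes bits 8-15, which are zero, so the crash reads as "exit code 0". */
int auth_ok_buggy(int status) {
    return WEXITSTATUS(status) == 0;
}

/* Right: fail closed unless the child terminated normally with code 0. */
int auth_ok_correct(int status) {
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Run `checker` in a child, the way an SMTP daemon runs its checkpassword
 * program, and hand back the raw wait status, or -1 on error. */
int run_checker(void (*checker)(void)) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { checker(); _exit(111); }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return status;
}

/* Three constructed stand-ins for the checker, using the checkpassword exit
 * convention (0 = accepted, non-zero = rejected).  The third behaves like a
 * checker that dereferences NULL when the user name is unknown. */
void checker_accepts(void) { _exit(0); }
void checker_rejects(void) { _exit(1); }
void checker_crashes(void) { raise(SIGSEGV); }

int main(void) {
    void (*checkers[])(void) = { checker_accepts, checker_rejects, checker_crashes };
    const char *names[] = { "accepts", "rejects", "crashes" };
    for (int i = 0; i < 3; i++) {
        int st = run_checker(checkers[i]);
        printf("%-8s raw=0x%04x buggy=%d correct=%d\n", names[i], st,
               auth_ok_buggy(st), auth_ok_correct(st));
    }
    return 0;
}
```

The same rule applies to any checker driven over a pipe or via system(): a non-zero exit, a signal death, a read error or a timeout must all be treated as "rejected". Fixing the crash in the checker (as cmd5checkpw 0.22 does) is necessary, but the caller's fail-closed check is what keeps the next crash from becoming the next authentication bypass.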

Web scripts. The following web scripts were reported to contain vulnerabilities:

  • Auction Weaver LITE 1.0 - 1.04 perl-based CGI scripts contain vulnerabilities that could allow remote attackers to create, read, or delete arbitrary files using the privileges of the Auction Weaver uid. Auction Weaver 1.05 has been released with fixes for these problems.

Commercial products. The following commercial products were reported to contain vulnerabilities:

  • Anaconda Foundation Directory contains a directory traversal vulnerability. The vendors have been notified but have not yet responded.
  • Half-Life Dedicated Server is reported to contain an exploitable buffer overflow that is being actively probed for and used by potential attackers. No response from the vendor has been seen so far.

Updates

gnorpm tmpfile link vulnerability. Check last week's LWN Security Summary for more details.

This week's updates:

Previous updates:

GNU CFEngine format string vulnerability. Root access can be obtained on a local system by exploiting CFEngine's use of syslog and its related format string vulnerability. Check last week's LWN Security Summary for more details.

This week's updates:

Previous updates:

traceroute local root access. A local user can exploit vulnerabilities in traceroute to gain root access. For more information, check the October 5th LWN Security Summary.

This week's updates:

Previous updates:

Apache mod_rewrite vulnerability. Files outside the document root can be accessed, if the mod_rewrite module for Apache is in use. For more details, check last week's LWN Security Summary.

Apache 1.3.14 was released this week and contains fixes for this problem. Note, however, that it also broke configurations that use RewriteMaps, because the lookup key is no longer expanded. A patch to fix this has also been released. People upgrading to 1.3.14 will want to make sure that this patch has been applied.

This week's updates:

Previous updates:

ncurses buffer overflow. Check last week's LWN Security Summary for the initial report of this problem. It is surprising that Caldera has produced the only set of package updates for this problem so far.

This week's updates:

ssh/OpenSSH file transfer vulnerability. Check the October 5th LWN Security Summary for the initial report of this problem. Last week, Linux-Mandrake issued updated ssh packages that removed the setuid bit from OpenSSH under the misapprehension that this would mitigate this security problem. This week, they've announced the withdrawal of that security update, since removal of the setuid bit did not fix anything and broke some forms of authentication.

LPRng, LPR format string vulnerabilities. Format string problems in LPRng were reported in late September. Updates for LPRng and lpr (for a related problem) continue to be published.

This week's updates:

Previous updates:

xpdf symlink race condition. Check the August 31st Security Summary for the original report.

This week's updates:

Previous updates:

tmpwatch fork bomb denial-of-service vulnerability. Check the September 14th LWN Security Summary for details. A local root compromise problem turned up as well last week; this is fixed in all of the updates below as well.

This week's updates:

Previous updates:

usermode inherited environment variable vulnerability. Check last week's LWN Security Summary for details.

This week's updates:

Previous updates:

Resources

RFPolicy 2.0. An updated version of RFPolicy (Rain Forest Puppy's Policy) has been released. This widely discussed full disclosure policy is well worth reading for those of you new to security reporting (as well as those of us who aren't new). Of course, no organization enforces this policy, but it does outline widely accepted practices for both vendors and people who have found security problems and wish to report them.

Updated security tools. Here are some Open Source security tools which were announced, released, or for which minor updates have been made available in the past week:

  • VLAD the Scanner - An open source scanner that checks for the SANS Top Ten security vulnerabilities commonly found to be the source of a system compromise. It has been tested on Linux, OpenBSD and FreeBSD.

Events

Summercon 2001 - Request for Proposals. Summercon 2001 has issued its Request for Proposals for the next event, scheduled for June 1st through the 3rd, in Amsterdam, the Netherlands. "For those of you who do not know about Summercon, it is the oldest of the living security/hacker conferences. Its origins are well tied to the early years of Phrack Magazine."

Upcoming security events.

  • October 29-November 2, 2000: SD 2000 (Software Development Conference), Washington D.C., USA
  • November 1-3, 2000: Compsec 2000, Westminster, London, U.K.
  • November 1-4, 2000: 7th ACM Conference on Computer and Communication Security, Athens, Greece
  • November 3-5, 2000: PhreakNIC v4.0, Nashville, TN, USA
  • November 8, 2000: Security Forum 2000, Vancouver, British Columbia, Canada
  • November 13-15, 2000: CSI 27th Annual Computer Security Conference and Exhibition, Chicago, IL, USA
  • November 26-December 1, 2000: Computer Security 2000 and International Computer Security Day (DISC 2000), Mexico City, Mexico

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


October 19, 2000


Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds