

News and Editorials

Lessons from the Microsoft network intrusion. By far the most notorious security news of this past week was Microsoft's admission that its internal network had been compromised, that the FBI had been called in to investigate, and that the source code to Microsoft Windows and/or other Microsoft products had possibly been accessed by the intruders. Below, we've listed a compendium of sites that have coverage on the issue, so feel free to glut yourself.

Most of the coverage has looked at the mystery of who the intruders were, what their intent was, or the possible repercussions. For better or worse, though, these are all speculation; real answers will come later or possibly not at all. We'd like to focus, instead, on the lessons to be learned from this intrusion.

First and foremost, the clearest message we see is that "all bugs deserve to be fixed". We cannot resist pointing out this old, and infamous, interview with Bill Gates in which he states, "There are no significant bugs in our released software that any significant number of users want fixed". The largest "bug", in this case, has been the vulnerability of the various Microsoft operating systems to viruses and the unintended execution of suspect binaries. Rather than fix this fundamental flaw, Microsoft allowed and encouraged an entire industry built on "protecting people" from its impact. Unfortunately, the ease with which new viruses can be developed, or mutated from previous viruses, plus the sheer amount of personnel time needed to keep virus databases up-to-date and computers secured, makes a joke of the ostensible purpose of this industry.

The real purpose of the virus-protection software industry is to make money, and it was given a wonderful business model for it -- a never-ending supply of new viruses, guaranteeing that people would have to pay, again and again, in order to "get the latest protection". People didn't end up truly secure, just poorer. In the end, it is poetic justice that Microsoft itself should suffer for its choice. What user cares about having this bug fixed? In this case, Microsoft is one user that must wish this bug had been fixed. They are far from the only one.

Another lesson from this intrusion is the fallibility of the closed source security model. Time and time again, security experts in the Open Source community have warned that security which has not been exposed to scrutiny cannot be counted on. Now, with the possibility that the Microsoft operating system code has been exposed, and exposed to people with a track record for exploiting security vulnerabilities, we're about to get a graphic lesson on the topic. Given the widespread use of Microsoft products, what country, what company, is not currently wondering what impact this will have on them? Many people believe there are backdoors in Microsoft products -- if there are, and the source code has truly been exposed, they will be exploited.

If I were a foreign government, I would be strongly tempted to make an international incident of this intrusion, demanding immediate disclosure of the source code, so that everyone at least has an equal chance of finding security vulnerabilities and protecting themselves against them.

In the end, the final lesson: while access to the source code can't protect you from security problems, it is an essential first step towards security. You can't protect yourself without it.

Press Coverage:

Princeton Team Cracks SDMI (Web Developer). The Secure Internet Programming team at Princeton chose to pick up the SDMI Challenge. As a result, they announced this week their defeat of the SDMI watermark technology, a critical part of SDMI's boasted security.

The Princeton team explained their decision to participate in the challenge in their FAQ, which is well worth a perusal. Here is one quote:

"Still, wouldn't it have been better for opponents of SDMI if you let SDMI go ahead and deploy a flawed technology, so music lovers could teach them a lesson by copying music despite the technology?

Of course not. This is scientific research: it is not our goal to engage in tactics such as tricking the industry into choosing a flawed system. Our goal is simply to analyze security systems and share our results openly with the scientific community.

Again, researchers who crack cryptosystems and security systems are not motivated by a desire to exploit these flaws later. They are merely subjecting systems to analysis, motivated instead by a desire to increase the existing body of knowledge about security systems.

Secondly, if the technology is cracked in deployment, rather than on the drawing board, everyone loses to some extent. The recording industry obviously, device manufacturers most certainly, but even opponents of SDMI. Even pirates! To an opponent of SDMI, even a broken, circumventable SDMI system is worse than no SDMI system at all."

They go on to discuss the implications of the Digital Millennium Copyright Act (DMCA), which they felt would have made research into SDMI security outside the announced contest potentially illegal, and the glaring faults of the contest itself, which did not give contestants access to software equal to that which a consumer will have if the technology is deployed.

Princeton waived the potential reward in return for free disclosure of what they found. We can only hope that their work helps bridge the knowledge gap with proponents of SDMI.

Zero Knowledge marks Freedom milestone (Upside). Mike Shaver, Zero Knowledge's Chief Software Officer and well known Mozilla veteran, wanted to put an open source spin on the company's products. With the release of Freedom 2.0, they've made it official. "Freedom 2.0 is a software tool that lets users encrypt Internet communications and route those encrypted messages through a collection of independent servers which, in turn, add their own layers of encryption. Users who run the client on their desktop machines can use it to manage a collection of pseudonymous identities."

Tripwire Open Source, Linux Edition Now Available. Tripwire, Inc. has released Tripwire Open Source Linux Edition, a project being hosted on Sourceforge.

Interview with AES Winner (LinuxSecurity.com). Vincent Rijmen, co-author of the AES-winning algorithm known as Rijndael, is interviewed by LinuxSecurity.com for his thoughts on the development of the Rijndael algorithm, its selection as the NIST algorithm of choice for AES, thoughts on Linux and security, and the future of Internet security. "Vincent Rijmen: ... I think there is an important challenge in making the distinction between complexity and security. Some people still believe that added complexity automatically increases security. This belief should be erased. We should keep on working towards secure and simple systems that are as easy to understand for people as a door lock, a sealed envelope, etc."

Security Reports

Samba 2.0.7 SWAT vulnerabilities. Multiple vulnerabilities in SWAT, the Samba Web Administration Tool, were reported this past week. They can be used to brute-force usernames and passwords and, if logging is enabled, a race condition can be exploited locally to gain root access. Finally, a denial-of-service attack is also possible. No fixes have been posted as of yet. Disabling SWAT, or restricting access to the service, is recommended.

nss_ldap race condition. Red Hat has reported a race condition in nss_ldap, a set of C library extensions which enable the use of X.500 and LDAP directory servers. Updated packages are provided. This problem will affect any Linux system using the nss_ldap package. No update from PADL Software, the official maintainer of nss_ldap, has been seen yet.

pam_mysql trusted input vulnerability. pam_mysql, a pluggable authentication module used to authenticate users against a MySQL database, trusts the user-provided username and password when constructing SQL statements. This can be exploited both locally and remotely to gain access to plaintext passwords/hashes or, with pam_mysql > 0.4, to gain an unauthorized login. Check the original advisory for additional details.

An upgrade to pam_mysql 0.4.7 will fix the problem.
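The construction the advisory describes, shown as an added example that is not pam_mysql's own code: a query built by splicing the username straight into the SQL text, next to the same query with the value escaped first. The function names and the users/password table and column names are assumptions for the demonstration, only the username is shown (the advisory says the password is handled the same way), and the escaping routine stands in for mysql_real_escape_string() or a prepared statement, which is what production code should use.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe shape: the username is spliced into the SQL text, so any quote it
 * contains is parsed as SQL rather than as data. A perfectly legitimate
 * name such as o'brien already yields a malformed statement; hostile input
 * is interpreted in exactly the same way. Returns bytes written or -1. */
int build_query_unsafe(char *out, size_t outsz, const char *user)
{
    int n = snprintf(out, outsz,
                     "SELECT password FROM users WHERE user='%s'", user);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Backslash-escape the characters MySQL string literals treat specially:
 * single quote, double quote and backslash. Stands in for
 * mysql_real_escape_string(); prepared statements are better still.
 * Returns bytes written or -1 if the output buffer is too small. */
int sql_escape(char *out, size_t outsz, const char *in)
{
    size_t o = 0;
    for (; *in; in++) {
        int needs_escape = (*in == '\'' || *in == '"' || *in == '\\');
        if (o + (needs_escape ? 2 : 1) + 1 > outsz)
            return -1;
        if (needs_escape)
            out[o++] = '\\';
        out[o++] = *in;
    }
    out[o] = '\0';
    return (int)o;
}

/* Safe shape: the value is escaped before it meets the SQL text, so it can
 * only ever be the contents of the string literal. */
int build_query_safe(char *out, size_t outsz, const char *user)
{
    char esc[256];
    if (sql_escape(esc, sizeof esc, user) < 0)
        return -1;
    int n = snprintf(out, outsz,
                     "SELECT password FROM users WHERE user='%s'", esc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Count quotes that are not backslash-escaped. The intended statement has
 * exactly two; any other count means the data leaked into the grammar. */
int count_bare_quotes(const char *sql)
{
    int count = 0;
    for (size_t i = 0; sql[i]; i++) {
        if (sql[i] == '\\' && sql[i + 1]) { i++; continue; }
        if (sql[i] == '\'') count++;
    }
    return count;
}

int main(void)
{
    char buf[512];
    /* Constructed sample username containing an apostrophe. */
    build_query_unsafe(buf, sizeof buf, "o'brien");
    printf("unsafe: %s  (bare quotes: %d)\n", buf, count_bare_quotes(buf));
    build_query_safe(buf, sizeof buf, "o'brien");
    printf("safe:   %s  (bare quotes: %d)\n", buf, count_bare_quotes(buf));
    return 0;
}
```

The quote count is the tell: with o'brien the unsafe builder emits three bare quotes, so the database parses a statement different from the one the programmer wrote, which is the opening the advisory describes for a crafted username or password. Escaping keeps the count at two regardless of input.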

bftpd buffer overflow. An exploitable buffer overflow was reported in bftpd 1.0.11. bftpd 1.0.12 has been released with a fix for this problem.

Multiple buffer overflows in tcpdump. FreeBSD discovered multiple buffer overflows in tcpdump 3.5 during an internal audit. They have released a patch to fix the problems.

Format string vulnerability in FreeBSD chpass utilities. FreeBSD reported a format string vulnerability which impacts multiple commands, including chfn, chpass, chsh, ypchfn, ypchpass, ypchsh, and passwd. Local root access can be obtained. They have released patches for the problem. Note that other BSD variants are likely affected; we do not know whether or not this code is shared with Linux.

dump-0.4b15 local root access. An input-trust vulnerability in dump-0.4b15 allows dump's environment variables to be used to gain local root access, according to this report on BugTraq. No patch for this has been released as of yet.

Red Hat cyrus-sasl advisory. Red Hat has released a security advisory for the cyrus-sasl packages shipped with Red Hat 7. Due to a bug, users who had been successfully authenticated were allowed to access resources that should have been blocked from them. Versions of cyrus-sasl shipped with earlier Red Hat Power Tools packages do not have the reported problem.

host 8.21 exploitable buffer overflow. An exploitable buffer overflow was apparently found and fixed in the host command some months ago, without announcement. host 8.21 has been verified as exploitable. No information on what version of host contains the fix for this is yet available.

lpr group permissions elevation. An IRC chat session reported vulnerabilities in lpr-0.50-4 and earlier which can be exploited locally to gain elevated permissions. In combination with a wu-ftpd install, it can be used to gain root. Note that newer versions of lpr are widely available, but you may want to check the version you are using.

Commercial products. There appears to have been a minor conspiracy to release advisories regarding security flaws in commercial products this week. The following commercial products were reported to contain vulnerabilities:

  • The HTTP service facility in the Cisco IOS can be crashed and forced to reload in reaction to a remote command. Cisco has acknowledged the problem and made fixes and workarounds available. Note that unofficial reports indicate the Catalyst 2820 units with ATM interfaces are also vulnerable, although the advisory indicates they are not. Cisco has confirmed and an updated advisory is promised.

  • The Cisco Catalyst 3500 XL series switches are reported to allow execution of any command via the web interface without logging in. No response from Cisco has been posted yet.

  • The Cisco Systems' Virtual Central Office 4000 (VCO/4K) is reported to be exploitable via SNMP, allowing an attacker to gain administrative access. No response from Cisco has been posted yet.

  • iPlanet Web Server 4.x is vulnerable to a denial-of-service attack. No vendor fix or workaround is available, though the vendor was apparently notified multiple times as early as January, 2000. Netscape Enterprise Server 3.6sp3, fortunately, does not appear to be impacted.

  • iPlanet CMS and Netscape Directory Server have been reported vulnerable to both local and remote exploits via two bugs. The first bug allows a classic directory traversal exploit, where unauthorized files outside the webserver root may be accessed. The second exposes the administrator password, which is not difficult since it is stored in plain text. Patches for iPlanet have been made available from the vendor.

  • The Oracle Enterprise Server listener program is vulnerable to a remote attack from which server access and the ability to execute commands can be gained. Oracle has made patches available for this problem.

  • Trusted Systems' TIS Firewall Toolkit (FWTK) is reported to contain a format string vulnerability in its X Window gateway which can be exploited, in some cases, to execute arbitrary code on the firewall. The vendor does not appear to have been notified in advance. Rick Murphy posted some comments on this vulnerability, including a promise of an unofficial patch for the problem.

  • The Ultraseek Search engine is reported to be vulnerable to a denial-of-service attack. The vendor has made patches available.

  • Unify's eWave ServletExec, a plug-in used with Apache and other webservers, is reportedly vulnerable to both a denial-of-service attack and unauthorized remote command execution. ServletExec version 3.0E has been made available to fix these problems.

  • Allaire's JRun 3.0 is vulnerable to a denial-of-service attack. Allaire has acknowledged the problem and has released a patch.

  • CGIScriptCenter's News Update 1.1 has been reported to contain a vulnerability whereby the news administration password can be changed without previous authentication.


Conectiva update to XFree86 vulnerabilities. Andreas Hasenack of Conectiva sent in this update regarding our report on XFree86 vulnerabilities last week:

Regarding your story on XFree86 vulnerabilities, we have released an update for one of the vulnerabilities (in Portuguese) [BugTraq #1235] for the CL 5.0 distro (others, where applicable, were also updated). That update was done at a time when we were not sending update notices to lwn.net nor bugtraq, but only to our own local lists (in pt_BR). The other XFree86 issues are being investigated and will be addressed soon.

Apache mod_rewrite vulnerability. Files outside of the document root can be accessed if the mod_rewrite module for Apache is in use. For more details, check the October 5th LWN Security Summary.

This week's updates:

Previous updates:

Pine buffer overflow vulnerability. An exploitable buffer overflow in Pine was reported to BugTraq in early October. The problem involves Pine's handling of incoming mail during an open session. Check the October 5th LWN Security Summary for the initial report. Note that the FreeBSD update below is the first one we've seen for this problem.

Also announced this week was pine 4.30, which, judging by the Changes, fixes this problem.

This week's updates:

ncurses buffer overflow. Check the October 12th LWN Security Summary for the initial report of this problem. Updates for this vulnerability continue to trickle in more slowly than usual.

This week's updates:

Previous updates:

Boa webserver directory traversal vulnerability. Check the October 12th LWN Security Summary for more details. Boa fixes this problem.

This week's updates:

Previous updates:
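A defence against the class of bug that mod_rewrite, Boa and the iPlanet products above are reported to share, as an added example rather than any of those projects' code: the request path is percent-decoded, then normalised lexically against the document root, and refused if a ".." would step above it. resolve_under_root(), its helpers and the /var/www root used in the demo are assumptions chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode in into out. Rejects malformed escapes and an encoded NUL,
 * which would silently truncate the path in later C string handling. */
static int url_decode(char *out, size_t outsz, const char *in)
{
    size_t o = 0;
    while (*in) {
        int c = (unsigned char)*in++;
        if (c == '%') {
            int hi = in[0] ? hexval((unsigned char)in[0]) : -1;
            int lo = (hi >= 0 && in[1]) ? hexval((unsigned char)in[1]) : -1;
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            in += 2;
            if (c == 0) return -1;
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Join docroot and a decoded request path segment by segment. "." is
 * dropped, ".." removes the previous segment and is refused when nothing
 * is left to remove, so the result can never leave docroot.
 * Returns 0 and fills out on success, -1 on rejection or overflow. */
int resolve_under_root(char *out, size_t outsz, const char *docroot, const char *reqpath)
{
    char dec[1024];
    size_t starts[128];        /* offset in out where each kept segment begins */
    int depth = 0;

    if (url_decode(dec, sizeof dec, reqpath) < 0) return -1;

    size_t o = strlen(docroot);
    if (o + 1 > outsz) return -1;
    memcpy(out, docroot, o);

    const char *p = dec;
    while (*p) {
        while (*p == '/') p++;             /* collapse repeated slashes */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);

        if (len == 1 && seg[0] == '.') continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0) return -1;     /* would climb above docroot */
            o = starts[--depth];
            continue;
        }
        if (depth >= 128 || o + 1 + len + 1 > outsz) return -1;
        starts[depth++] = o;
        out[o++] = '/';
        memcpy(out + o, seg, len);
        o += len;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed requests against an assumed document root. */
    const char *reqs[] = { "/index.html", "/docs/../img//logo.png",
                           "/%2e%2e/%2e%2e/outside.txt", "/a/%00/b" };
    char out[256];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        if (resolve_under_root(out, sizeof out, "/var/www", reqs[i]) == 0)
            printf("%-28s -> %s\n", reqs[i], out);
        else
            printf("%-28s -> rejected\n", reqs[i]);
    }
    return 0;
}
```

Decoding before normalising matters: a check that looks for the literal ".." in the raw request misses the same thing written as %2e%2e. The check is purely lexical and therefore does not follow symbolic links; a server that must also defend against links inside the docroot would follow this with realpath() on the result and compare the prefix again.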

NIS/ypbind format string vulnerability. A format string vulnerability in NIS/ypbind can be remotely exploited to run arbitrary code as root. An immediate upgrade is recommended. For more information, check the October 19th LWN Security Summary.

This week's updates:

Previous updates:

GnuPG false signature verification. GnuPG fails to correctly validate multiple signatures in a file. Check the October 19th Security Summary for details. GnuPG 1.0.4 has been released and contains the fix for this problem. Anyone using GnuPG will want to upgrade their package as soon as possible.

This week's updates:

Previous updates:

Buffer overflows in ping. Multiple buffer overflows in Alexey Kuznetsov's ping were discussed October 19th.

This week's updates:

Previous updates:

GNU CFEngine format string vulnerability. Root access can be obtained on a local system by exploiting CFEngine's use of syslog and its related format string vulnerability. Check the October 5th LWN Security Summary for more details.

This week's updates:

Previous updates:
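The bug class behind the chpass, TIS FWTK, ypbind and CFEngine reports on this page, shown as an added example that is not taken from any of those projects: an untrusted string handed to a printf-family function as the format, versus the same string passed as an argument to a constant "%s" format. syslog() is replaced by snprintf() into a buffer so the example runs stand-alone; log_event_safe() and has_format_directive() are names chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Vulnerable shape, kept only as a comment because calling it with hostile
 * input is undefined behaviour:
 *
 *     void log_event_unsafe(const char *msg) { syslog(LOG_INFO, msg); }
 *
 * Every '%' in msg becomes a conversion specifier, so the logger reads (and
 * for some specifiers writes) memory the caller never meant to expose. */

/* Safe shape: the format is a string constant and the untrusted text is
 * consumed as a %s argument, so its '%' characters are just bytes.
 * Returns bytes written or -1 on truncation. */
int log_event_safe(char *out, size_t outsz, const char *user, const char *msg)
{
    int n = snprintf(out, outsz, "login failure for %s: %s", user, msg);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* For code paths that cannot be restructured right away: flag untrusted
 * text that printf would parse as a directive. A doubled %% is a literal
 * percent and is allowed. */
bool has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return true;
    }
    return false;
}

int main(void)
{
    char line[256];
    /* Constructed sample: a "username" that is really a format string. */
    const char *hostile = "guest %x %x %s";
    if (log_event_safe(line, sizeof line, "ftp", hostile) > 0)
        printf("%s\n", line);
    printf("directive present: %s\n", has_format_directive(hostile) ? "yes" : "no");
    return 0;
}
```

The fix is the same everywhere the bug appears: the format string must be a literal under the programmer's control, and user data goes through %s. Compilers can enforce this for your own wrappers if they are declared with the printf format attribute, which turns a variable format string into a warning at build time.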


Upcoming security events.
Date: Event, Location
October 29-November 2, 2000: SD 2000 (Software Development Conference), Washington D.C., USA
November 1-3, 2000: Compsec 2000, Westminster, London, U.K.
November 1-4, 2000: 7th ACM Conference on Computer and Communication Security, Athens, Greece
November 3-5, 2000: PhreakNIC v4.0, Nashville, TN, USA
November 8, 2000: Security Forum 2000, Vancouver, British Columbia, Canada
November 13-15, 2000: CSI 27th Annual Computer Security Conference and Exhibition, Chicago, IL, USA
November 19-21, 2000: Privacy by Design, Le Chateau Montebello, Quebec, Canada
November 26-December 1, 2000: Computer Security 2000 and International Computer Security Day (DISC 2000), Mexico City, Mexico
December 3-7, 2000: Asiacrypt 2000, Kyoto, Japan
December 3-8, 2000: LISA 2000, New Orleans, LA, USA
December 10-13, 2000: INDOCRYPT 2000, Calcutta, India
December 11-15, 2000: 16th Annual Computer Security Applications Conference, New Orleans, LA, USA
December 20-21, 2000: The Third International Workshop on Information Security, University of Wollongong, NSW, Australia
December 27-29, 2000: Chaos Communication Congress, Berlin, Germany
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh

November 2, 2000


Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds