
Security


News and Editorials

Carnivore Reviewed and Re-Reviewed. On November 17th, a draft version of a review of Carnivore, the FBI tool for monitoring Internet traffic, was made available to the public. The review was performed by members of the IIT Research Institute (IITRI) in Lanham, Maryland and is 127 pages long. In its Executive Summary, the review makes several recommendations for ways in which Carnivore must be improved in order to protect individual privacy and assuage concerns about the potential for unauthorized use. Their recommendations include:

  • Continue to use Carnivore rather than other possible techniques because it can be configured to reflect the limitations of a court order.
  • Provide separate versions of Carnivore for gathering email To/From information versus full content collection (currently, moving from limited to full collection can be done with a simple radio button selection).
  • Add full audit trails and logs in order to provide full accountability for all Carnivore actions.
  • Enhance the physical control of Carnivore, where deployed, to prevent tampering.
  • "Explicitly bind collected data to the collection configuration by recording the filter settings with each collected file and add a cyclic redundancy check (CRC) to the recorded file".
  • Employ a formal development process (current development appears to be fairly ad-hoc).
  • "Provide checks in the user interface software to ensure that settings are reasonable and consistent".
  • "Work towards public release of Carnivore source code by eliminating exploitable weaknesses. Until public release, continue independent evaluation to assess effectiveness and risks of over and under-collection".

In other words, they found a flawed product, one which can currently be manipulated with ease to gather information beyond that authorized in a court order. They believe the flaws are fixable and have made recommendations as to what needs to be done, including eventually releasing the source, but not until some glaring security problems have been fixed first.

They did, however, state that they were confident that Carnivore could not be used to disrupt network traffic, either by adding packets to the network, blocking traffic, removing information, seizing control of traffic or shutting down the communications of a person, website, company or ISP.

Another group of researchers, this time from several organizations, including AT&T Laboratories, the University of Pennsylvania and Purdue University CERIAS are less sanguine. "Although the IITRI study appears to represent a good-faith effort at independent review, the limited nature of the analysis described in the draft report simply cannot support a conclusion that Carnivore is correct, safe, or always consistent with legal limitations. Those who are concerned that the system produces correct evidence, represents no threat to the networks on which it is installed, or complies with the scope of court orders should not take much comfort from the analysis described in the report or its conclusions".

The security of the Carnivore code itself is one issue: the draft report does not include any actual auditing of the code for even basic security problems such as buffer overflows. The lack of accountability resulting from the absence of non-modifiable audit trails or logs was mentioned in the draft report, but not, they feel, given enough emphasis. Most of all, they feel strongly that the current implementation could allow just about any file on the Carnivore server to be replaced, including audit logs and the software itself. This would make the potential uses of Carnivore effectively unlimited: once installed, simply upload new capabilities, use them, delete them and move on.

Their concerns indicate that Carnivore, in its current form, is potentially subvertible both by law enforcement agents who might use it beyond the scope of a court order and by malicious attackers not associated with law enforcement. As a result, they push even more strongly for the release of the Carnivore code, so that its deficiencies can be addressed with the widest possible scrutiny.
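The draft report's recommendation to record the filter settings with each collected file and protect it with a CRC, read together with the critique's point that files on the collection host could be replaced, can be illustrated by this added example (it is not code from the report, the critique or LWN; the record layout, sample settings, sample capture and auditor key are all constructed). A CRC needs no secret, so whoever can rewrite the file can also re-tag it; a keyed MAC whose key never resides on the collection host is what actually binds data to configuration against that threat.

```python
import hashlib
import hmac
import json
import zlib

# Constructed sample: the settings a collection ran under, the data it
# captured, and a key held by an independent auditor, not by the host.
FILTER_SETTINGS = {"mode": "to-from-only", "target": "user@example.invalid"}
CAPTURED = b"From: a@example.invalid\r\nTo: user@example.invalid\r\n"
AUDITOR_KEY = b"constructed-key-held-off-the-collection-host"


def _body(settings, data):
    # Assumed layout: canonical JSON header, newline, raw collected data.
    return json.dumps(settings, sort_keys=True).encode() + b"\n" + data


def record_with_crc(settings, data):
    """Bind settings to data with a CRC32, as the draft report recommends.
    CRC32 catches accidental corruption only; anyone can recompute it."""
    body = _body(settings, data)
    return body + zlib.crc32(body).to_bytes(4, "big")


def crc_ok(record):
    body, tag = record[:-4], int.from_bytes(record[-4:], "big")
    return zlib.crc32(body) == tag


def record_with_hmac(settings, data, key):
    """Same layout, but the tag is an HMAC under a key the host never holds."""
    body = _body(settings, data)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def hmac_ok(record, key):
    body, tag = record[:-32], record[-32:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)


def rewrite_settings(record, tag_len, new_settings, retag):
    """Model the critique's scenario: someone who can replace files on the
    host rewrites the recorded settings and regenerates the tag with `retag`.
    Returns the rewritten record; the caller checks whether it still verifies."""
    _header, _, data = record[:-tag_len].partition(b"\n")
    return retag(new_settings, data)
```

The MAC only shifts trust to whoever holds the key and still does not prevent a record from being deleted outright, which is why the critique also asks for non-modifiable audit trails.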

Of course, given an atmosphere of distrust, which all of this publicity and review process validates, Carnivore will never be trustable. Even if the code is made available, even if all the recommendations of both the official review and this unofficial commentary are implemented, who will guarantee that the code installed on a particular Carnivore has not been modified? If you don't trust the watchers, who can you trust to watch them?

Perhaps the eventual consequences of Carnivore are best summed up by this suck.com article. "By demonizing the FBI (or by just sitting back and letting the FBI demonize itself), privacy advocates could go a long way towards stoking the public's interest in - and demand for - electronic privacy, including software to avoid the Bureau's prying eye". They perceive the existence of Carnivore as the necessary incentive to put easy-to-use cryptographic functionality in email and other Internet applications at the top of everyone's wish-list.

Interview with Kurt Seifried of SecurityPortal.com (LinuxSecurity Brazil). Kurt Seifried, author of the Linux Administrator's Security Guide, was interviewed by LinuxSecurity Brazil this week. "Security is a process, ongoing and never ends. If you choose shoddy software that is prone to problems then administering it will be that much more difficult. You need a solid foundation to build on, this is the OS and related software. Once you have this you need to keep it up to date, modify configuration info as needed and so forth. You are only as strong as the weakest link in your entire security chain."

A Portuguese language version of the interview is also available.

Security Reports

ptrace non-readable file vulnerability. ptrace, a system call used to examine and control running processes, is not supposed to allow setuid or non-readable executables to be traced. Lamagra Argamal, however, pointed out that ptrace does not properly check the on-disk image for readability when tracing a child process. This could allow information that was assumed to be protected to be retrieved from the memory of a running process. Linux 2.2.10 through 2.2.17 is known to be vulnerable; earlier versions may also be affected.

For more information, check BugTraq ID 2044.

Postaci Webmail password vulnerability. Postaci Webmail is a GPL'd software package that provides a database- and platform-independent web interface to mail. Michael R. Rudel pointed out that the hostname, username and password variables for the MySQL database can be easily retrieved under the default configuration. Configuration-based workarounds are available, described both in Michael's post and in this followup from Stanislav Grozev.

There is no indication that the author of the package has been officially notified and no response or followup to this problem was found on the website.

For more information, check BugTraq ID 2029.

pam_localuser buffer overflow. A buffer overflow was reported in the pam_localuser module. This module is included with the Red Hat Linux distribution, though it is not used by default.

This week's updates:

ezmlm-cgi potential arbitrary command execution. ezmlm-idx is a mailing list manager designed to work under qmail. ezmlm-cgi is shipped with ezmlm-idx to allow lists to be archived and viewed via the web. The installation instructions for ezmlm-cgi recommend that it be installed setuid root. This week, vort-fu reported potential problems with ezmlm-cgi if it is installed setuid to a user other than root. These stem from the fact that the software will read its configuration file from the current directory when it is not installed setuid root. As a result, it can be manipulated into executing arbitrary code under the uid of the ezmlm-cgi owner.

Note that Frederik Lindberg, author of ezmlm-idx, posted this response contesting portions of the original report.

For more information, check BugTraq ID 2053.

cgi-bin scripts. The following cgi-bin scripts were reported to contain vulnerabilities:

  • phpweblog: João Gouveia reported a vulnerability under which the administrator authentication can be bypassed. He also provided a patch to correct the problem. This patch has gone into the development tree and will be incorporated in the next development snapshot (this is a beta product). Check the phpweblog home page for more details.
  • MoinMoin, a Python WikiClone (WikiWiki is a collaborative hypertext environment), has been upgraded to version 0.7, which uses __import__ instead of exec() in order to improve its basic security. Anyone using MoinMoin 0.5 or 0.6 is strongly recommended to upgrade.
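To show why the 0.7 change matters, here is an added example (not MoinMoin's own code; the action names, the allowlist and the stub modules registered in sys.modules are constructed): a loader that resolves a request parameter to a module with __import__ behind an identifier check and an allowlist, so the parameter is only ever treated as a module name and never as source text handed to exec().

```python
import re
import sys
import types

# Constructed stand-ins for a wiki's per-action modules; a real install
# would have them on disk as action_show.py and action_edit.py.
for _name in ("show", "edit"):
    sys.modules["action_" + _name] = types.ModuleType("action_" + _name)

ALLOWED_ACTIONS = frozenset(["show", "edit"])
_IDENT = re.compile(r"[a-z][a-z0-9_]*")


def load_action(name):
    """Resolve a request parameter to an action module without exec().

    exec("import action_" + name) would parse the parameter as Python
    source, so anything the request placed after a newline or ';' would
    run. __import__ treats its argument purely as a module name, and the
    identifier check plus allowlist means only modules the wiki ships
    can be reached at all.
    """
    if not isinstance(name, str) or not _IDENT.fullmatch(name):
        raise ValueError("malformed action name: %r" % (name,))
    if name not in ALLOWED_ACTIONS:
        raise ValueError("unknown action: %r" % (name,))
    return __import__("action_" + name)


def action_loads(name):
    """True if `name` resolves to a permitted action module, else False."""
    try:
        return isinstance(load_action(name), types.ModuleType)
    except ValueError:
        return False
```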

Commercial products. The following commercial products were reported to contain vulnerabilities:

Updates

bash tmpfile vulnerability. Check last week's LWN Security Summary for the original report. This is similar to the tmpfile problems reported in /bin/sh and /bin/tcsh.

This week's updates:

Previous updates:

ghostscript vulnerabilities. Two vulnerabilities were reported in ghostscript last week. Both could potentially lead to elevated privileges.

This week's updates:

Previous updates:

joe symlink vulnerability. Check the November 23rd LWN Security Summary for the original report.

This week's updates:

  • Debian, the original update didn't work

Previous updates:

Two CUPS problems. Two problems were reported with CUPS, the Common Unix Printing System in our November 23rd LWN Security Summary.

This week's updates:

Previous updates:

Local root exploit problem in modutils. Check the November 16th Security Summary and Kernel Page for the original report and details. Note, however, that the updates listed below include either modutils 2.3.19 or modutils 2.3.20. As mentioned above, modutils 2.3.21 has been released with still more fixes.

This week's updates:

Previous updates:

Hostile server vulnerability in OpenSSH. Check the November 16th LWN Security Summary for details. Upgrading to 2.3.0 is recommended.

This week's updates:

Previous updates:

Netscape 4.75 buffer overflow. First spotted via this FreeBSD advisory and reported on November 9th, a buffer overflow in Netscape 4.75 enables a client-side exploit. Check the November 9th LWN Security Summary for our original report. Netscape 4.76, which was released on October 24th, fixes the problem.

This week's updates:

Previous updates:

tcsh symlink vulnerability. A /tmp symbolic link vulnerability was reported in tcsh on October 29th. Check BugTraq ID 1926 for more details.

This week's updates:

Previous updates:

ncurses buffer overflow. Check the October 12th LWN Security Summary for the initial report of this problem.

This week's updates:

Previous updates:

diskcheck 3.1.1 symlink vulnerability. Check the August 10th LWN Security Summary for the original report of this problem.

This week's updates:

Previous updates:

Resources

Argante project announcement. The Argante project was announced this week, with Michal Zalewski as project leader. Argante is a virtual operating system. It is designed to run on top of Linux, BSD and other Unix operating systems, but to provide an environment where security has not been compromised in order to provide functionality. "Argante is supposed to be a system with no compromises. That is why always when in the traditional system we would face choice "security or functionality", instead of choosing one variant we concluded the choice itself is bad and created its outline from scratch or changed the model in order to reconcile our requirements with expectations."

Check the Argante project website for more details.

Events

Upcoming security events (date, event, location):

  • November 26 - December 1, 2000: Computer Security 2000 and International Computer Security Day (DISC 2000), Mexico City, Mexico
  • December 3-7, 2000: Asiacrypt 2000, Kyoto, Japan
  • December 3-8, 2000: LISA 2000, New Orleans, LA, USA
  • December 10-13, 2000: INDOCRYPT 2000, Calcutta, India
  • December 11-15, 2000: 16th Annual Computer Security Applications Conference, New Orleans, LA, USA
  • December 20-21, 2000: The Third International Workshop on Information Security, University of Wollongong, NSW, Australia
  • December 27-29, 2000: Chaos Communication Congress, Berlin, Germany

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


December 7, 2000

Copyright © 2000 Eklektix, Inc., all rights reserved