[LWN Logo]

 Main page
 Linux in the news
 Back page
All in one big page

See also: last week's Security page.


News and Editorials

Free Intrusion Detection Software. Snort developer Martin Roesch sent us a note on the snort 1.7 release, bringing it to our attention because, with the new release, he felt snort now had a feature set competitive with commercial Intrusion Detection Systems (IDS). His note inspired us to go out to take a look at snort, its commercial IDS competitors, and other free software IDS systems.

The commercial IDS systems we examined included products from Symantec, Cisco and ISS, just to get an overview of the common features included in these systems. Then we went back to snort, checking out its features, both old and new. With the addition of dynamic rules, a Statistical Anomaly Detection preprocessor, Oracle database support support (MySQL and PostgreSQL have been supported for some time) and more, we had to agree that snort is now comparable to its commercial competitors.

What about free software competitors? We took a long walk through various software databases (Freshmeat, Appwatch, etc.) looking for free software intrusion detection systems other than snort. We found that the term "intrusion detection system" has many meanings.

One common interpretation was monitoring data integrity: the detection of modifications to files on a system, which was pioneered by Tripwire. There are a lot of projects in that arena, samhain, AIDE, claymore and Toby IDS, to name a few.

Then there was a scattering of others, such as LIDS, the Linux Intrusion Detection System. LIDS is actually a patch to the Linux kernel which brings Mandatory Access Control to Linux, allowing fine-grained control of file permissions (e.g., even root can't modify or delete files without the proper permissions), process permissions and more. LIDS 1.0.4 was announced this week, providing support for the just-released Linux 2.4.0 kernel.

Various other projects termed "intrusion detection systems" provide monitoring of login behaviors, syslog replacements and other functionalities.

So what definition of intrusion detection fits snort? From our reading of the webpage (and that of the similar commercial products we mentioned), snort is intended to detect network-based security attacks. Given this definition, it does not have many free software competitors.

Worthy of note, however, is FreeVeracity. FreeVeracity claims to provide both data integrity (like Tripwire) and network intrusion detection. It is actually a version of the commercial product Veracity, from Rocksoft, released under the Free World License, a controversial topic in and of itself. Its intent is to provide a method whereby commercial companies can provide source code for their software freely to Linux and BSD users, yet restrict its use (and their licensing revenue) on commercial operating systems. Since it restricts the systems on which the covered software can be used, the FWL is not a free software license.

So, take a look at your personal ideology. For the purists, snort is available and now more full-featured than ever. If you agree with the intent of the FreeWorld license (to promote free operating systems over commercial ones) and can live with its use of a Point-and-Click contract, you may also want to check out FreeVeracity. If neither yet meets your needs, then you'll need to continue using a commercial product, at least for now.

Security Reports

ReiserFS long-file-name vulnerability. Extremely long directory names under ReiserFS have been reported to cause the Linux kernel to crash. This bug is also potentially exploitable to gain local root access, though that has not yet been confirmed. In fact, the vulnerability itself has proven very difficult to reproduce. Nonetheless, both ReiserFS and VFS are getting an audit for this and possibly other buffer overrun problems. Patches to temporarily disable long directory names (just in case) have been made available. Check our coverage of this problem in this week's kernel page for more details and expect an update on the problem next week.

Immunix reports tmp file race problems in twelve packages. Immunix sent out an advisory covering potential temporary file race conditions in twelve different packages that they uncovered as a result of a new warning message from glibc whenever mktemp(), tempname(), etc., is used. Affected packages include:
apache 1.3.14 and also 2.0a9, the htpasswd and htdigest helper programs
tcpdump arpwatch version 2.1a4
squid 2.3 STABLE and 2.4
linuxconf 1.19r through 1.23r, the vpop3d program
mgetty 1.1.22 and 1.1.23
gpm 1.19.3
wu-ftpd 2.6.1, the privatepw program
inn 2.2.3
diffutils 2.7, the sdiff program
getty_ps 2.0.7j
rdist 6.1.5
shadow-utils 19990827 and 20000902, the useradd program
Since Immunix is based on Red Hat 7.0, all the same problems should be present in that version of Red Hat. Other distributions may be impacted as well.

This week's updates:

IBM HTTP Server denial-of-service vulnerability. A denial-of-service vulnerability has been reported in the IBM HTTP server, which is based on Apache. In turn, IBM's WebSphere product is based on the IBM HTTP server and is reported to also be vulnerable. The problem lies in the Apfa cache used in the IBM HTTP server. Disabling the Apfa cache is one work-around to the problem. Since Apache does not use the Apfa cache, it should not be affected. Check BugTraq ID 2175 for more details.

cgi-bin scripts. The following cgi-bin scripts were reported to contain vulnerabilities:

  • Ibrow newsdesk.cgi is reported to contain a file disclosure vulnerability. No vendor update is currently available.

  • Multiple Fastgraf cgi scripts, including whois.cg, ping.cgi, traceroute.cgi and finger.cgi, contain poor meta-character checking, allowing them to be exploited to remotely execute commands under the uid of the webserver. A workaround is provided and the author has been notified.

  • eXtropia bbs_forum.cgi, a perl-based script, is reported to contain a vulnerability which can allow remote execute of arbitrary commands, due to insufficient input validation. A patch to correct the problem is provided. Check BugTraq ID 2177 for more details.

Commercial products. The following commercial products were reported to contain vulnerabilities:

  • Macromedia's Flash Player, reported last week to contain a buffer overflow. This week, Macromedia responded, acknowledging the problem but explaining why the security impact was "not significant". Unfortunately, significant or not, they did not provide a patch or an update for the problem.

  • StorageSoft ImageCast IC3 is reported to contain a denial-of-service vulnerability. A fix is promised in an upcoming release; no date is provided.

  • NetScreen Firewall network appliance contains a denial-of-service vulnerability. Updated versions of the software have been released by the vendor to resolve the problem. Check BugTraq ID 2176 for more details.


Secure Locate buffer overflow. Check the November 30th, 2000 LWN Security Summary for the original report of this problem.

This week's updates:

Previous updates:

xchat URL handler bug. Originally reported in the August 24th, 2000 LWN Security Summary. Versions of xchat from 1.3.9 through and including 1.4.2 can allow commands to be passed from IRC to a shell. Check BugTraq ID 1601 for more details.

This week's updates:

Older updates:

perl/mailx. Check the August 10th, 2000 LWN Security Summary for details.

This week's updates:

Previous updates:

Red Hat umb-scheme permissions problem. Red Hat reported a file permissions problem with umb-scheme, believed to be Red Hat specific, in the August 10th, 2000 LWN Security Summary.

This week's updates:

Previous updates:
  • Red Hat (August 10th, 2000)
  • Conectiva, not vulnerable (August 10th, 2000)
  • Linux-Mandrake, not vulnerable (August 10th, 2000)

man/makewhatis vulnerability. A /tmp file vulnerability was reported in makewhatis versions 1.5e and higher. Check the July 6th LWN Security Summary for the original report.

This week's updates:

Previous updates:

GNU emacs inadequate PTY permissions vulnerability. Check the June 22nd, 2000 LWN Security Summary for the initial report of this problem, affecting GNU emacs 20.6 and earlier. GNU emacs 20.7 contains a fix for the problem. xemacs was not affected.

This week's updates:

Previous updates:

wu-ftp vulnerability. Check the June 15th, 2000 LWN Security Summary for the original report of this problem. An upgrade to wu-ftpd 2.6.1 should fix the problem.

This week's updates:

Previous updates:

openldap tmplink vulnerability. A tmplink vulnerability was reported in openlap the week of the April 27th, 2000. Check Red Hat Bugzilla ID 10714 for more details.

This week's updates:

Previous updates:

piranha. Issues with the piranha packages were covered in the main editorial of the April 27th LWN Security Summary.

This week's updates:

Previous updates:

ircii buffer overflow. On March 10th, a remotely exploitable buffer overflow was reported in ircii, an irc client, with all versions prior to 4.4M. Check the April 6th LWN Security Summary for our first report of this problem or BugTraq ID 1046 for more details.

This week's updates:

Previous updates:

gpm improper permissions handling. Improper permissions handling in gpm, the virtual console cut and paste utility and mouse server, was discussed in the March 30th LWN Security Summary.

This week's updates:

Previous updates:


Analysis of Auditable Port Scanning Techniques. Guido Bakker posted his whitepaper examining port scan methods, in particular, analysis of auditable techniques.


Summercon 2001. The announcement for this year's Summercon 2001 event has been released. Summercon 2001 will be held June 1-3, 2001, in Amsterdam, the Netherlands. This is the first year that Summercon will be held outside of the United States. In addition, a small fee for entrance will be charged and the press will be allowed to attend. Summercon is one of the oldest living security/hacker conferences, with origins tied to early years of Phrack Magazine.

Upcoming security events.
Date Event Location
February 7-8, 2001. Network and Distributed System Security Symposium San Diego, CA, USA.
February 13-15, 2001. PKC 2001 Cheju Island, Korea.
February 19-22, 2001. Financial Cryptography 2001 Grand Cayman, BWI.
February 24-March 1, 2001. InfoSec World 2001 Orlando, FL, USA.

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh

January 11, 2001

LWN Resources

Secured Distributions:
Astaro Security
Engarde Secure Linux
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux

Security Projects
Linux Security Audit Project
Linux Security Module

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

BSD-specific links

Security mailing lists
Linux From Scratch
Red Hat
Yellow Dog

Security Software Archives
ZedZ.net (formerly replay.com)

Miscellaneous Resources
Comp Sec News Daily
Security Focus


Next: Kernel

Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds