[LWN Logo]

 Main page
 Linux in the news
 Linux History
All in one big page

See also: last week's Security page.


News and Editorials

Multicast impacts from the Ramen Worm. Last week, in our coverage of the Ramen Worm, we mentioned the network impacts of the Ramen Worm, but like many other news reports, we glossed over them quickly. That did not do justice to the most-likely unintended consequences of the Worm; its impact on multicast networks.

The Ramen worm was designed to use a binary called "randb" to generate a list of class B networks to scan. That causes the impact of the worm to be somewhat randomly scattered. However, the first byte of the IP addresses generated ranged from 13 to 242 -- a range that includes multicast addresses. On other words, the Ramen worm is also scanning multicast networks, and the results are far from pleasant.

What is multicast? Where most Internet traffic is much like a telephone call, directly from one IP address to another, multicast traffic is more like radio or television. All sites that have "tuned in" to the multicast broadcast will receive it - and can broadcast to all other participants as well. The multicast network is designed such that data need cross any network segment only once, even if it is being broadcast to many recipients on the other side. Example uses of multicast include the broadcasting of real-time audio and video from conferences or tuning in on the space shuttle. Check the Multicast over TCP/IP HOWTO for more details.

The IP address range for multicast is through This range is thus included in the address space attacked by the Ramen worm. Each scan packet sent by the multicast scan generates a Multicast Source Distribution Protocol (MSDP) Source Availability (SA) message. Bill Owens reported:

Unfortunately the scanner being used is very efficient and can cover a /16 in about 15 minutes, generating 65000 SA messages. The SA messages are flooded throughout the multicast backbone and the resulting load on the routers has caused degradation of both multicast and unicast connectivity

For the past nine days, this has resulted in repeated storms of network traffic on multicast networks. The graph reporting statistics over the past month is particularly telling -- the level is flat for the first two weeks, then shows tremendous peaks of traffic, each reprenting a multicast storm.

All of this tells us that multicast has been proven vulnerable to a denial-of-service attack. That problem is being heavily discussed on the Internet2 multicast and MBONE mailing lists.

As a result, though, the damage from the Ramen worm is much higher than we originally reported.

As a side note, Crispin Cowan from Immunix reported that FormatGuard, used by Immunix to prevent format string vulnerabilities, successfully blocked all three of the vulnerabilities exploited by the Ramen worm.

French hackers break SDMI, publish results. Two French hackers, Julien Stern and Julien Boeuf, have broken the Secure Digital Music Initiative's watermarking scheme. However, being French, they (1) have declined to sign SDMI's nondisclosure agreement, and (2) are not subject to the Digital Millennium Copyright Act. So they have published their findings, both in French and in English. (Found on Da Linux French Page).

Linux Gets Stateful Firewalling (SecurityPortal). SecurityPortal covers Netfilter, the packet filtering system provided by the new 2.4 kernel release, in this article by Jay Beale. "The 2.4 kernel's packet filtering system, Netfilter, is Linux's first stateful firewall. Stateful firewalls represent a major technological jump in the intelligence of a firewall and are present in all serious Enterprise firewalling products. Among many enhancements, this "statefulness" allows Netfilter to block/detect many stealth scans that were previously undetected on Linux firewalls."

Security Reports

MySQL buffer overflow. Nicolas Gregoir reported a buffer overflow in the MySQL server that can be exploited remotely to gain access to the system under the uid of the mysql server. MySQL 3.23.31 and earlier are affected. MySQL 3.23.32 fixes the problem. Check BugTraq ID 2262 for more details.

sash readable file vulnerability. Debian released an advisory this work for sash, reporting that versions of sash prior to sash 3.4-4 did not properly clone /etc/shadow, leaving a fully readable file as a result. They have provided updated packages for stable.

micq remotely exploitable buffer overflow. Micq is a public domain ICQ clone. Micq 0.4.6 is reported to contain a remotely exploitable buffer overflow that can be used to execute arbitrary code. micq 0.4.6p1 contains a backport of the fix provided by Debian. Check BugTraq ID 2254 for more details.

This week's updates:

webmin tmpfile vulnerability. Webmin, a perl-and-web-based systems administration interface, is reported to insecurely create temporary files in several instances. webmin 0.84 contains a fix for this problem.

This week's updates:

kdesu password sniffing. Caldera issued an advisory for kdesu, a KDE2 program that is used to run systems administration commands under the root account. They report that a bug in kdesu will allow any user on the system to steal passwords entered at the kdesu prompt. Sebastian Krahmer (SuSE) and Waldo Bastian (KDE) are also acknowledged for their part in helping to track down this problem. Presumably, any other system shipping KDE2 may also be affected.

FreeBSD-specific ipfw/ip6fw vulnerability. FreeBSD issued an advisory reporting a problem with ipfw/ip6fw that is specific to FreeBSD. The ECE flag is incorrectly treated, potentially incorrectly allowing some traffic through the IP filters. Updates for the problem are provided.

crontab file access vulnerability. FreeBSD put out an advisory and updates for a problem with crontab(8) which can allow any file on the system that matches a crontab file in format to be read. This also includes any file where every line either begins with a "#" or contains only whitespace.

This problem is not FreeBSD-specific. No related reports have been seen.

icecast format string vulnerability. A format string vulnerability was reported this week in icecast 1.3.8beta2 and prior. This can be exploited remotely to execute arbitrary code. Exploits for Slackware and Red Hat have been published. icecast is an MP3 server. So far, an updated version of icecast has not been published.

This week's updates:

bing local root exploit. Paul Starzetz reported a buffer overflow in bing that can be exploited locally to gain root access. bing is a tool designed to help calculate the network bandwidth between two points. bing 1.04 and earlier are vulnerable; bing 1.0.5 has been released to fix the problem.

Commercial products. The following commercial products were reported to contain vulnerabilities:

  • Watchguard Firebox II has been reported to contain a password retrieval vulnerability. Upgrades have been made available.

  • Netscape Enterprise Server has been reported to be vulnerable to a denial-of-service attack. No vendor response has been seen so far.

  • Netscape Enterprise Server has also been reported to contain an input validation vulnerability that can be exploited to disclose a directory listing of the target server. Disabling web publishing will temporarily close the hole. No vendor response has been seen so far.

  • Netscape FastTrak Server is reported to be vulnerable to a denial-of-service attack via its cache module. No vendor response has been seen so far.


PHP Apache Module per-directory and virtual hosts vulnerabilities. Check the January 18th LWN Security Summary for the original report of the problems. An upgrade to PHP 4.0.4pl1 will resolve the issues.

This week's updates:

ssh1 secure RPC vulnerability. Last week, we mentioned a vulnerability in ssh 1.2.30 secure rpc encryption. This week, Dan Harkless pointed out that the vulnerability applied not just to ssh 1.2.30, but to ssh 1.2.30 and all earlier versions of 1.2.X.

glibc RESOLV_HOST_CONF preload vulnerability. Check the January 18th LWN Security Summary for the initial report of this problem, which can be exploited to gain local root access. This week's updates:

Previous updates:
  • Red Hat (January 18th)
  • Slackware (January 18th)
  • Debian, 2.2 not vulnerable, testing and devel trees are (January 18th)

glibc local write/ld.so.cache preload vulnerability. Red Hat issued another update to glibc this week to fix a preload-related vulnerability. In this vulnerability, the glibc preload check was not applied to libraries that had already been loaded into /etc/ld.so.cache. This can be exploited to create/overwrite files without authorization.

This week's updates:

Previous updates:

Multiple vulnerabilities in splitvt. Multiple vulnerabilities were reported in splitvt in the January 18th LWN Security Summary, including several buffer overflows and a format string vulnerability. An upgrade to splitvt 1.6.5 should resolve the problems.

This week's updates:

jaZip buffer overflow. A buffer overflow was reported last week in jaZip, a program for managing Iomega Jazz or Zip drives.

This week's updates:

wu-ftpd insecure tmpfile creation. Check the January 11th LWN Security Summary for the original report of twelve packages with tmp race problems, of which wu-ftpd was one.

This week's updates:

  • Debian
  • Debian, Intel ia32 packages recompiled due to missing PAM support
  • Debian, another problem with the Intel ia32 packages fixed
Previous updates:

tinyproxy heap overflow attack. Check the January 18th LWN Security Summary for the initial report. This can be exploited to cause a denial-of-service. tinyproxy 1.3.3a has been released to fix this problem.

This week's updates:

BIND 8.2.2-P5 denial-of-service. A denial-of-service vulnerability was reported in BIND 8.2.2-P5. Check the November 9th, 2000, LWN Security Summary for the initial report. BIND 8.2.2-P7 contains a fix for the problem.

This week's updates:

Previous updates:

XFree86 security problems. Check the October 26th, 2000 LWN Security Summary for the original report on multiple security problems in XFree86 3.3.5, 3.3.6 and 4.0.

It is well worth noting that updates from other Linux vendors for these problems still haven't been seen. Even the Conectiva announcement only covered one of the reported vulnerabilities.

This week's updates:

Previous updates:


Upcoming security events.
Date Event Location
February 7-8, 2001. Network and Distributed System Security Symposium San Diego, CA, USA.
February 13-15, 2001. PKC 2001 Cheju Island, Korea.
February 19-22, 2001. Financial Cryptography 2001 Grand Cayman, BWI.
February 19-22, 2001. VPN Con San Jose, CA, USA.
February 24-March 1, 2001. InfoSec World 2001 Orlando, FL, USA.
March 3-6, 2001. EICAR and Anti-Malware Conference Munich, Germany.
March 27-28, 2001. eSecurity Boston, MA, USA.
March 30-April 1, 2001. @LANta.CON Doraville, GA, USA.

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh

January 25, 2001

LWN Resources

Secured Distributions:
Astaro Security
Engarde Secure Linux
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux

Security Projects
Linux Security Audit Project
Linux Security Module

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

BSD-specific links

Security mailing lists
Linux From Scratch
Red Hat
Yellow Dog

Security Software Archives
ZedZ.net (formerly replay.com)

Miscellaneous Resources
Comp Sec News Daily
Security Focus


Next: Kernel

Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds