Security

News and Editorials

Phil Zimmermann leaves NAI. For those of you who are unfamiliar with Phil Zimmermann, he is the original author of Pretty Good Privacy (PGP). He's also from Boulder, Colorado, the home of LWN.net, and someone we have previously met and worked with (in a former, non-Linux lifetime). PGP was originally a freely available, non-proprietary product, one to which Phil dedicated himself and for which he also dealt with a great deal of legal furor and hassle. The U.S. government chose Phil and his software as a test case for the enforcement of regulations that make exporting cryptography illegal, though the "exportation" in question was simply the posting of the source code (by somebody other than Phil) to a set of bulletin board sites. For more information on that historical footnote, check out The Phil Zimmermann Case, the Zimmermann Legal Defense Fund Appeal, or simply search on his name on Google. The case was eventually dropped.

Since then, PGP itself has become a proprietary product. It has been owned by Network Associates, Inc. (NAI) since 1997, when NAI purchased PGP, Inc., a company started by Phil. Phil continued to work for NAI after the acquisition. This week, however, he announced his departure, along with his plans to promote OpenPGP, the IETF open standard (RFC 2440) that describes the PGP message and key formats. He'll also be doing work for a number of NAI's competitors, including Hush Communications and Veridis.

Phil's departure was apparently driven by NAI's decision to close part or all of the source code for PGP: "New senior management assumed control of PGP Security in the final months of 2000, and decided to reduce how much PGP source code they would publish." Phil understands well that without the availability of source code, the security of the product can't be independently verified, and unverifiable security is, for practical purposes, no security at all. In order to pursue his original goal, the wide dissemination and availability of tools to secure an individual's privacy, he could no longer stay. He does state, however, that the current NAI PGP release (7.0.3) is free of backdoors.

His departure marks a good opportunity to thank Phil for his original contribution, PGP, and to be glad that we have a Free Software implementation, GnuPG, whose future will not be dictated by some corporate manager.

Updates on the ssh trademark issue. Here are a couple of things that have come our way in the ongoing ssh trademark dispute (covered in last week's LWN.net weekly edition):
Wi-Fi vs. Open Source. Here's an article by Jay R. Ashworth dealing with the cracking of the security scheme used with 802.11b wireless networking. Why, he asks, was the system cracked so easily? "Well, one assertion that could be made fairly is that it was because the design process was closed, rather than the open, peer-reviewed process which has (at least to me) been proven repeatedly as being much more likely to find the possible holes in both protocol and implementation which will make a security system insecure."

February CRYPTO-GRAM newsletter. Bruce Schneier's CRYPTO-GRAM newsletter for February is out; it's worth a read. Topics include hard drive copy protection (CPRM: "a serious threat to civil liberties"), the InterBase back door, "e-mail filter idiocy," and a brief mention of the Ramen worm. Here is the HTML version as well, for those who prefer it.

Linux Kernel 2.4 Firewalling Matures: netfilter (LinuxSecurity). LinuxSecurity posted a detailed summary of the new netfilter facilities in the 2.4 kernel. "Netfilter provides a raw framework for manipulating packets as they traverse through various parts of the kernel. Part of this framework includes support for masquerading, standard packet filtering, and now more complete network address translation. It even includes improved support for load balancing requests for a particular service among a group of servers behind the firewall."

The Key Vanishes: Scientist Outlines Unbreakable Code (New York Times). The New York Times published this registration-required article on research by Dr. Michael Rabin at Harvard into "provably unbreakable" cryptography. It is based on the theoretical use of rapidly generated random keys: a public stream of random bits produced faster than any eavesdropper could store it, from which the communicating parties derive their keys. "Bruce Schneier, who is founder and chief technical officer for Counterpane Internet Security in San Jose, said that, as a scientist, he liked the idea of a provably secure system. 'Research like this should be encouraged,' he said. 'But research is different from engineering.'" (Thanks to Robert George Mayer.)

Security Reports

vixie-cron long username buffer overflow. A local root compromise was reported in Paul Vixie's crontab (version 3.0.1-56) on February 12th. A long discussion resulted. Exploitation was judged highly unlikely, since it was only possible from an account whose name is longer than 20 characters. Nonetheless, as the debate settled, the vulnerability was acknowledged and quickly fixed. This week's updates:

pgp4pine expired key vulnerability. pgp4pine, a program that interfaces various implementations of PGP with the mail reader pine, fails to properly handle expired keys when working with GnuPG. When GnuPG refuses to use an expired key and returns an error, pgp4pine does not notice the error, and the message is sent on in plaintext without any warning to the user. This is a textbook fail-open design: a wrapper around an encryptor should treat any non-zero exit from it as a hard stop, never as a reason to fall back to cleartext. A patch to fix the problem is included with the advisory.

Martin Hamilton ROADS file disclosure vulnerability. ROADS is a Yahoo-like subject-gateway system written in Perl by Martin Hamilton. A file disclosure vulnerability was reported in ROADS 2.3. This has been fixed in ROADS 2.4, and a patch for 2.3 has also been made available.

Bajie Java-based webserver remote command execution. The Bajie Java-based webserver can be exploited remotely to execute arbitrary commands: its built-in upload feature can be used to place a malicious script at a well-known name and location, and the script can then be executed. No workaround or fix has yet been mentioned. Check BugTraq ID 2388 for more details.

Web scripts. The following web scripts were reported to contain vulnerabilities:
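Returning to the vixie-cron report above: the bug class is a username copied into a fixed-size buffer with no length check. The following is an added illustration, not vixie-cron's code; the struct layout, the 20-character limit and the function names (set_user_unchecked, set_user_checked, username_fits) are assumptions chosen to match the "longer than 20 characters" condition in the report.

```c
/* Added illustration of the bug class behind the vixie-cron report above:
 * a username copied into a fixed-size buffer with no length check.  This is
 * NOT vixie-cron's code; the structure, the buffer size and the names are
 * assumptions chosen to match the "longer than 20 characters" condition. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 20                 /* assumed: longest legal name */

struct cron_job {
    char user[USERNAME_MAX + 1];        /* name plus terminating NUL */
    char command[256];                  /* sits right after `user` in memory */
};

/* Vulnerable pattern: strcpy() trusts the caller.  A 21-character name
 * writes its NUL into `command`; anything longer overwrites `command` and,
 * with enough input, whatever follows the struct.  In a setuid-root tool
 * such as crontab that is a local root hole.  Kept only for comparison. */
static void set_user_unchecked(struct cron_job *job, const char *name)
{
    strcpy(job->user, name);
}

/* Hardened replacement: scan no further than the buffer allows and reject
 * anything that does not fit.  Rejecting beats silent truncation, which
 * could map two distinct accounts onto one crontab owner. */
static int set_user_checked(struct cron_job *job, const char *name)
{
    size_t len = 0;
    while (len <= USERNAME_MAX && name[len] != '\0')
        len++;                          /* bounded: reads at most 21 bytes */
    if (len == 0 || len > USERNAME_MAX) {
        errno = (len == 0) ? EINVAL : ENAMETOOLONG;
        return -1;
    }
    memcpy(job->user, name, len + 1);   /* copies the NUL too */
    return 0;
}

/* 1 if `name` would be accepted by the checked setter, 0 otherwise. */
int username_fits(const char *name)
{
    struct cron_job job;
    memset(&job, 0, sizeof job);
    return set_user_checked(&job, name) == 0;
}

int main(void)
{
    struct cron_job job;
    const char *names[] = {             /* constructed sample input */
        "alice", "exactly_twenty_chars", "twenty_one_character!",
    };
    set_user_unchecked(&job, names[0]); /* safe only because "alice" is short */
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s %s\n", names[i],
               username_fits(names[i]) ? "accepted" : "rejected (too long)");
    return 0;
}
```

The unchecked setter is never given anything but the short constructed name here; the point of the pair is that the checked version bounds its scan as well as its copy, so an unterminated or over-long name can neither be read past nor written past the buffer.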
Commercial products. The following commercial products were reported to contain vulnerabilities:
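Returning to the pgp4pine report in the Security Reports section above: the fix for a fail-open wrapper is to make the encryptor's exit status, not the presence of some output, decide whether a message may leave. The following is an added example, not pgp4pine's or GnuPG's code. The function names (run_encryptor, encrypt_or_refuse) are assumptions, and the "encryptors" used in main() are stand-ins (tr, sh) so that the program runs without GnuPG installed; with GnuPG the argv would be something like gpg --encrypt --armor --recipient ... instead.

```c
/* Added illustration for the pgp4pine report above (not pgp4pine's or GnuPG's
 * code): run an external encryptor and fail closed.  Nothing is returned to
 * the caller unless the child exited normally with status 0, produced output,
 * and that output differs from the plaintext.  Function names are assumptions;
 * the "encryptors" in main() are stand-ins (tr, sh) so this runs without gpg. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Feed plain[0..plain_len) to argv on stdin and collect its stdout.
 * Returns 0 and a malloc'd buffer in *out on success; -1 with *out == NULL
 * on any failure (pipe/fork/exec error, non-zero exit, death by signal,
 * empty output, or output identical to the input).  Meant for message-sized
 * input: stdin is written in full before stdout is read, so input larger
 * than the pipe buffers could stall against a child that streams output. */
int run_encryptor(char *const argv[], const char *plain, size_t plain_len,
                  char **out, size_t *out_len)
{
    int in[2], outp[2];
    *out = NULL; *out_len = 0;
    if (pipe(in) < 0 || pipe(outp) < 0) return -1;
    signal(SIGPIPE, SIG_IGN);       /* a child that never reads stdin must
                                       give us EPIPE, not kill us */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(in[0], STDIN_FILENO);
        dup2(outp[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(outp[0]); close(outp[1]);
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed: surfaces as non-zero exit */
    }
    close(in[0]); close(outp[1]);
    for (size_t done = 0; done < plain_len; ) {
        ssize_t n = write(in[1], plain + done, plain_len - done);
        if (n <= 0) break;          /* EPIPE etc.: the exit status decides */
        done += (size_t)n;
    }
    close(in[1]);                   /* EOF for the child */
    size_t cap = 4096, len = 0;
    char *buf = malloc(cap);
    while (buf) {
        if (len == cap) {
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); buf = NULL; break; }
            buf = nb; cap *= 2;
        }
        ssize_t n = read(outp[0], buf + len, cap - len);
        if (n < 0) { free(buf); buf = NULL; break; }
        if (n == 0) break;
        len += (size_t)n;
    }
    close(outp[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || buf == NULL) { free(buf); return -1; }
    /* Fail closed.  A refused (expired) key, a crash, an exec failure,
     * "success" with nothing written, or a pass-through all land here. */
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0 || len == 0 ||
        (len == plain_len && memcmp(buf, plain, len) == 0)) {
        free(buf);
        return -1;
    }
    *out = buf; *out_len = len;
    return 0;
}

/* Convenience wrapper: run `cmd` under sh -c as the encryptor.  Returns 1 and
 * copies the NUL-terminated result into dst when the message may be sent,
 * 0 when it must not be (including when the result does not fit in dst). */
int encrypt_or_refuse(const char *cmd, const char *plain, char *dst, size_t dstsz)
{
    char *const argv[] = { "sh", "-c", (char *)cmd, NULL };
    char *ct; size_t ct_len;
    if (run_encryptor(argv, plain, strlen(plain), &ct, &ct_len) != 0) return 0;
    if (ct_len >= dstsz) { free(ct); return 0; }
    memcpy(dst, ct, ct_len);
    dst[ct_len] = '\0';
    free(ct);
    return 1;
}

int main(void)
{
    char out[256];
    const char *msg = "meet at noon\n";                   /* constructed */
    const char *cases[] = { "tr a-z A-Z", "exit 2", "kill -9 $$", "exit 0", "cat" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int ok = encrypt_or_refuse(cases[i], msg, out, sizeof out);
        printf("%-12s -> %s", cases[i], ok ? out : "REFUSED (not sent)\n");
    }
    return 0;
}
```

"exit 2" plays the role of GnuPG refusing an expired key, "kill -9 $$" a crashed encryptor, "exit 0" an encryptor that succeeds without writing anything, and "cat" one that passes the plaintext straight through; only the tr stand-in is accepted. Checking WIFEXITED as well as WEXITSTATUS matters: a child killed by a signal has no exit code, and code that only looks at the low byte of the status can mistake a signal death for success.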
Updates

Multiple ssh/OpenSSH vulnerabilities. Multiple vulnerabilities in ssh and OpenSSH have been reported over the past few weeks, including a remotely exploitable integer overflow (February 15th), a brute-force password vulnerability (February 8th) and a session key recovery vulnerability (February 8th). Currently, upgrades to SSH 2.4 and OpenSSH 2.3.0p1 should fix these problems. This week's updates:
Multiple glibc vulnerabilities. Several glibc vulnerabilities have been reported in recent weeks. Since glibc updates generally address all of the problems rather than one specific problem, the update reports for them have been combined. For the original reports, check the January 18th, 2001, LWN Security Report under the topics "glibc RESOLV_HOST_CONF preload vulnerability" and "glibc local write/ld.so.cache preload vulnerability". This week's updates:

Previous updates:
Kerberized telnetd. Check the December 28th, 2000 LWN Security Summary for the original report. Telnetd's willingness to accept arbitrary environment variables from the client, combined with a buffer overflow in the Kerberos v4 library, allows a local root exploit. This week's updates:

Previous updates:
Resources

OpenSSH 2.5.1. OpenSSH 2.5.1 was released this week. New features for the SSH 2 protocol include agent forwarding, support for -R (remote port) forwarding, RSA host and user keys, and extended support for older SSH 2 protocol implementations. In addition, Damien Miller contributed an interactive sftp client, and David Mazieres' ssh-keyscan has been added. Note that the transition to OpenSSH 2.5.1 is not 100% transparent. 2.5.1 supports three different key types: RSA1 (used only by the SSH 1 protocol), and RSA and DSA (used by the SSH 2 protocol implementation). Check the announcement for details on generating the newer keys. The portable OpenSSH version 2.5.1 has also been released.

Analysis of the integer overflow vulnerability in SSH. The week of February 15th, a remotely exploitable integer overflow in SSH was reported. This week, Paul Starzetz posted an analysis of this vulnerability, which he called "neither a typical buffer overflow exploit (shell code) nor a format string exploit".

TMPDIR scripts. The CVS repository for Bastille contains a group of TMPDIR scripts that will be included in the next version of Bastille, reports Peter Watkins. "The scripts allow you to put TMPDIR somewhere other than $HOME (say, local /tmp if $HOME is on NFS), to keep track of TMPDIRs on a host-by-host basis, to hide the number of files and last access time of $TMPDIR, etc".

Paper: Examining Remote OS Detection using LPD Querying. f0bic has published a paper entitled "Examining Remote OS Detection using LPD Querying", which examines the behavior of the line printer daemon (TCP port 515) under various operating systems as another source of information for determining the type of a remote operating system. A proof-of-concept tool has also been developed and made available.

Events

Call for Papers: LISA 2001 Security Track. A call for papers has gone out for the Security Track at the upcoming Large Installation System Administration (LISA 2001) conference, scheduled December 2nd through 7th, 2001, in San Diego, California, USA. LISA is a USENIX-sponsored event.

Upcoming security events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out SecurityFocus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh
February 22, 2001