
Security


News and Editorials

Vulnerability Reporting: Bugs in the bug reporting process (CORE-SDI). Volume 3, Issue 3 of Insight, a newsletter from The Internet Security Conference, contains a column by Ivan Arce, Founder and Chairman of the Board of CORE-SDI, which discusses the problems in the current ad-hoc process for reporting security vulnerabilities. The column lays out a detailed list of the steps possibly involved in a given security report, then outlines many of the ways in which that process can break down. Near the end, he recommends a simplified set of guidelines:

The guidelines: A feeble attempt at improving the process

(1) Vulnerability reporting costs money: Keep it simple and everybody wins.

All the involved parties (discoverer, proxy, vendor, trusted third party, user) must invest a certain amount of effort to fix bugs. All parties have finite resources and therefore it costs them money. Streamlining the process and addressing the problems in a responsible and timely fashion reduces the efforts for all parties.

(2) Communication is key.

The best way to streamline the process and ensure cooperation is to maintain every party informed of what is going on. When that fails, unilateral actions take place that could put all at risk.

(3) Minimize harm.

Conduct all activities bearing in mind that the end goal is to improve the overall security and minimize the harm to all parties. Although this sounds obvious, the ultimate goal can be obscured during the process; evaluate your actions accordingly.

Extend the benefit of doubt, do not impute motives.

From here, though, he goes on to end with a recommendation to "formalize and implement a vulnerability reporting process". That opens many cans of worms: who is involved in "formalizing" such a process, and, once it is formalized, what are the penalties for non-conformance? The "who" is mentioned at the beginning of the article, which was inspired by discussions at SafeNet2000, an invitation-only gathering sponsored by Microsoft that was held last December. Apparently as a result of that gathering, work to formalize the process is already underway. Neither the sponsor nor the invitation-only nature of that gathering recommends it to us.

The article does a good job of showing why the ideal process of reporting vulnerabilities will always be impacted by reality (insufficient resources, poor vendor response, multiple discoverers, active exploits, etc.), in short, why a formalized process will always tend to break down. Add to that the danger of allowing a closed (invitation-only) group to define, implement and potentially enforce a formal process and it seems like we might end up exchanging one set of problems for a less-appealing set.

Starting and ending with the simple guidelines suggested seems like a better idea.

WEP: No weapon against hackers (ZDNet). You might assume that this latest ZDNet article on WEP was also talking about the cryptographic issues with WEP, which have been mentioned in the last couple of weeks. You'd be wrong. Instead, it looks at the issue of keeping trespassers off of your wireless LAN. "Controlling access to wireless networks is an increasingly difficult challenge for network administrators. Unlimited access means that anyone with a wireless network card could gain access to the network. On the other hand, highly restricted access negates the benefits of going wireless and annoys the users."

More SSH articles. For those still with stamina to handle more editorial coverage of the SSH trademark issue, C|Net's Robert Lemos has written an article entitled, "Ssh! Don't use that trademark". "'Regardless of its origins, the word has become the generic description for this type of software,' said Michael Bednarek, an intellectual property attorney at Washington, D.C.-based law firm Shaw Pittman. 'As far as I can tell, there is no other name for it.'"

Security Reports

Security hole in Java may expose servers (News.com). Sun has issued a warning that a bug in Java Runtime Environments for multiple platforms, including Linux, may allow an attacker to run harmful programs on a server, though client systems running browsers should be unaffected.

Linux-Mandrake security advisory for CUPS. Linux-Mandrake has issued a security advisory for the CUPS printing packages. An internal audit found buffer overflow and temporary file creation problems. It is highly recommended that all Linux-Mandrake users upgrade to this new version of CUPS.

sudo buffer overflow. A buffer overflow in Sudo, apparently discovered by Chris Wilson, has been fixed in the just-released sudo 1.6.3p6.

Zope security update. Digital Creations has released a security update to Zope (all versions up to 2.3b1) fixing a security vulnerability in how ZClasses are handled. An upgrade is recommended.

elm alternate folder buffer overflow. A buffer overflow in elm 2.5 PL3 was demonstrated this week. It can be exploited by passing a long string in via the "-f" option. No patch or updated version has yet been reported. Check BugTraq ID 2403 for more details.

PHP-Nuke magic quotes vulnerability. A new vulnerability in PHP-Nuke was reported this week which can allow any user to execute commands with the privileges of the PHP-Nuke administrator. This occurs because magic_quotes_gpc is expected to be enabled; if it is disabled, then information continues to be read even after a NULL character is seen. An upgrade to PHP-Nuke 4.4.1 will fix the problem. Note, however, that any PHP script that expects Magic Quotes to be enabled could have this same problem. Here is a recommended tip to prevent such problems.
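As an added example (not PHP-Nuke's code, and not the tip the item above links to), the following Python models the class of bug just described: a script that assumes magic_quotes_gpc is on sees a different string from the C-level consumer (filesystem, exec) when the setting is off, because the C side stops at the first NULL byte while the script keeps reading. The function names, the modelled escaping rules and the constructed sample values are this example's own assumptions; the point is to canonicalize input and reject embedded NULs yourself rather than trusting the runtime setting.

```python
"""Added example: request-parameter handling that does not rely on
magic_quotes_gpc.  Models in Python the situation described in the
PHP-Nuke report; function names and sample values are constructed here.
"""

NUL = "\x00"


def strip_magic_quotes(value: str) -> str:
    """Undo the escaping magic_quotes_gpc applies to GET/POST/cookie data
    (a backslash before ' " \\ and NUL, the NUL written as \\0), so later
    code sees the same bytes whether or not the setting was on."""
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in "'\"\\0":
            nxt = value[i + 1]
            out.append(NUL if nxt == "0" else nxt)
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def c_string_view(value: str) -> str:
    """What a C string consumer (open(2), exec, strcpy) sees: the bytes up
    to the first NUL.  A PHP string carries its length and keeps the rest."""
    return value.split(NUL, 1)[0]


def disagreement(value: str) -> bool:
    """True when the script's view of a value and the C view differ."""
    return c_string_view(value) != value


def validate_param(raw: str, magic_quotes_on: bool) -> str:
    """Canonicalize a request parameter and reject embedded NUL bytes.

    With magic quotes on, a NUL arrives as the two characters \\0; after
    canonicalizing it is a real NUL again and is refused just the same.
    With magic quotes off, the raw NUL would otherwise reach the C-level
    consumer, so it is refused here, before any escaping or use.
    """
    value = strip_magic_quotes(raw) if magic_quotes_on else raw
    if NUL in value:
        raise ValueError("embedded NUL byte in request parameter")
    return value


def is_accepted(raw: str, magic_quotes_on: bool) -> bool:
    """Convenience wrapper: does validate_param() accept this input?"""
    try:
        validate_param(raw, magic_quotes_on)
        return True
    except ValueError:
        return False


def escape_for_sql(value: str) -> str:
    """Escape at the point of use instead of trusting an ini setting.
    Mirrors addslashes(); parameterized queries are the better tool."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


if __name__ == "__main__":
    # Constructed sample: a file-name parameter with a NUL in the middle.
    sample = "index.php" + NUL + ".txt"
    print("script sees:", repr(sample), " C sees:", repr(c_string_view(sample)))
    print("views disagree:", disagreement(sample))
    print("accepted with magic quotes off:", is_accepted(sample, False))
    print("accepted with magic quotes on (escaped as \\0):",
          is_accepted("index.php\\0.txt", True))
```

The order of operations matters: strip the runtime's escaping first so both configurations produce identical bytes, then reject NULs, then apply whatever escaping the destination actually needs. A script that only escapes (or only trusts the setting) never sees the mismatch.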

joe file handling vulnerability. The configuration file for the joe editor, .joerc, is read first from the current directory, if available, making it possible to trick users into executing commands if they edit/open a file in a directory with a malicious .joerc file installed. No workaround/vendor solution has been posted yet, though theoretically a patch should be fairly easy to implement, by removing the check for the configuration file in the local directory and restricting the file to the user's home directory or the appropriate system directory.

An informal report indicates that FreeBSD and NetBSD are vulnerable to this, but that OpenBSD is not. No Linux-specific reports have been posted.
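The fix sketched above for joe, as an added example written in Python rather than joe's own C (this is not joe's code, and the file names, directory layout and ownership checks are assumptions of this example): the lookup consults only the user's home directory and the system directory, never the current working directory, and additionally refuses a candidate that is not a regular file owned by the user or root, or that is writable by anyone else. The demo plants a .joerc in a directory that stands in for the working directory and shows it is never picked up.

```python
"""Added example: configuration-file lookup that never reads from the
current directory.  Not joe's own code; file names (.joerc in $HOME,
joerc in the system directory), layout and trust checks are assumptions.
"""
import os
import stat
import tempfile


def candidate_rc_paths(home: str, sysdir: str):
    """Search order: the user's home directory, then the system directory.
    The current working directory is deliberately absent from the list."""
    return [os.path.join(home, ".joerc"), os.path.join(sysdir, "joerc")]


def is_trusted_rc(path: str, uid: int) -> bool:
    """Accept a regular file owned by the user or root that nobody else can
    write.  lstat() is used so a symlink planted at the path is rejected."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid not in (uid, 0):
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def find_rc(home: str, sysdir: str, uid: int):
    """First trusted candidate, or None (the editor then uses defaults)."""
    for path in candidate_rc_paths(home, sysdir):
        if is_trusted_rc(path, uid):
            return path
    return None


def demo():
    """Build a throwaway layout with a planted .joerc in a shared directory,
    chdir into it, and return what the lookup does at each step."""
    uid = os.getuid()
    saved_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home")
        shared = os.path.join(root, "shared")   # a directory others can write
        sysdir = os.path.join(root, "etc")
        for d in (home, shared, sysdir):
            os.mkdir(d)

        planted = os.path.join(shared, ".joerc")
        with open(planted, "w") as f:
            f.write("# planted by someone else\n")
        os.chmod(planted, 0o666)

        os.chdir(shared)                         # editing a file in there
        try:
            before = find_rc(home, sysdir, uid)  # no trusted rc yet: None

            own = os.path.join(home, ".joerc")
            with open(own, "w") as f:
                f.write("# the user's own settings\n")
            os.chmod(own, 0o600)
            found_own = find_rc(home, sysdir, uid) == own

            os.chmod(own, 0o666)                 # loosened: no longer trusted
            after_loosen = find_rc(home, sysdir, uid)
        finally:
            os.chdir(saved_cwd)

        return before, found_own, after_loosen, is_trusted_rc(planted, uid)


if __name__ == "__main__":
    print(demo())   # (None, True, None, False)
```

Dropping the working directory from the search path is the essential change; the ownership and write-permission checks are a second line of defence for the case where the home directory itself is reachable by others.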

Slackware IMAP exploit. A short note in the slackware-current changelog commented that all previous versions of imapd (which is installed by default for Slackware distributions) had a remote exploit problem. This was slightly puzzling to us, since we hadn't heard of a new imapd vulnerability and Slackware issued an update for imapd in November that fixed the most recent vulnerability that we knew of.

Wednesday, though, an update to the Slackware Changelog cleared up the confusion:

Tue Feb 27 15:31:05 PST 2001
n1/imapd.tgz: No, the package wasn't changed. But, there's an update regarding the supposed imapd overflow. It was reported to us that an exploit existed for the version of imapd previously used by Slackware, but after obtaining a copy of the exploit from this site: http://packetstorm.securify.com/0102-exploits/imapd_exploit.c ...we found it to be completely ineffective. Still, it never hurts to keep daemons that provide network services as up-to-date as possible, so if you're running imapd you should consider upgrading.

web scripts. The following cgi-bin scripts were reported to contain vulnerabilities:

  • Mailnews.cgi is reported to contain a user-supplied input vulnerability, which can be exploited to remotely execute arbitrary shell commands. No patch or vendor response has been reported so far.

  • Adlibrary.pm, a perl-based package from Adcycle.com, is reported to contain a vulnerability that can be exploited remotely to execute arbitrary commands. This is due to insufficient screening of user input. No patch or vendor response has been reported so far.

Commercial products. The following commercial products were reported to contain vulnerabilities:

  • Marconi ASX-1000, a commercial ATM switch, is reported to contain a vulnerability that can be used to disable remote administration of the device (until it is power-cycled). No patch or vendor response has been reported so far.

  • Cisco IOS Software contains an SNMP Read-Write ILMI Community String vulnerability, which might make the device using the software vulnerable to a denial-of-service attack. Cisco is offering free updates to fix the problem.

  • A second Cisco IOS Software vulnerability report details multiple vulnerabilities related to the unexpected creation and exposure of SNMP community strings. They can be exploited to permit unauthorized viewing or modification of devices. Specific workarounds are provided, along with a table of related updates.

  • Chili!Soft responded to several recently discussed vulnerabilities in Chili!Soft ASP. In some cases, workarounds are offered; in others, it is promised that they will be addressed in the next release.

  • Shortly after the above Chili!Soft note was posted, Jim Sander responded with yet another vulnerability, in which the Chili!Soft ASP license file, installed by default as a world-readable and writable file, can be removed by any user, causing the Chili!Soft services to stop functioning.

  • The APC web/snmp management card, available as an option for some APC products (power management), contains a potential denial-of-service vulnerability, reachable via a telnet connection to the card. APC has responded by recommending that the APC product be firewalled to protect it from connections originating outside the local area network.

  • The Netscape Collabra Server has been reported to be vulnerable to a denial-of-service attack via malicious packets sent to the 119, 5238, 5239 and 20749 ports. Filtering those ports is recommended; no vendor response has been seen so far.

Updates

Analog buffer overflow. An exploitable buffer overflow in analog was reported in the February 22nd LWN Security Summary. Version 4.16 contains a fix for the problem, which affects all earlier versions.

This week's updates:

Multiple vulnerabilities in bind 8.2.2 and bind 4. Check the February 1st LWN Security Summary for the initial reports. Bind 8.2.3 contains fixes for the problems with 8.2.2. Bind 4 fixes are also available, but an upgrade to bind 8 or even bind 9 is generally considered a preferable approach.

This week's updates:

Previous updates:

Sendmail 8.11.2 security fixes. Check the January 4th LWN Security Summary for the announcement of the release of sendmail 8.11.2. It includes fixes for a number of security issues found after 8.11.1 was released, including the "sendmail -bt negative index bug" reported by Michal Zalewski in October, 2000. Note that the exploitability of this bug was questioned, but in any case, it has been fixed as of sendmail 8.11.2.

This week's updates:

dump-0.4b15 local root access. Check the November 2nd LWN Security Summary for the original report. This exploit only affects dump/restore if they are installed setuid root. As of dump-0.4b18, dump and restore no longer require setuid root. dump 0.4b20 was released in mid-November, 2000, with a fix for this problem.

This week's updates:

Previous updates:

Format string vulnerabilities in PHP. Check the October 19th LWN Security Summary for the original report. PHP 3.0.17 and 4.0.3 contain the fixes for these problems.

This week's updates:

Previous updates:

LPRng format string vulnerability. Check the September 28, 2000 LWN Security section for the first report of format string vulnerabilities in LPRng and lpr.

This week's updates:

Previous updates:

Resources

OpenSSH 2.5.1p2. A new, minor update to the portable version of OpenSSH, 2.5.1p2, has been announced. The new version primarily contains bug fixes, none of them specific to any security problem, but the upgrade is still recommended, in particular for its fixes for the PAM failures seen on Linux (and Solaris) systems.

Events

Upcoming security events.
Date | Event | Location
March 3-6, 2001 | EICAR and Anti-Malware Conference | Munich, Germany
March 26-29, 2001 | Distributed Object Computing Security Workshop | Annapolis, Maryland, USA
March 27-28, 2001 | eSecurity | Boston, MA, USA
March 28-30, 2001 | CanSecWest/core01 Network Security Training Conference | Vancouver, British Columbia, Canada
March 29, 2001 | Security of e-Finance and e-Commerce Forum Series | Manhattan, New York, USA
March 30-April 1, 2001 | @LANta.CON | Doraville, GA, USA
April 6-8, 2001 | Rubi Con 2001 | Detroit, MI, USA
April 8-12, 2001 | RSA Conference 2001 | San Francisco, CA, USA
April 20-22, 2001 | First annual iC0N security conference | Cleveland, Ohio, USA
April 22-25, 2001 | Techno-Security 2001 | Myrtle Beach, SC, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


March 1, 2001

Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds