[LWN Logo]

 Main page
 On the Desktop
 Linux in the news
 Linux History
All in one big page

See also: last week's Security page.


News and Editorials

Strong ES vs Weak ES in TCP/IP implementations. This week, the most prolific discussion on BugTraq focused on the implementation of RFC 1122, which covers the TCP/IP communications protocol layers: link layer, IP layer, and transport layer. In the portion that discusses how to handle multi-homed hosts and the implementation of the loopback device, the RFC is somewhat ambiguous, providing two possible implementations without recommending between them. This week, a note was posted that pointed out the security implications of one of those two implementations.

Elias Levy posted an excerpt of the portion of the RFC that applies to this issue. The two implementations it describes are entitled "Strong ES Model" and "Weak ES Model". Under the Strong ES Model, packets arriving from one network interface will not be forwarded to other network interfaces unless forwarding is enabled. Under the Weak ES Model, the reverse is true, packets will be forwarded even with forwarding disabled. The Weak ES Model is the one that has some people concerned.

Why would this be a problem? Take a common setup, a host with two ethernet cards, one connected to an external network and the other connected to an internal network. If IP forwarding is disabled, an administrator might assume that a network service that listens only on the internal interface is not accessible to probing from hackers coming in on the external interface. Under the Weak ES Model, this is incorrect; unless a firewall is in place to prevent it, packets coming in on the external interface can be forwarded to the internal interface and therefore access (and possibly exploit) that network service.

So what model does Linux use? Following the BugTraq thread, we did not get a consistent answer. The original post claims that Red Hat 6.2 is not affected, other posts claim that Linux 2.2 follows the Weak ES model while 2.4 does not, still others claim that they've tested Linux 2.2.16 and it is not vulnerable, while tests of Linux 2.4 show that it is vulnerable. At this point, we can only sum it up by saying, "We don't know" (but we'll ask our resident kernel expert to look into it ...).

So two camps emerge from the discussion. One camp feels strongly that, because the Strong ES Model is slanted towards providing more security, it should be the default model (if not the only model). It is true that we are all advocating moving Linux in the direction of security-by-default; would the Strong ES model be a best-fit as a result?

The other camp quickly pointed out the functionality currently in use that depends on the Weak ES Model, including load balancers such as the Linux Virtual Server project, upon which Red Hat Piranha is based. In addition, there was a strong feeling that any security issues associated with the Weak ES Model can be fixed via a properly-configured local firewall.

In the end, the ability to choose between the Strong ES Model and the Weak ES Model seems to be highly desirable. Which model is chosen as the default can be easily left to the Linux distribution, possibly eventually defaulting to the Strong ES Model, as long as changing the configuration is a simple matter. Whether or not that gets done, of course, is a decision that will be made by the kernel developers.

Meanwhile, a clear problem that has been identified is the failure of our current HOWTOs to document the current model being used and the security implications of that model. Right now, systems administrators do not have the correct information they need to make the right configuration choices.

Uncovering the secrets of SE Linux: Part 1 (IBM developerWorks). Author Larry Loeb looks at the SE Linux code, the open sourced security-enhanced version of the Linux 2.2 kernel released by the National Security Agency. "If you haven't been following the cryptography area lately, let me assure you that this action by the NSA was the crypto equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fishes, and then inviting everyone to come over to his place to watch the soccer game and have a few beers."

A review of Intrusion Detection Systems. Back in January, we briefly discussed free software Intrusion Detection systems. This month, Dragos Ruiu has posted an in-depth evaluation of Snort, along with several commercial IDS systems; it's a worthwhile read for anyone interested in deploying an intrusion detection system. "IDS is a relatively new technology, but it is increasing in popularity, driven by the number of people starting to entrust valuable or mission-critical data to computer systems that they feel a need to install good risk management for. Along with this popularity comes a large number of commercial entrants, and new products, all with varying marketing claims - making purchase and evaluation difficult, particularly as the operation of these early-generation systems is still an enormously technical task, requiring a fairly deep and broad knowledge of networking protocols and technology."

The review shows the investment of a great deal of time and research; we look forward to the promised updated versions over time.

Turbolinux issues updated public key. Turbolinux has a new public key. Turbolinux users will want to download the new key in order to properly check the signatures on new Turbolinux security updates.

Security Reports

Apache directory listing error. In some circumstances, Apache 1.3.18 and earlier can be made to display a directory listing instead of an error message, by artificially creating a very long path with many slashes. A fix for the problem can be found in the recently-released Apache 1.3.19. Check this SecurityPortal posting for more details.

/bin/mail buffer overflow. A buffer overflow in /bin/mail was reported by SosPiro to the vuln-dev mailing list on February 28th, 2001. Note that the buffer overflow is not exploitable unless the binary is setuid or setgid, a configuration issue that differs between distributions. A quick check of the permissions on your local system is recommended, especially since the permissions may not be the same as the distribution's installation defaults.

PHP-Nuke 4.4.1a saveuser vulnerability. Security reports for PHP-Nuke continue to come in fast and furiously. This week, PHP-Nuke 4.4.1a was reported vulnerable via its saveuser function, which does not check input rigorously enough and, as a result, can be used to change another user's email address or gain their password. However, saveuser was singled out solely as a demonstration; apparently other PHP-Nuke functions can be exploited in the same manner. No patch or response from the PHP-Nuke team has been seen yet.

PHP 4.0.4 IMAP fix repercussions. A security fix for IMAP in PHP 4.0.4 can unfortunately break under some circumstances, causing the IMAP module to fail. PHP 4.0.4pl1 appears to contain a fix for the problem. Alternately, a patch for the problem is available that closes the original buffer overflow but reverts IMAP behavior otherwise back to match 4.0.3.

Mailman potential privacy hole. A potential privacy hole in Mailman has been fixed in the latest release, Mailman 2.0.2. The hole could allow list administrators to gain user passwords. Directly, the user passwords would be of little use to an administrator, but since many people use the same password in multiple places, the privacy violation is a concern. This is a recommended upgrade, if not for the privacy concern, then due to other "important" bug fixes in the release.

ePerl buffer overflows. Fumitoshi Ukai and Denis Barbier found and reported buffer overflows in ePerl which can be exploited if ePerl is installed setuid root. ePerl is used to expand Perl statements inside text files. If it is installed setuid root, then it can switch to the UID/GID of the script owner. As a result, even if not installed setuid root by default, some sites may choose to change the permissions to get this functionality.

man2html denial-of-service vulnerability. man2html, a program for converting files from the man page format to HTML, to allow them to be read via a web browser, has been reported to contain a denial-of-service vulnerability. Details on the problem are currently lacking, since we've seen the problem only via the Debian advisory below, at least so far.

mc binary execution vulnerability. Again, we have few details on this vulnerability, since it has not been reported on BugTraq but was instead first seen (by us) via the Debian advisory below, which describes the problem in general without giving technical specifics. It seems that Midnight Commander can be used by one local user to trick another user into executing a random program under uid of the person running Midnight Commander. Andrew V. Samoilov provided a fix for the problem.

web scripts. The following web scripts were reported to contain vulnerabilities:

  • Infopop Ultimate Bulletin Board 5.0.x beta has been reported to contain a vulnerability that can be exploited to retrieve user cookies. An upgrade to Infopop Ultimate Bulletin Board 6.0 Beta should fix the problem.

  • Simple Server, a Java-based HTTP server, has been reported vulnerable to a directory- tranversal problem. No patch or vendor response has been seen so far.

  • post-query, a CGI-based script generally provided as sample CGI code, contains a remotely-exploitable buffer overflow. It is recommended that the script be removed from your system if it is present.

Commercial products. The following commercial products were reported to contain vulnerabilities:

  • SurgeFTP, an FTP server from NetWin that runs on Unix/Linux/Windows, is vulnerable to a local denial-of-service attack. The vendor has issued Build v1.1h of SurgeFTP which fixes the issue. Check BugTraq ID 2442 for more details.

  • Cisco IOS has been reported to contain a vulnerability that can allow the successful prediction of TCP Initial Sequence Numbers. This only impacts traffic originating or terminating on the Cisco itself. Free software upgrades are offered to fix the problem.


Zope security update. Digital Creations released a security update to Zope (all versions up to 2.3b1) fixing a security vulnerability in how ZClasses are handled the week of March 1st. An upgrade is recommended.

This week's updates:

Previous updates:

joe file handling vulnerability. Check the March 1st LWN Security Summary for the initial report.

This week's updates:

CUPS buffer overflow and temporary file creation problems. Check the March 1st LWN Security Summary for the initial report.

This week's updates:

Previous updates:

sudo buffer overflow. Check the March 1st LWN Security Summary for the original report.

This week's updates:

Previous updates:

Analog buffer overflow. An exploitable buffer overflow in analog was reported in the February 22nd LWN Security Summary. Version 4.16 contains a fix for the problem, which affects all earlier versions.

This week's updates:

Previous updates:

LICQ/GnomeICU denial-of-service vulnerability. Check the February 15th LWN Security Summary for the original report, which also noted a similar problem in kicq.

This week, Bill Soudan noted that the CVS code for kicq has been corrected, with thanks to Bernhard Rosenbraenzer at Red Hat.

Multiple vulnerabilities in ProFTPD. Check the February 8th, 2001 LWN Security Summary for details. ProFTPD 1.2.0rc3 contains fixes for all the above problems.

This week's updates:

  • Debian, updated advisory, Motorola 680x0 packages added
  • Debian, updated advisory, this one also fixes two Debian-specific configuration errors
Previous updates:

mgetty tmp file race problem. mgetty was one of twelve packages reported in January to contain tmp file race problems. Check the January 11th LWN Security Summary for the initial report.

This week's updates:

  • Debian, updated advisory, Motorola 680x0 and PowerPC added.
Previous updates:


RAID 2001 - Call for Papers. The Fourth International Symposium on the Recent Advances in Intrusion Detection, better known as RAID 2001, will take place on October 10th through the 12th, 2001, in Davis, CA, USA. The deadline for their Call-for-Papers is coming up soon, March 30th, 2001.

Upcoming security events.
Date Event Location
March 26-29, 2001. Distributed Object Computing Security Workshop Annapolis, Maryland, USA.
March 27-28, 2001. eSecurity Boston, MA, USA.
March 28-30, 2001. CanSecWest/core01 Network Security Training Conference Vancouver, British Columbia, Canada.
March 29, 2001. Security of e-Finance and e-Commerce Forum Series Manhattan, New York, USA.
March 30-April 1, 2001. @LANta.CON Doraville, GA, USA.
April 6-8, 2001. Rubi Con 2001 Detroit, MI, USA.
April 8-12, 2001. RSA Conference 2001 San Francisco, CA, USA.
April 20-22, 2001. First annual iC0N security conference Cleveland, Ohio, USA.
April 22-25, 2001. Techno-Security 2001 Myrtle Beach, SC, USA.

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh

March 8, 2001

LWN Resources

Secured Distributions:
Astaro Security
Engarde Secure Linux
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux

Security Projects
Linux Security Audit Project
Linux Security Module

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

BSD-specific links

Security mailing lists
Linux From Scratch
Red Hat
Yellow Dog

Security Software Archives
ZedZ.net (formerly replay.com)

Miscellaneous Resources
Comp Sec News Daily
Security Focus


Next: Kernel

Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds