
News and Editorials

Adore those kernel modules. It seems highly likely the name of the Adore worm was chosen partially because it provides opportunity for so many humorous headlines and off-hand comments. However, there are a couple of points about the Adore worm that did not come to light before we published last week. The most important point is that the Adore worm, unlike the Ramen and Lion worms of which it was considered to be a variant, is the first worm to use a loadable Linux kernel module to hide its tracks.

We've been discussing the security impact of loadable kernel modules for some time. For example, in June of 2000 a loadable kernel module (capcheck) was released to close a security vulnerability in the kernel (the 2.2 capability bug). That fix demonstrated the reach of loadable kernel modules, making it pretty much inevitable that rootkits such as Knark, and now the Adore worm, would make use of them on behalf of attackers.

Further back than that, though, we also discussed how the ability to load kernel modules can be disabled on a running system by removing CAP_SYS_MODULE from the capability bounding set (see the December 2nd, 1999 Kernel Page for instructions and caveats). Although root has the ability to remove capabilities from the bounding set, only init has the ability to add them back. This means that loadable kernel modules can be used initially, when your system is booted, and then disabled, preventing rootkits like Knark and worms like Adore from using loadable kernel modules to cover their tracks.

Back in 1999 this was considered something that only the most security-conscious sites would be interested in. Nowadays, it is a configuration option that Linux distributors may want to consider seriously, particularly those marketing themselves as secure by default.
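As an added example (not from LWN or the kernel project), here is a small sh script that applies the one-way lock-down described above: it clears CAP_SYS_MODULE (capability number 16) from the 2.2-era /proc/sys/kernel/cap-bound mask and, going beyond this page, falls back to the kernel.modules_disabled sysctl that later kernels provide for the same purpose. The mask helpers are pure arithmetic, so they can be exercised without root.

```shell
#!/bin/sh
# Added example, not LWN's or the kernel's own code. Removes the ability to
# load kernel modules from a running system, as described in the editorial.
# CAP_SYS_MODULE is capability number 16 in include/linux/capability.h.
CAP_SYS_MODULE=16

# Print mask $1 with capability bit $2 cleared. /proc/sys/kernel/cap-bound
# (2.2/2.4 kernels) holds the bounding set as a signed 32-bit integer; the
# default value -1 means "every capability is allowed".
cap_bound_without() {
    mask=$1; bit=$2
    printf '%d\n' $(( mask & ~(1 << bit) ))
}

# Succeed (exit 0) when capability bit $2 is set in mask $1.
cap_bound_has() {
    [ $(( ($1 >> $2) & 1 )) -eq 1 ]
}

# Apply the change on a live system. Once root drops CAP_SYS_MODULE from the
# bounding set only init could restore it, and kernel.modules_disabled can
# only ever be set to 1 until reboot, so run this after every module you
# need has been loaded (for example at the end of rc.local).
disable_module_loading() {
    if [ -w /proc/sys/kernel/cap-bound ]; then
        cur=$(cat /proc/sys/kernel/cap-bound)
        cap_bound_without "$cur" "$CAP_SYS_MODULE" > /proc/sys/kernel/cap-bound
    elif [ -w /proc/sys/kernel/modules_disabled ]; then
        echo 1 > /proc/sys/kernel/modules_disabled
    else
        echo "no interface for disabling module loading found" >&2
        return 1
    fi
}
```

Run disable_module_loading as root only once the boot-time module loads are complete; on a kernel with cap-bound, a subsequent insmod should fail with a permission error.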

Cybercrime Treaty. A commentary on the International Treaty on Cybercrime from a lawyer's perspective marvels at the lack of attention paid to this bill, which could have enormous implications in terms of requiring law enforcement agencies, phone companies, ISPs and more to comply with evidence orders from nations all around the world. "One moment, an Internet provider might be turning over all Bulgarian folk songs on its system to an investigator. The next moment, it might be searching for e-mail traffic between customers in Latvia and the Ukraine".

Federal Computer Incident Response Center contracts out. The Federal Computer Incident Response Center is currently supported by a contract with CERT. According to this report, that will soon change. Day-to-day operations will, instead, be performed by Science Applications International Corp. (SAIC) and its partner Global Integrity Information Security. "The two companies proved their effectiveness during the 'ILOVEYOU' e-mail virus from the Philippines in May 2000. They were able to inform their customer, the Financial Services Information Sharing and Analysis Center, about the virus and how to counteract it hours before even the Defense Department could spread the word to the United States".

PGP Security's NAI Labs Partner With NSA. NAI Labs, a division of PGP Security, announced they are joining with the National Security Agency (NSA) and its other partners to further develop the NSA's Security-Enhanced Linux (SELinux) prototype. The $1.2 million deal will be paid over the life of the two-year contract, and the work will focus on research and development to improve the security of open-source operating system platforms.

Security Reports

ntp remotely exploitable static buffer overflow. An exploit for a static buffer overflow in the Network Time Protocol (ntp) was published on April 4th. This exploit can allow a remote attacker to crash the ntp daemon and possibly execute arbitrary commands on the host. Patches and new packages to fix this problem came out quickly. It is recommended that you upgrade your ntp package immediately. If you cannot, disabling the service until you can is a good idea. For more details and links to related posts, check BugTraq ID 2540.

Netscape 4.76 GIF comment vulnerability. Florian Wesch discovered that Netscape 4.76 displays the comment attached to a GIF file but does not filter the displayed comment in any manner, allowing JavaScript embedded in a comment to be executed directly. This is apparently fixed as of Netscape 4.77, which is available for download from ftp.netscape.com.

IP Filter fragment caching vulnerability. IP Filter is a TCP/IP packet filter used in FreeBSD, NetBSD and OpenBSD. Darren Reed reported a serious vulnerability in IP Filter in which fragment caching can be used to pass through any packet, essentially destroying the function of the firewall. When matching fragments, only the source IP address, destination IP address and IP identification number are checked before the fragment cache is used, and this lookup happens before any rules are checked.

IP Filter 3.4.17 has been released with a fix for the problem. Check BugTraq ID 2545 for additional details.

Multiple FTP daemon globbing vulnerability. The FTP daemons used on BSD (and other Unix) systems have been reported vulnerable to multiple buffer overflows in the glob() function. Check the related CERT advisory for more details.

web scripts. The following web scripts were reported to contain vulnerabilities:

  • talkback.cgi, a CGI script from Way to the Web, is reported to contain a file disclosure vulnerability that can be used to view any file on the host. An updated version of the script has been released.

  • The perl script nph-maillist.pl, part of a web-based email list generator, does not filter input sufficiently and can be used to execute arbitrary commands. An exploit has been published; no vendor response so far. BugTraq ID 2563.

  • Ultimate Bulletin Board (UBB) Version 5.47e, an older but still supported version of UBB, has been reported to be vulnerable to a password bypass in its forum. This can allow an attacker to gain access to any message on the forum, regardless of membership privilege or password requirements. An upgrade to Ultimate Bulletin Board 6.01 should fix the problem.

Commercial products. The following commercial products were reported to contain vulnerabilities:

  • Multiple vulnerabilities have been reported in Alcatel ADSL-Ethernet bridge devices, the most serious of which include both a cryptographic challenge back-door and the ability to remotely load new firmware, potentially including firmware containing sniffers or other attack software. No workaround or fix has been reported so far, nor any vendor response. Check the related CERT advisory for more details. Here is another related posting. BugTraq IDs 2568 and 2566.

  • The Caucho Technology Resin webserver is reported to contain a JavaBean disclosure vulnerability. Resin is a commercial product released under a Developer Source license, meaning that, although development use is free, a license is required to deploy a product that includes or is developed with Resin. This vulnerability allows read access to any known JavaBean file residing on a host running Resin. No fix for this has yet been reported.

  • Cisco has reported that their Content Services (CSS) switch, also known as Arrowpoint, in older releases contains a security vulnerability that can allow a non-privileged user to escalate their privilege level. Free software upgrades are offered to resolve the problem.

  • The Watchguard Firebox II has been reported vulnerable to a denial-of-service attack when subject to bursts of specific malformed packets. The vendor has released an update.

  • The BinTec X4000 Router is reported to be vulnerable to denial of service: a SYN port scan will cause it to lock up. Workarounds for the problem have been posted and include feedback from BinTec.

  • A denial-of-service vulnerability has been reported in the PIX Firewall 5.1. Cisco is working on the problem, but having difficulties recreating it.


ptrace/execve/procfs race condition in the Linux kernel 2.2.18. Exploits were released the week of March 29th for a ptrace/execve/procfs race condition in the Linux kernel 2.2.18. As a result, an upgrade to Linux 2.2.19 is recommended.

Last week, Alan Cox put up the Linux 2.2.19 release notes, finally giving the specifics on all the security-related fixes in 2.2.19 (all thirteen of them!) and giving credit to the Openwall project and Chris Evans for the majority of the third-party testing and auditing work that turned up these bugs. Fixes for the same bugs have also been ported forward into the 2.4.X kernel series.

Previous updates:
  • Immunix (March 29th)
  • Linux 2.2.19 release notes
  • Caldera, 2.2.19 security fixes (April 5th) backported to 2.2.10 and 2.2.14, the kernels used in various Caldera products

VIM statusline Text-Embedded Command Execution Vulnerability. A security problem was reported in VIM last week where VIM codes could be maliciously embedded in files and then executed in vim-enhanced or vim-X11. Check BugTraq ID 2510 for more details.

mailx buffer overflow. Check the March 15th LWN Security Summary for the original report. The buffer overflow is only exploitable if the program is shipped setgid mail.

mc binary execution vulnerability. Check the March 8th LWN Security Summary or BugTraq ID 2016 for more details.

joe file handling vulnerability. Check the March 1st LWN Security Summary for the initial report.

This week's updates:

  • Slackware (from the Changelog, updated April 10th)

Multiple vulnerabilities in splitvt. Multiple vulnerabilities were reported in splitvt in the January 18th LWN Security Summary, including several buffer overflows and a format string vulnerability. An upgrade to splitvt 1.6.5 should resolve the problems.

This week's updates:

  • Slackware (from the Changelog, updated April 10th)
Previous updates:
  • Debian (January 25th)
  • Debian, updated advisory due to package mixup (January 25th)

pico symbolic link vulnerability. Check the December 14th, 2000 LWN Security Summary for the initial report of this problem. Note that this has also been reported as a pine vulnerability, but the vulnerable component is still pico, not pine. Check BugTraq ID 2097 for more details.

This is the first distribution update we've seen for this four-month-old vulnerability.

Trustix Secure Linux 1.4.80. Trustix has announced the release of Trustix Secure Linux 1.4.80, a beta release toward the 1.5 stable version. It is nicknamed "Ooops," and is incompatible with 1.2 in a number of ways; read the announcement closely.

Lion Internet Worm Analysis. Max Vision has posted his analysis of the Lion worm and the three variants of it that have been identified so far. (Thanks to Jose Nazario).

Security Focus announces Malware Repository. Security Focus announced this week that they will be maintaining a repository of malware samples in order to make such software readily available for analysis. "Initially, the page will contain samples for Ramen, Lion, and Adore, plus anything else that comes out between now and then. We will be maintaining copies of new items from now on, and will not be making an attempt to go back in time to get a complete collection, unless someone wants to volunteer a personal collection".

Bastille Linux 1.2.0rc1. Bastille Linux has released version 1.2.0rc1, the first release candidate for the upcoming 1.2.0 release. This version is considered stable enough for use on production systems.

Detecting Loadable Kernel Modules (LKM). Toby Miller has posted a paper on detecting loadable kernel modules. It goes over the basics of loadable kernel modules, /lib/modules, conf.modules and kstat.

Linux Security Module mailing list. Crispin Cowan has announced a new mailing list called linux-security-module. "The charter is to design, implement, and maintain suitable enhancements to the LKM to support a reasonable set of security enhancement packages. The prototypical module to be produced would be to port the POSIX Privs code out of the kernel and make it a module. An essential part of this project will be that the resulting work is acceptable for the mainline Linux kernel".


Upcoming Security Events.

Date | Event | Location
April 12, 2001 | RSA Conference 2001 | San Francisco, CA, USA
April 17 - 18, 2001 | E-Security Conference | New York City, NY, USA
April 20 - 22, 2001 | First annual iC0N security conference | Cleveland, Ohio, USA
April 22 - 25, 2001 | Techno-Security 2001 | Myrtle Beach, SC, USA
April 24 - 26, 2001 | Infosecurity Europe 2001 | London, Britain, UK
May 13 - 16, 2001 | 2001 IEEE Symposium on Security | Oakland, CA, USA
May 13 - 16, 2001 | CHES 2001 | Paris, France
May 29, 2001 | Security of Mobile Multiagent Systems (SEMAS-2001) | Montreal, Canada
May 31 - June 1, 2001 | The first European Electronic Signatures Summit | London, England, UK
June 1 - 3, 2001 | Summercon 2001 | Amsterdam, Netherlands
June 4 - 8, 2001 | TISC 2001 | Los Angeles, CA, USA
June 5 - 6, 2001 | 2nd Annual IEEE Systems, Man, and Cybernetics Information Assurance Workshop | United States Military Academy, West Point, New York, USA
June 11 - 12, 2001 | 7th Annual Information Security Conference: Securing the Infocosm: Security, Privacy and Risk | Orlando, FL, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh

April 12, 2001


Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds