News and Editorials
Red Hat mkpasswd limitations. A limitation in the Red Hat mkpasswd command was discussed on BugTraq this week. Mkpasswd is an expect script that can be used to generate random passwords. Similar to a recently reported problem with a password generator for the Palm, it seems that mkpasswd uses an inadequate seed, based on the process ID, which results in a much smaller pool of passwords than is expected.
Of course, the smaller the pool of passwords, the easier it is to brute-force a password.
In addition to the importance of using a good random seed in the password generator, the need to reseed was also discussed. Using the Tcl 8 rand() function as an example, it was shown that seeding only once produced in the range of 22,000 passwords before duplicates began to occur. The Tcl 8 rand() function uses the system clock for a seed. Alternatively, using a weaker seed but reseeding on each invocation, more than 45,000 passwords were generated without a duplicate occurring.
We expect an update for the Red Hat mkpasswd command will be provided in the near future. Meanwhile, sites that use password generators to assign passwords may want to look more closely at the algorithms upon which they are depending.
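To make the seeding point concrete, here is an added illustration (not the Red Hat mkpasswd expect script, and not code from the BugTraq thread). It mimics the reported flaw by seeding a PRNG with nothing but a process ID, enumerates every password such a generator can ever produce, and contrasts the resulting pool with the nominal keyspace and with a generator that draws each character from the operating system's entropy source. The PID range of 32768 and the 62-symbol alphabet are assumptions for the demonstration.

```python
"""Why a PRNG seeded only from the process ID yields a tiny password pool.

Added example (not mkpasswd itself): weak_password() mirrors the reported
flaw, strong_password() shows the CSPRNG alternative, and weak_pool()
enumerates the whole reachable password space of the weak generator.
"""
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols (assumption)
PID_MAX = 32768                                   # classic pid range (assumption)


def weak_password(pid, length=8):
    """'Random' password whose only entropy is the process ID."""
    rng = random.Random(pid)                      # seed == pid, as in the report
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length=8):
    """Every character comes from the OS CSPRNG; there is no seed to guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def weak_pool(length=8):
    """Every distinct password the PID-seeded generator can ever emit.

    Whatever the requested length, the pool can never exceed PID_MAX
    entries, because the seed fully determines the output.
    """
    return {weak_password(pid, length) for pid in range(PID_MAX)}


def effective_bits(pool_size):
    """Entropy actually delivered: log2 of the reachable pool."""
    return math.log2(pool_size)


def nominal_bits(length, alphabet=ALPHABET):
    """Entropy the password *looks* like it has: log2(|alphabet|^length)."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    pool = weak_pool(8)
    print(f"reachable 8-char passwords with PID seeding: {len(pool)}")
    print(f"effective entropy: {effective_bits(len(pool)):.1f} bits, "
          f"nominal: {nominal_bits(8):.1f} bits")
    print(f"same pid, same password: {weak_password(1234) == weak_password(1234)}")
    print(f"CSPRNG sample: {strong_password(8)}")
```

The takeaway is that password length is irrelevant once the seed space is small: a 16-character password from the weak generator is still one of at most 32768 candidates, which is the situation the mkpasswd report describes.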
Disabling Module Loading Caveat. A piece of information was accidentally left out of last week's lead-in editorial, which talked about using the capability bounding set to disable the loading of kernel modules. In June of 2000, Patrick Reynolds sent in a Letter to the Editor pointing out that "/proc/sys/kernel/cap-bound maps directly to the cap_bset variable in kernel memory". As a result, unless CAP_SYS_RAWIO is disabled (it controls access to /dev/mem), it is possible to use /dev/mem to load new code into the kernel (this will require access to a valid System.map file).
Unfortunately, disabling /dev/mem will break many things, including X and potentially many other user-space programs.
The use of capability bounding sets will still assist in protecting systems from many current rootkits that use loadable kernel modules, but, as common with most security issues, they only provide a partial solution. (Thanks to Neale Pickett for pointing out our error in omitting this information last week).
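The check a practitioner would want here is whether the bounding set actually closes both routes into kernel memory: CAP_SYS_MODULE (module loading) and CAP_SYS_RAWIO (/dev/mem). The following is an added example, not code from LWN, the letter, or the kernel. It decodes the integer that 2.2/2.4 kernels expose in /proc/sys/kernel/cap-bound (the file the letter refers to) using the bit numbers from linux/capability.h; the value -257 is a constructed sample representing a bounding set with every capability except CAP_SETPCAP (bit 8).

```python
"""Decode a 2.2/2.4-era capability bounding set (/proc/sys/kernel/cap-bound).

Added example: the kernel reports the set as a signed decimal integer, one
bit per capability. Bit numbers below are from linux/capability.h.
"""
CAP_SETPCAP = 8
CAP_SYS_MODULE = 16   # load/unload kernel modules
CAP_SYS_RAWIO = 17    # raw I/O, including /dev/mem and /dev/kmem

CAP_NAMES = {CAP_SETPCAP: "CAP_SETPCAP",
             CAP_SYS_MODULE: "CAP_SYS_MODULE",
             CAP_SYS_RAWIO: "CAP_SYS_RAWIO"}


def cap_in_bset(bset, cap):
    """True if capability number `cap` is still in the bounding set.

    Python ints are arbitrary precision, so a sign-extended value such as
    -1 or -257 tests correctly bit by bit without masking to 32 bits.
    """
    return (bset >> cap) & 1 == 1


def drop_caps(bset, *caps):
    """Return the bounding-set value with the given capabilities cleared."""
    for cap in caps:
        bset &= ~(1 << cap)
    return bset


def module_loading_blocked(bset):
    """Both routes described in the article must be closed."""
    return (not cap_in_bset(bset, CAP_SYS_MODULE)
            and not cap_in_bset(bset, CAP_SYS_RAWIO))


def describe(bset):
    """Human-readable summary of the capabilities this example tracks."""
    return {name: cap_in_bset(bset, cap) for cap, name in CAP_NAMES.items()}


def read_cap_bound(path="/proc/sys/kernel/cap-bound"):
    """Read the live value on a kernel that still has this proc file."""
    with open(path) as f:
        return int(f.read().strip())


if __name__ == "__main__":
    sample = -257                                  # constructed sample value
    print("sample:", describe(sample))
    hardened = drop_caps(sample, CAP_SYS_MODULE, CAP_SYS_RAWIO)
    print("hardened:", describe(hardened), "->", hardened)
    print("module loading blocked:", module_loading_blocked(hardened))
```

Note that dropping only CAP_SYS_MODULE leaves the /dev/mem route open, which is exactly the gap the letter pointed out; the function module_loading_blocked() returns False for that configuration.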
Carko distributed-denial-of-service tool. A new distributed denial-of-service tool, named Carko, was reported on various systems this week. Carko is a clone of stacheldraht+antigl+yps, with apparently as little as one source code line difference. However, it has been updated to leverage much newer vulnerabilities, in particular a buffer overflow in snmpXdmid under Solaris.
Although Carko is not currently targeting Linux vulnerabilities, it is a reminder that the problem of distributed denial-of-service attacks has not been resolved. For now, the best defense for all of us is not only to close all vulnerabilities on our own systems in a timely manner, but also to encourage and support everyone else we know to do likewise. Carko is spreading because the availability of hosts with open vulnerabilities is vast.
CRYPTO-GRAM newsletter. Bruce Schneier's CRYPTO-GRAM newsletter for April is out. It covers computer security from a military defensive point of view, the fake Microsoft certificates, and more.
Microsoft: Closed source is more secure (SecurityFocus). SecurityFocus has put up a report from Microsoft security head Steve Lipner's talk at the RSA Conference. "Lipner slammed the open source development process, suggesting that the often-voluntary nature of creating works like the Linux operating system make it less disciplined, and less secure. 'The open source model tends to emphasize design and development. Testing is boring and expensive.'"
Reading through the comments posted to SecurityFocus revealed little support for Lipner's words, but that could be expected from an audience that is both security-savvy and extremely familiar with Open Source software. The most relevant comment we found was from "Will" who pointed out that the majority of advisories from Microsoft credit people outside their own staff for finding the security holes. That indicates that a "dedicated, trained, full time and paid" staff isn't the answer either. Neither closed source nor Open Source software is as secure as it needs to become.
Linux Kernel 2.4 Netfilter/IPTables vulnerability. Under Linux 2.4, IPTables is used for building firewalls. It is implemented under the NetFilter framework, a raw framework for filtering and mangling packets. A vulnerability has been reported in the manner that the RELATED state is implemented which can be exploited to potentially bypass a firewall and access ports that are assumed to be protected.
The NetFilter team has provided a patch for Linux 2.4.3. Note that the patch may be subject to future revision; a URL is provided where the latest version can be found. Presumably the patch, or its future incarnation, will be provided in an upcoming version of 2.4. Meanwhile, the original posting provides details that network engineers will want to examine to improve and tighten the use of the RELATED state.
Samba 2.0.8 security issue. Andrew Tridgell posted a note to BugTraq that Samba 2.0.8 has been released to address a significant security vulnerability that allows local users to corrupt local devices (such as raw disks).
cfingerd format string vulnerability. A format string vulnerability has been reported in cfingerd ("Configurable Finger Daemon") which can be used remotely to gain root privileges and execute arbitrary code. An exploit for this vulnerability has been published and a patch to fix the problem is available.
Debian Security Advisory for exuberant-ctags. Colin Phipps discovered that the exuberant-ctags package, as distributed with Debian GNU/Linux 2.2, creates temporary files insecurely. This has been fixed in version 1:3.2.4-0.1 of the Debian package, and upstream version 3.5. Other distributions that ship this package will also be impacted.
bubblemon kmem permissions vulnerability. bubblemon, an application that displays CPU and memory load as bubbles in a jar of water, is installed setgid kmem under FreeBSD. As a result, it can be exploited to execute arbitrary commands under group kmem. It has not been reported whether or not the same problem crops up on other BSD systems or on Linux. A new version, Bubblemon 1.32, has been released with a fix for the problem.
web scripts. The following web scripts were reported to contain vulnerabilities:
Commercial products. The following commercial products were reported to contain vulnerabilities:
This week's updates:
ntp remotely exploitable static buffer overflow. An exploit for a static buffer overflow in the Network Time Protocol (ntp) was published on April 4th. This exploit can allow a remote attacker to crash the ntp daemon and possibly execute arbitrary commands on the host. Patches and new packages to fix this problem came out quickly. It is recommended that you upgrade your ntp package immediately. If you cannot, disabling the service until you can is a good idea. For more details and links to related posts, check BugTraq ID 2540.
This week's updates:
IP Filter fragment caching vulnerability. Check the April 12th LWN Security Summary for the original report. IP Filter 3.4.17 has been released with a fix for the problem. BugTraq ID 2545.
This week's updates:
Multiple FTP daemon globbing vulnerability. Check the April 12th LWN Security Summary for the original report.
This week's updates:
ptrace/execve/procfs race condition in the Linux kernel 2.2.18. Exploits were released the week of March 29th for a ptrace/execve/procfs race condition in the Linux kernel 2.2.18. As a result, an upgrade to Linux 2.2.19 is recommended.
Last week, Alan Cox put up the Linux 2.2.19 release notes, finally giving the specifics on all the security-related fixes in 2.2.19 (all thirteen of them!) and giving credit to the Openwall project and Chris Evans, for the majority of the third-party testing and auditing work that turned up these bugs. Fixes for the same bugs have also been ported forward into the 2.4.X kernel series.
This week's updates:
OpenSSH 2.5.2p2 released. OpenSSH 2.5.2p2 was announced the week of March 29th. It contains a number of fixes (including improvements in the defenses against the passive analysis attacks discussed in the March 22nd LWN security page) and quite a few new features as well.
This week's updates:
pico symbolic link vulnerability. Check the December 14th, 2000 LWN Security Summary for the initial report of this problem. Note that this has also been reported as a pine vulnerability, but the vulnerable component is still pico, not pine. Check BugTraq ID 2097 for more details.
This is the first distribution update we've seen for this four-month-old vulnerability.
This week's update:
Hacker Tools and Their Signatures, Part One: bind8x.c. Toby Miller has started a series of articles detailing hacker exploits/tools and their signatures. The first article in this series focuses on bind8x.c. "The discussion will cover the details of bind8x.c and provide signatures that will assist an IDS analyst in detecting it. This paper assumes that the reader has some basic knowledge of TCP/IP and understands the tcpdump format".
New Security Mailing Lists. In an apparent effort to lessen the load on the BugTraq mailing list, Security Focus has announced four new mailinglists:
Adore Detection. Duncan Simpson wrote in this week to point out a couple of tools that can be used to detect the Adore worm, including rkscan and checkps 1.3.2. "Checkps 1.3.2 in kill scanning mode should now detect adore due to two additional tests as to whether a pid really exists (adore "fixes" the kill system call)".
Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to firstname.lastname@example.org.
Section Editor: Liz Coolbaugh
April 19, 2001