Security

News and Editorials

A new trend in security reporting? Pre-release advisories. This week marks the first time that we've seen "pre-release" versions of security advisories issued. In this case, "pre-release" advisories of vulnerabilities that are being discussed at this week's Black Hat briefings in Asia were issued by Asher Glynn from Secure Reality Pty in Australia. The vulnerabilities discussed impacted:
Fortunately, patches to fix the reported problems are provided, and the pre-releases indicate that the authors were notified. So are "pre-release" advisories a good thing or a bad thing? What was the motivation for issuing them? It can certainly be viewed as a good thing that a warning of the vulnerability, complete with patches, was shared with the entire community before it was divulged as part of a conference proceedings. On the other hand, the pre-release also serves as a nice advertisement for the upcoming talk. Withholding details of the vulnerability might draw ire from many, but because patches for the problem have already been provided, anyone who wishes to figure out the vulnerability has all the material they need to examine it themselves. So the only value withheld was the full description of the vulnerability: how it was found, how it was fixed, and so on. Overall, we are happy to see a pre-release, rather than no information at all, before details of new vulnerabilities are discussed in a conference setting. It is essential, though, that such pre-releases provide patches or links to fixed versions of the vulnerable software, both to allow people to secure their systems and to provide a means of verifying the existence of the vulnerabilities.

Linux Security Module Project update. On this week's kernel page, Jonathan Corbet takes a look at the Linux Security Module Project, why it exists and how it is implemented. "This work is proceeding quickly; people who have an interest in how security modules hook into the system may want to make their views known before too long".

Researchers face legal threats over SDMI hack (News.com). News.com reports on the threats against Edward Felten and company, who are planning to release the information on how they cracked the Secure Digital Music Initiative watermarking scheme (as covered on this week's front page).
"'Your contemplated disclosure appears to be motivated by a desire to engage in scientific research that will ensure that SDMI does not deploy a flawed system,' the letter says. 'Unfortunately, the disclosure that you are contemplating could result in significantly broader consequences and could directly lead to the illegal distribution of copyrighted material.'"

Finding Fences in Cyberspace: Privacy and Open Access on the Internet (Journal of Technology Law and Policy). Ethan Preston has published a long article in the Journal of Technology Law and Policy which recommends that the term "Cyberspace" move from its current ad-hoc usage in language to being used in a legal sense, to provide a metaphor around which new legal language can be developed to address Cyberspace issues. "Law is based on language; law that diverges from the language that forms its base risks incoherence. Incoherent law is unpredictable. At the same time, facts develop and evolve much more rapidly than language, but injustice ensues if the law does not respond to changing circumstances". [From ISN].

CERT: The Next Generation (InfoWarrior.org). Richard Forno has published an article that takes a look at the changing face of CERT. "The CERT-EIA Internet Security Alliance will fail to be effective for several reasons, not the least of which is that this new organization is charging for services found for free (or cheaper) elsewhere". Also addressing the recent changes at CERT is this article at The Register. "That said, CERT still has its detractors among Internet security specialists, many of whom question the fairness of making current threat information which affects all Net users and systems administrators available to a select few, while everyone else must wait over a month for the free abstracts".

Security updates for Linux-Mandrake 7.0 and earlier discontinued.
At the same time as it announced the release of Linux-Mandrake 8.0, MandrakeSoft also announced that security updates for Linux-Mandrake 7.0 and earlier would no longer be provided. They recommend that you upgrade your system to Linux-Mandrake 7.1, 7.2 or 8.0 (though obviously they would prefer 8.0).

Security Reports

Multiple security fixes in OpenSSL-0.9.6a. Jim Knoble dropped a note to BugTraq this week pointing out that OpenSSL-0.9.6a was announced this week and contains fixes for four security issues. The announcement closes with this message from the OpenSSL team: "We consider OpenSSL 0.9.6a to be the best version of OpenSSL available and we strongly recommend that users of older versions, especially of old SSLeay versions, upgrade as soon as possible". Expect to see new packages from the distributors once they've had a chance to test the new release. Presumably new versions of OpenSSH, compiled against the new OpenSSL, will also be forthcoming.

KFM insecure TMP file creation vulnerability. KFM is the KDE File Manager, provided in versions of KDE prior to KDE 2.X. KFM has been reported to create and use a directory in /tmp in an insecure manner. As a result, a local attacker could easily use this vulnerability to overwrite or replace any file owned by the user running KFM. We checked with Kurt Granroth at KDE and confirmed that no patch for this problem is currently available or planned. "We no longer support KDE1 in any way. The recommended 'patch' for this is to update to KDE2". Unfortunately, the version of KDE currently installed on many (if not most) Linux systems is KDE 1 (witness the popularity of the Red Hat 6.2 implementation). Upgrading to KDE 2, while it can be done without upgrading the entire operating system, will likely be postponed until an operating system upgrade is performed, which leaves a lot of people with a security vulnerability and no quick fix.
Fortunately, the severity of this particular vulnerability is somewhat limited, requiring local access and not providing root privileges (unless someone is unwise enough to be running kfm as root).

NEdit temporary file link vulnerability. NEdit, also known as the "Nirvana Editor", has been reported to contain a temporary file link vulnerability. Browsing through the NEdit.org website and mailing list, we did not see any official patches or updates for the program, so the patches provided by SuSE appear to be the first ones made available, to the best of our knowledge. BugTraq ID 2627.

SAFT/sendfile broken privileges. Sendfile is a Simple Asynchronous File Transfer (SAFT) implementation. SAFT is a relatively new Internet protocol designed to allow people to asynchronously send files to someone without using mail attachments and MIME. This past week, Colin Phipps and Daniel Kobras discovered and fixed several serious bugs in the saft daemon `sendfiled' in which privileges were dropped incorrectly. These bugs could be exploited locally to gain root privileges. BugTraq ID 2631 and .
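The KFM and NEdit items above (and the mgetty item further down) describe the same class of bug: a program creates, or silently reuses, a predictably named file or directory under /tmp and then trusts it, so a local user who plants a symlink or a directory they own at that name controls where the program writes. The following is an added illustration, not KFM's, NEdit's or any distributor's code; the name kfm-cache and the directory layout are assumptions chosen for the example. It puts the insecure pattern beside a hardened one that lets mkdtemp() choose an unpredictable name, creates it atomically, and verifies the result with lstat() before use.

```c
/* Added example (not KFM's or NEdit's code): an insecure /tmp directory
 * pattern of the kind the advisories describe, beside a hardened version.
 * "kfm-cache" / "kfm-XXXXXX" are illustrative placeholder names. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern: a predictable name is created under /tmp, an existing
 * entry is accepted without looking at it, and the path is then trusted.
 * A local attacker who pre-creates /tmp/kfm-cache-<uid> (as a symlink or as
 * a directory they own) decides where the program later writes. */
int insecure_tmpdir(char *out, size_t outlen)
{
    snprintf(out, outlen, "/tmp/kfm-cache-%u", (unsigned)getuid());
    if (mkdir(out, 0700) != 0 && errno != EEXIST)   /* EEXIST is accepted: here is the race */
        return -1;
    return 0;   /* nobody checked who owns the directory */
}

/* Hardened pattern: mkdtemp() picks an unpredictable suffix and creates the
 * directory atomically with mode 0700 (it uses mkdir, which never follows a
 * symlink and fails if the name already exists).  The result is still
 * verified with lstat() before it is trusted. */
int secure_tmpdir(char *out, size_t outlen)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    if (snprintf(out, outlen, "%s/kfm-XXXXXX", base) >= (int)outlen)
        return -1;
    if (mkdtemp(out) == NULL)
        return -1;
    struct stat st;
    if (lstat(out, &st) != 0 || !S_ISDIR(st.st_mode)
        || st.st_uid != getuid() || (st.st_mode & 077) != 0) {
        rmdir(out);
        return -1;
    }
    return 0;
}

/* The check a program that must reuse an existing directory should make:
 * refuse symlinks, non-directories, wrong owners and group/world access.
 * Returns 1 if the path is safe to use, 0 otherwise. */
int tmpdir_is_safe(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;   /* lstat, not stat: do not follow links */
    if (!S_ISDIR(st.st_mode)) return 0;    /* symlink or file planted by an attacker */
    if (st.st_uid != getuid()) return 0;
    if (st.st_mode & 077) return 0;
    return 1;
}
```

The ownership and mode check after mkdtemp() is belt and braces: mkdtemp() already guarantees a fresh 0700 directory, but the same tmpdir_is_safe() logic is what a program needs wherever it has to accept a path it did not just create.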
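The sendfiled item above says only that privileges were dropped incorrectly. The code below is an added example of the general pattern a daemon that starts as root should follow, not sendfile's own code; the target uid and gid are supplied by the caller. Supplementary groups have to go first, the gid before the uid (once the uid is unprivileged, setgid() to a different group fails), and the result is verified by trying to regain root. A second function shows the reversed order for contrast.

```c
/* Added example: dropping root privileges in the right order and verifying
 * the drop.  Illustrative code, not sendfiled's. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Correct order: supplementary groups, then gid, then uid, then verify.
 * Returns 0 on success, -1 if any step fails or root can be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* 1. Supplementary groups: otherwise the process keeps root's group
     *    memberships.  This needs CAP_SETGID; when the program is already
     *    unprivileged EPERM is expected and there is nothing to shed. */
    if (setgroups(1, &gid) != 0 && !(errno == EPERM && geteuid() != 0))
        return -1;

    /* 2. Group id before user id: after setuid() to an unprivileged uid,
     *    setgid() to a different group fails with EPERM. */
    if (setgid(gid) != 0)
        return -1;

    /* 3. User id last.  For a root process setuid() changes real, effective
     *    and saved uid, so no saved uid 0 remains to come back to. */
    if (setuid(uid) != 0)
        return -1;

    /* 4. Verify: regaining root must fail and every id must be what we asked. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* The reversed order.  For a process that started as root, setuid() succeeds
 * but the following setgid()/setgroups() fail with EPERM; a daemon that
 * ignores those return values runs with root's group memberships. */
int drop_privileges_wrong_order(uid_t uid, gid_t gid)
{
    if (setuid(uid) != 0)
        return -1;
    if (setgid(gid) != 0)        /* EPERM once the uid is unprivileged */
        return -1;
    if (setgroups(1, &gid) != 0) /* likewise */
        return -1;
    return 0;
}
```

Checking every return value is the point: a failed setgid() that is ignored is exactly the silent partial drop that turns into a local root hole. On systems that provide setresuid()/setresgid(), setting all three ids explicitly makes the saved-id behaviour independent of whether the caller was root.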
innfeed command-line buffer overflow. A buffer overflow in innfeed was reported this week. It is exploited locally via the "-c" command-line option, and exploits for Intel-based systems have been published. Versions of INN prior to 2.3.0 include the vulnerable innfeed; an upgrade to INN 2.3.0 or later is recommended to resolve the problem.

Commercial products. The following commercial products were reported to contain vulnerabilities:
Updates

Samba local disk corruption vulnerability. Check the April 19th LWN Security Summary for the original report. This problem has been fixed in Samba 2.0.8 and an upgrade is recommended. Note that all versions of Samba from (and including) 1.9.17alpha4 are vulnerable (except 2.0.8, of course). BugTraq ID 2617.

This week's updates:
Linux Kernel 2.4 Netfilter/IPTables vulnerability. Check the April 19th LWN Security Summary for the original report. The NetFilter team has provided a patch for Linux 2.4.3. Note that the patch may be subject to future revision; a URL is provided where the latest version can be found.

This week's updates:
cfingerd format string vulnerability. Check the April 19th LWN Security Summary for the original report. This can be exploited remotely to gain root privileges and execute arbitrary code.

This week's updates:

Previous updates:
Hylafax format string vulnerability. Check the April 19th LWN Security Summary for the original report. Hylafax has released patches to fix the problem.

This week's updates:

Debian Security Advisory for exuberant-ctags. Check the April 19th LWN Security Summary for the initial report.

This week's updates:
Netscape 4.76 GIF comment vulnerability. Check the April 12th LWN Security Summary for the original report. The vulnerability can be used to embed executable JavaScript in GIF comments, which is then executed by the viewer when the GIF file is loaded. This has been fixed in Netscape 4.77, which is available for download from ftp.netscape.com.

Note that the Immunix update for Netscape, listed below, is not StackGuarded. Apparently Netscape doesn't rebuild under StackGuard easily. The Immunix team did note that they have a version of Mozilla compiled with StackGuard which required "a few hacks". They are not directly supporting it, but would be happy to turn the patches over to a Mozilla developer, if there is anyone interested.

This week's updates:

Previous updates:
Multiple FTP daemon globbing vulnerabilities. Check the April 12th LWN Security Summary for the original report.

This week's updates:

Previous updates:

IP Filter fragment caching vulnerability. Check the April 12th LWN Security Summary for the initial report. IP Filter 3.4.17 has been released with a fix for the problem. BugTraq ID 2545.

This week's updates:

ptrace/execve/procfs race condition in the Linux kernel 2.2.18. Exploits were released the week of March 29th for a ptrace/execve/procfs race condition in the Linux kernel 2.2.18. As a result, an upgrade to Linux 2.2.19 is recommended. The Linux 2.2.19 release notes give the specifics on all the security-related fixes in 2.2.19 (all thirteen of them!) and give credit to the Openwall project and Chris Evans for the majority of the third-party testing and auditing work that turned up these bugs. Fixes for the same bugs have also been ported forward into the 2.4.X kernel series.

This week's updates:

Previous updates:
licq URL checking problem. Check the March 22nd LWN Security Summary for the original report.

This week's updates:

Previous updates:

slrn buffer overflow. Check the March 15, 2001 LWN for the original report.

This week's updates:

Previous updates:

sudo buffer overflow. Check the March 1st LWN Security Summary for the original report.

This week's updates:

Previous updates:

mgetty tmp file race problem. mgetty was one of twelve packages reported in January to contain tmp file race problems. Check the January 11th LWN Security Summary for the initial report.

This week's updates:

Previous updates:
Resources

Know Your Enemy: Honeynets. LinuxSecurity.com features an article this month entitled "Know Your Enemy: Honeynets". Written by the Honeynet Project, this article describes what a Honeynet is and how to build one of your own. "A Honeynet is a tool for learning. It is a network of production systems designed to be compromised. Once compromised, this information is captured and analyzed to learn about the blackhat community. This idea is similar to honeypots, but there are several differences". The paper is also available directly on the Honeynet Project site, along with the results from the April Scan of the Month. Perhaps most interesting, though, are these comments from Lance Spitzner of the Honeynet Team. In them, he mentions a growing trend among script kiddies: don't bother to check whether or not a system is vulnerable first, just try the exploit and move on to the next system if it fails. "We have confirmed this brute force approach with the Honeynet Project. We have several different operating systems within our Honeynet, to include both Linux and Solaris. Often both systems are attacked with the same exploit, even though the attacks are architecture dependent (such as X86 or Sparc)". What is the impact of this change in tactics? A lot more intrusion attempts and a lot more bandwidth usage, for a start.

Common threads (IBM developerWorks). For flexible (and fun) network security, this IBM developerWorks article shows how to create and use dynamic iptables firewalls.

MaraDNS 0.5.13 released. Another entrant into the field of alternative domain name servers, MaraDNS 0.5.13 is the latest version of this new Open Source name server. "Currently, MaraDNS is an authoritative-only nameserver. In other words, she has no support for caching or for "recursive name queries". I plan on having a stable release of MaraDNS with this ability released in early June". MaraDNS is public domain code.
While this is just about as free as code can get, the lack of copyleft protection will make it less desirable to many who prefer not to see their contributions potentially used in non-Open Source projects. Check the MaraDNS website for more information.

Netping. Lukasz Luzar has released a tool he calls netping. "I wrote a nice tool for scanning of networks to determine whether ICMP direct broadcast addressing is enabled (old, but still dangerous "smurf attack" issue)".

Events

Upcoming Security Events.

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh
April 26, 2001