
Security


News and Editorials

CylantSecure for Linux. We generally don't profile new commercial products for Linux on this page, preferring to focus on Open Source products and solutions instead. However, the announcement of the availability of CylantSecure for Linux caught our eye for a couple of reasons.

The first reason, a quite positive one, was the approach used by the product. Most current intrusion detection systems look either at the input to the system (e.g., network connections, attack signatures) or at the output from the system (file checksums, etc.). CylantSecure looks instead at the behavior of the system itself: it builds a model of what the "normal" behavior of the CPU is when in production use, detects "abnormal" behavior, and actively drops connections or terminates processes that display it.

This was interesting to us because it, in many ways, resembles how a good systems administrator monitors a system, or would monitor a system, if they had the time to watch it closely 24 hours a day. The system administrator knows what the machine is used for, the people that use it and the behavior of the machine under normal load. Abnormal behavior means something needs to be fixed, whether the "something" is a security problem, a network problem, a disk problem, etc. So a security model that scientifically models the behavior that a system administrator "learns" as part of the job, was definitely of interest.

The second reason CylantSecure for Linux caught our eye, though, was its implementation. To be specific, its implementation includes the use of binary kernel modules, which gave us strong concerns. Linus has strongly deprecated the use of binary kernel modules even for device drivers, for many good reasons. The use of binary kernel modules to implement core functionality in a new security product was, in our opinion, a very bad idea. Fortunately, a phone interview with Cylant CEO and founder John Munson and Scott Wimer, their Director of Product Development, cleared up our concern, as we explain below.

Implementation. CylantSecure for Linux is implemented in four pieces. The first consists of two patches to the Linux kernel which modify the kernel data structure to allow the gathering of information about actions taken by the kernel, both the action taken and the process id associated with that action. This goes beyond just tagging system calls; the second of the two patches inserts instrumentation (new function calls) into over 3300 places in the kernel. The source code for these patches is fully available, and therefore not a concern. It is, however, large, running over 300K in size.

The second piece of CylantSecure consists of binary kernel modules which actually collect the data from the kernel, create profiles from it and pass information on to the third piece, a user-space process called "Watcher". We were very happy to learn from our interview with John and Scott that the source code for these modules will be released in the near future and that they were never intended to remain closed source. Currently the modules are going through a re-design. As soon as that re-design is complete and, as a result, the code is clean and maintainable enough to be a "worthwhile gift to the Open Source community", Scott assured us that the code would be released.
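To make the behavior-modelling idea concrete, here is an added example (not Cylant's code and not the Watcher's patented method) that builds a profile of how often each instrumentation point fires for one process during known-good windows, then scores later windows by their deviation from that profile; the point names, window size, weights and threshold are assumptions, and the event streams are constructed.

```python
"""Behavior-based anomaly scoring over kernel instrumentation events.

Added illustration of the paradigm described above (learn a process's "normal"
mix of kernel activity, then flag windows that deviate). It is not Cylant's
code: the instrumentation point names, window size, weights and threshold are
assumptions, and the event streams are constructed for the demo.
"""
import random
from collections import Counter
from math import sqrt

# Assumed names for a handful of instrumented kernel points.
KERNEL_POINTS = ["sys_read", "sys_write", "sys_open", "sys_socketcall",
                 "do_fork", "sys_execve", "do_exit"]

def normalize(counts):
    """Each point's share of one window's events (the pid is already fixed)."""
    total = sum(counts.values()) or 1
    return {p: counts.get(p, 0) / total for p in KERNEL_POINTS}

def build_profile(training_windows):
    """Learn mean and spread of every point's share from windows of known-good activity."""
    shares = [normalize(Counter(w)) for w in training_windows]
    profile = {}
    for p in KERNEL_POINTS:
        xs = [s[p] for s in shares]
        mean = sum(xs) / len(xs)
        sd = sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
        profile[p] = (mean, max(sd, 0.01))  # floor keeps rare points from dominating
    return profile

def anomaly_score(profile, window):
    """Sum of squared z-scores: how far this window sits from the learned behavior."""
    share = normalize(Counter(window))
    return sum(((share[p] - mean) / sd) ** 2 for p, (mean, sd) in profile.items())

def is_abnormal(profile, window, threshold=100.0):
    """The decision a Watcher-like component would act on (threshold is an assumption)."""
    return anomaly_score(profile, window) > threshold

def synth_window(weights, seed, n=200):
    """Constructed stream for one pid: n instrumentation hits drawn by the given weights."""
    return random.Random(seed).choices(KERNEL_POINTS, weights=weights, k=n)

SERVING = [40, 30, 10, 15, 3, 1, 1]   # a daemon mostly reading and writing sockets
SPAWNING = [5, 5, 0, 0, 30, 40, 20]   # the same pid suddenly forking and exec'ing

def demo():
    profile = build_profile([synth_window(SERVING, seed) for seed in range(20)])
    return (is_abnormal(profile, synth_window(SERVING, seed=99)),
            is_abnormal(profile, synth_window(SPAWNING, seed=7)))

if __name__ == "__main__":
    print(demo())  # (False, True)
```

A real deployment would keep one profile per process (the kernel patches tag every action with its pid) and learn the threshold from the spread of scores seen during training rather than fixing it.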

The remaining two pieces of CylantSecure are the Watcher, mentioned above, and the console management system. The management system may also be Open Sourced, but that decision has not yet been finalized. The Watcher program will remain closed source. In fact, a patent is pending on the techniques used in the Watcher program to model the system behavior. Software patent-watchers within the community will have to judge the virtue of this patent compared to the many other software patents that we have often deprecated, but it is certainly not quite the same as putting a patent on "point-and-click". Nonetheless, if someone believes there is already prior art for this patent, we would be interested to hear about it.

It should be noted that CylantSecure for Linux was primarily a proof-of-concept product; they chose the Linux kernel for their first project because it is an extremely large, complex and stable piece of software. The techniques used, though, are just as applicable to any other large software system, such as accounting systems, payroll, traffic analysis, any software system where reliability and security is essential. In fact, they are as applicable to ensuring reliable data input as to preventing intrusions.

But does it work? The folks at CylantSecure believe it does but state up front that they are engineers, implementing a scientific engineering principle, not security experts. They don't have a background in breaking into systems themselves. As a result, they have made a victim machine available and promised to give it to the first person that successfully "owns" the box. The box is running an unpatched installation of Red Hat Linux 6.2, so there are plenty of security holes available. The question is whether an attacker can gain access and keep it without being detected and shunted off the system by CylantSecure.

We'll be interested to hear about the results. No non-disclosures are required and they even have an IRC channel available to allow attackers to chat directly with their developers.

Overall, we found the new paradigm being explored very interesting and we are looking forward to seeing the reaction of the security community to their approach.

New Linux-targeted worm: lpdw0rm. SecurityFocus has released their analysis of a new worm, lpdw0rm. This particular worm is targeted at systems running unpatched versions of Red Hat Linux 7.0 that are running the LPRng service, one of the vulnerabilities that previous worms have also targeted.

Installing Red Hat's patch for LPRng (made available back in October) will prevent a system from being successfully attacked.

Predictable TCP initial sequence numbers. We first mentioned the problem of predictable TCP initial sequence numbers in the March 15th LWN Security Summary. The original report came from Guardent, a Massachusetts-based security firm which published the existence of the weakness, but not its own research on the topic. This week, more information was released:

  • A paper from Michal Zalewski entitled Strange Attractors and TCP/IP Sequence Number Analysis describing "the use of dynamical system methods to analyze and predict TCP initial sequence numbers".

  • Tim Newsham's paper on the topic, which Guardent has finally released.

  • CERT's advisory on the topic. "TCP initial sequence numbers were not designed to provide proof against TCP connection attacks. The lack of cryptographically-strong security options for the TCP header itself is a deficiency that technologies like IPSec try to address. It must be noted that in the final analysis, if an attacker has the ability to see unencrypted TCP traffic generated from a site, that site is vulnerable to various TCP attacks - not just those mentioned here. The only definitive proof against all forms of TCP attack is end-to-end cryptographic solutions like those outlined in various IPSec documents".

Meanwhile, Linux and OpenBSD (and FreeBSD, which has picked up the OpenBSD fix) were singled out in the CERT report as being the only TCP implementations to be relatively immune to the reported problem.
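As an added illustration of what "predictable" means here (this is not code from the cited papers, from CERT, or from any real TCP stack), the following puts a counter-based ISN generator beside a keyed one built on the RFC 1948 construction, and includes the simple audit check a site can run on its own stack's ISNs; the secret, addresses, ports and clock values are assumptions.

```python
"""TCP initial sequence numbers: a counter-based generator beside a keyed one.

Added example for the ISN discussion above; it is not code from the cited
papers, from CERT, or from any real TCP stack. The keyed generator follows the
RFC 1948 construction (ISN = 4 microsecond clock + keyed hash of the connection
4-tuple); the secret, addresses, ports and clock values are all assumptions.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
STEP = 64000  # assumed fixed per-connection increment of the old counter scheme

def naive_isns(start, count):
    """Counter-based ISNs: each new connection gets the previous value plus STEP."""
    return [(start + STEP * i) & MASK32 for i in range(count)]

def keyed_isn(secret, src, sport, dst, dport, clock_us):
    """RFC 1948-style ISN: clock ticks plus a per-4-tuple offset only the host can compute."""
    def ip(addr):
        return bytes(int(o) for o in addr.split("."))
    tup = struct.pack("!4s4sHH", ip(src), ip(dst), sport, dport)
    offset = int.from_bytes(hmac.new(secret, tup, hashlib.sha256).digest()[:4], "big")
    return ((clock_us // 4) + offset) & MASK32

def deltas(isns):
    """Differences between the ISNs of consecutive connections, as a peer would observe them."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]

def constant_stride(isns):
    """Audit check: one repeated stride means the next ISN follows directly from the last."""
    return len(set(deltas(isns))) == 1

SECRET = b"constructed-boot-time-secret"  # assumption; a real stack draws this at boot

def demo():
    """Five connections from different clients to one server port, 1 ms apart."""
    naive = naive_isns(0x10000000, 5)
    keyed = [keyed_isn(SECRET, f"10.0.0.{i + 1}", 40000 + i, "192.0.2.10", 80, 1000 * i)
             for i in range(5)]
    return constant_stride(naive), constant_stride(keyed)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The keyed scheme still advances monotonically within one 4-tuple (so old segments are rejected as before), but ISNs seen on other connections reveal nothing about it; as the CERT text notes, only end-to-end cryptography removes the exposure entirely.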

Security Hall of Shame: Tektronix. Elias Levy, moderator of BugTraq, found recent information posted about security vulnerabilities in the Tektronix Phaser Network Printer Administration Interface annoying enough to send out a personal comment on them. "This is not a major vulnerability. The only reason I bring it to your attention is because this is standard operating procedure for many companies. They release products in the market with no or little security. When someone points this out to them they ignore him. When it's pointed out in public they threaten to sue him. When they fix it they do it just as badly as the original security measure. And a few months later the product is shown to be insecure once again".

What was it that caught Elias' attention enough to generate so much ire? The original report of this vulnerability was made in November of 1999. The vulnerability is severe enough that it can be potentially used to permanently damage the printer. Instead of resolving the actual security problems, Tektronix simply changed the URL that could previously be used for the attack by adding an underscore at the beginning and changing the ".html" suffix to ".shtml".

In addition, non-Tektronix posters had provided a workaround to improve the security of the printer, which Tektronix has since broken.

Of course, the potential impact of the vulnerability can be mitigated by keeping the printer behind a firewall and restricting access to the local network. Meanwhile, Tektronix does not believe that anyone actually cares about this vulnerability. For our part, we would expect any security-conscious site to remove Tektronix from their list of acceptable vendors, given the level of cluelessness and ineptness demonstrated in the way this vulnerability has been handled.

Call for Articles: SecurityFocus focuses on Incident Handling. SecurityFocus is developing articles for a planned series on Incident Handling, scheduled for publication from June onwards. If you are interested in providing an article for them, check their call for articles.

Security Reports

Zope Zclass security update. A new security bug has been found in all versions of Zope (up to and including 2.3.2) which can allow unauthorized access to a clever attacker. A patch is available which fixes the problem; sites running Zope should probably apply it soon.

gnupg 1.0.5 released with multiple security fixes. gnupg 1.0.5 was released on April 29th. Multiple security patches have been released against gnupg 1.0.4; this new release includes all of those patches, including fixes for the gnupg web of trust vulnerability and false positives from detached signatures. Of course, in addition to security fixes, other feature enhancements and bug fixes are included. An upgrade to 1.0.5 is recommended.

Remote vulnerabilities in Bugzilla. Bugzilla 2.12 has been released and contains fixes for a couple of security problems that could allow remote users to execute commands on the Bugzilla server under a non-root account. Workarounds are documented, but an upgrade to the new version is recommended. For more details, check both 2671 and 2670.

KDEsu tmplink vulnerability. KDEsu creates a world-readable temporary file to exchange authentication information and then deletes the file soon after. This allows a race condition under which the account of the local X user can be compromised. Fixes for the problem are included in kdelibs-2.1.2. The KDE Project recommends an upgrade both to kdelibs-2.1.2 and to KDE 2.1.1. For more details, check BugTraq ID 2669.

gftp format string vulnerability. gftp is a multi-threaded X-based ftp client. A format string vulnerability has been reported in gftp by Richard Johnson. The problem is fixed in gftp 2.0.8 and later. BugTraq ID 2657.

MandrakeSoft's rpmdrake tmplink vulnerability. Linux-Mandrake has issued an advisory and an updated package for rpmdrake, fixing a tmplink vulnerability in that package.

Web scripts. The following web scripts were reported to contain vulnerabilities:

Commercial products. The following commercial products were reported to contain vulnerabilities:

  • The SAP R/3 Web Application Server Demo for Linux has been reported to be vulnerable to a local root exploit via the program saposcol (SAP Operating System Collector) which is installed setuid root. Both workarounds and updated versions of the program have been made available. BugTraq ID 2662.

Updates

NEdit temporary file link vulnerability. Check the April 26th LWN Security Summary for the original report. BugTraq ID 2627.

This week's updates:

Previous updates:

Multiple security fixes in OpenSSL-0.9.6a. OpenSSL-0.9.6a was announced last week and contains fixes for four security issues. An upgrade to the latest version is recommended.

This week's updates:

SAFT/sendfile broken privileges. Check the April 26th LWN Security Summary for the original report. The vulnerabilities can be exploited locally to gain root privileges. BugTraq ID 2631 and 2645.

This week, Florian Weimer pointed out that sendfile author Ulli Horlacher released an updated version of sendfile in February, which Florian indicated should correct the problems.

Previous updates:

Multiple FTP daemon globbing vulnerabilities. Check the April 12th LWN Security Summary for the original report.

This week's updates:

Previous updates:

ntp remotely exploitable static buffer overflow. An exploit for a static buffer overflow in the Network Time Protocol (ntp) was published on April 4th. This exploit can allow a remote attacker to crash the ntp daemon and possibly execute arbitrary commands on the host. Patches and new packages to fix this problem came out quickly. It is recommended that you upgrade your ntp package immediately. If you cannot, disabling the service until you can is a good idea. For more details and links to related posts, check BugTraq ID 2540.

This week's updates:

  • Engarde, updated advisory, includes i386 packages not included in the original advisory

Previous updates:

Zope security update. Digital Creations released a security update to Zope (all versions up to 2.3b1) fixing a security vulnerability in how ZClasses are handled the week of March 1st. An upgrade is recommended.

This week's updates:

  • Debian, previous update to Zope was seriously broken

Previous updates:

Resources

New Turbolinux Public Key. Turbolinux has updated their public key.

Security Breach Traced to Hole in Head of Admin (BBspot, humor). From BBspot to lighten your mood for the day, comes an article about a Security Breach in Linux and its source. "Work at Selby Communications ground to halt as their network server was wiped clean yesterday by a malicious virus. Security experts called in to investigate the incident discovered the virus exploited a hole in the head of Systems Administrator Matt Simmons".

vsftpd-0.9.0. Chris Evans announced the release of vsftpd-0.9.0 this week. vsftpd is a small, fast ftp server written from the ground up to be free of security holes and/or to mitigate the impact of potential security problems.

lcrzoex and lcrzo 3.10. New versions of the network test tools lcrzoex and lcrzo were released this week.

Events

Black Hat Briefings USA '01. A full announcement for the upcoming Black Hat Briefings USA, to be held July 11th-12th in Las Vegas, Nevada, USA, was released this week. "This year's topics include: Reverse Engineering, the Honey Net Project, the CVE, 802.11b WEP security, ICMP scanning, SQL security configuration, GSM and WAP security, and more".

Early Bird registration for NetSec. Early bird registration for NetSec2001 Network Security Conference ends May 4th. NetSec2001 will be held June 18th through the 20th in New Orleans, Louisiana, USA.

Upcoming Security Events.

Date | Event | Location
May 13 - 16, 2001 | 2001 IEEE Symposium on Security | Oakland, CA, USA
May 13 - 16, 2001 | CHES 2001 | Paris, France
May 29, 2001 | Security of Mobile Multiagent Systems (SEMAS-2001) | Montreal, Canada
May 31 - June 1, 2001 | The first European Electronic Signatures Summit | London, England, UK
June 1 - 3, 2001 | Summercon 2001 | Amsterdam, Netherlands
June 4 - 8, 2001 | TISC 2001 | Los Angeles, CA, USA
June 5 - 6, 2001 | 2nd Annual IEEE Systems, Man, and Cybernetics Information Assurance Workshop | United States Military Academy, Westpoint, New York, USA
June 11 - 13, 2001 | 7th Annual Information Security Conference: Securing the Infocosm: Security, Privacy and Risk | Orlando, FL, USA
June 17 - 22, 2001 | 13th Annual Computer Security Incident Handling Conference (FIRST 2001) | Toulouse, France
June 18 - 20, 2001 | NetSec Network Security Conference (NetSec '01) | New Orleans, Louisiana, USA
June 19 - 20, 2001 | The Biometrics Symposium | Chicago, Illinois, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


May 3, 2001

Copyright © 2001 Eklektix, Inc., all rights reserved