LWN.net

Security


News and Editorials

Good Worm, Bad Worm. The Cheese Worm is the latest Linux-based worm to make noise on the Internet. This is a worm with a difference, though. It looks for symptoms of systems that have been previously compromised, enters the system, closes the hole and then uses the host to search for other compromised hosts.

Many security experts were quick to point out that this does not make the worm a "good idea". After all, the worm is still illegally entering, altering and using resources on systems that don't belong to the worm writer. Besides, any "expert" that advocated the use of such worms would soon find themselves in hot water.

Meanwhile, though, the computer security community is still struggling with the issue of how to deal with the mass of unpatched, vulnerable computer systems on the Internet. In general, security issues are seen as the business of the owner of the computer: if they care about security, they'll be pro-active about it; if they don't care, they'll get cracked, end of story.

However, Internet worms and distributed denial-of-service attacks both clearly demonstrate that one person's cracked system is a piece of a larger problem that affects all of us. That system could be used to launch an attack on our own systems. Alternately, the worm that cracks that system can generate tremendous traffic, impairing the performance of the network for many or all of us.

Although the actions of the new Cheese Worm are equally illegal, it is interesting to note that this is the first effective measure being taken to counteract this problem. Essentially the hackers involved are acting as vigilantes, imposing their own "justice" on systems that pose a threat to the community as a whole. It is fortunate that this justice is in the form of repairs to the system, rather than lynchings.

Vigilantes are a common development in new communities with rapid growth, where the rule of law and official law enforcement have not developed quickly enough to match the growing need. They, in turn, quickly become their own problem because they are generally anonymous and outside the law themselves, making it difficult or impossible to hold them accountable for their actions (much like crackers).

Nonetheless, their existence is a symptom of a void that needs to be filled. Given this, the technique they have used, that of a pro-active worm that repairs insecure systems, may end up under heavy scrutiny, in order to brain-storm a way in which it could be ethically and morally turned to good use.

CRYPTO-GRAM Newsletter. Bruce Schneier's CRYPTO-GRAM Newsletter for May is out. It examines the use of active defenses and counterattacks for computer security, security standards, and safe personal computing; there is also a strong essay on the futility of digital copy prevention. "Digital files cannot be made uncopyable, any more than water can be made not wet. The entertainment industry's two-pronged offensive will have far-reaching effects -- its enlistment of the legal system erodes fair use and necessitates increased surveillance, and its attempt to turn computers into an Internet Entertainment Platform destroys the very thing that makes computers so useful -- but will fail in its intent".

Cylant 'victim' hack update. LinuxSecurity.com did an interview recently with Cylant (see May 3rd for our coverage), which contains an update on their "Hack This Box and Own It" contest. The box was successfully hacked. "Victim was hacked by some of my old co-workers at EarthLink/Mindspring. They succeeded in part because of a bug we found today in CylantSecure. We have fixed the bug and issued round two of the challenge".

Openwall GNU/Linux. Openwall GNU/Linux, also known as "Owl", has announced its first pre-release. Owl is a security-enhanced Linux distribution whose primary focus is pro-active source code review, supplemented by some security-hardening kernel patches (presumably including the Openwall patch, for example).

The system is designed to be rebuilt easily entirely from source code and supports both the Intel and Sparc platforms. It uses the RPM package manager and tries to be compatible with multiple other Linux distributions, particularly Red Hat.

Security Reports

Common Unix Printing System 1.1.7 (CUPS). The latest version of the Common Unix Printing System (CUPS), version 1.1.7, includes some new directives to prevent denial-of-service attacks and IP spoofing. As a result, an upgrade to the latest version is recommended for security-conscious sites.

man -S heap overflow. A heap overflow is reportedly triggerable via the man command on some Linux distributions. The problem was originally reported on Red Hat Linux 7.0; Caldera has unofficially reported that it is not vulnerable. Red Hat Linux 7.0 and 6.2 and Debian are confirmed to be vulnerable; no official advisories have been sent out so far.

The exploitability of the vulnerability has been questioned; it definitely depends on whether or not the man command is installed setgid to the man group. If man runs with no extra privilege, the overflow gains an attacker nothing they did not already have.
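Since the report above only matters on systems where man is installed setgid, the practical first step is to find out. The following POSIX shell functions are an added example (not from LWN or from any distribution's advisory): one lists every setuid/setgid executable under the given directories in a form that can be diffed against a known-good baseline, and the other tests a single path. The directory list and the /usr/bin/man path in the usage comments are assumptions about where the binary lives on a given system.

```shell
# audit_setid DIR...
# Prints "mode owner:group path" for every regular file under DIR... that
# carries the setuid (4000) or setgid (2000) bit. Output is sorted by path
# so two runs can be compared with diff.
audit_setid() {
    for dir in "$@"; do
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec ls -ld {} \; 2>/dev/null
    done | awk '{ print $1, $3 ":" $4, $NF }' | sort -k3
}

# is_setgid PATH
# Exit status 0 if PATH has the setgid bit set, 1 otherwise. This is the
# single check that decides whether the man -S heap overflow is a privilege
# escalation on a given host.
is_setgid() {
    [ -g "$1" ]
}

# Usage (paths are assumptions; adjust for the system being audited):
#   audit_setid /bin /usr/bin /sbin /usr/sbin > setid.baseline
#   is_setgid /usr/bin/man && echo "man is setgid: the man -S report applies here"
```

The baseline file is the useful part over time: a new line appearing in the diff after a package update is exactly the kind of change (a newly privileged binary) that this report shows is worth knowing about before, not after, a vulnerability is published for it.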

sendfile vulnerabilities. Exploits for two sendfile vulnerabilities were published this week. One exploits the SAFT/sendfile broken privileges vulnerability originally reported the week of April 26th and the other addresses a "serialization error combined with a lack of error checking". Both problems can be fixed by downloading the current source from the author's website and compiling it manually or, for Debian users, by applying the patch for sendfile_2.1-25 in debian-unstable.

web scripts. The following web scripts were reported to contain vulnerabilities:

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

Updates

Ramen and Adore. The Ramen and Adore worms both exploit multiple vulnerabilities. They are most widely known for attacking Red Hat machines, but they can also possibly affect other distributions that have a Red Hat base. TurboLinux is one such distribution, and it has released two advisories to provide information on securing TurboLinux systems against these worms.

Note that any leading Linux distribution to which all relevant patches have been applied should not be vulnerable to either of these worms.

Minicom XModem Format String Vulnerabilities. Check the May 10th LWN Security Summary for the original report or BugTraq ID 2681.

This week's updates:

Previous updates:

vixie-cron crontab permissions lowering failure. Check the May 10th LWN Security Summary for the original report. Paul Vixie's Vixie Cron 3.0pl1 fixes this latest problem.

This week's updates:

Previous updates:

Zope Zclass security update. Check the May 3rd LWN Security Summary for the original report. Sites running Zope should upgrade as soon as possible.

This week's updates:

Previous updates:

Samba local disk corruption vulnerability. Check the April 19th LWN Security Summary for the original report. This problem has been fixed in Samba 2.0.8 and an upgrade is recommended. Note that all versions of Samba from (and including) 1.9.17alpha4 are vulnerable (except 2.0.8, of course). BugTraq ID 2617.

Note that last week Andrew Tridgell released Samba 2.0.9, stating that the fix in 2.0.8 did not really resolve the problem. So expect another wave of distribution updates dated May 10th or later for this problem as the fix from 2.0.9 gets distributed. Samba 2.2.0 users are not affected by this problem.

This week's updates:

Previous updates:

Linux Kernel 2.4 Netfilter/IPTables vulnerability. Check the April 19th LWN Security Summary for the original report. The NetFilter team has provided a patch for Linux 2.4.3. Note that the patch may be subject to future revision; a URL is provided where the latest version can be found.

This week's updates:

pico symbolic link vulnerability. Check the December 14th, 2000 LWN Security Summary for the initial report of this problem. Note that this has also been reported as a pine vulnerability, but the vulnerable component is still pico, not pine. Check BugTraq ID 2097 for more details.

This week's update:

Previous updates:

Resources

Events

Upcoming Security Events.
Date | Event | Location
May 21 - 22, 2001 | Computer Privacy, Policy, and Security Institute conference (Rocky Mountain College) | Billings, Montana
May 29, 2001 | Security of Mobile Multiagent Systems (SEMAS - 2001) | Montreal, Canada
May 31 - June 1, 2001 | The first European Electronic Signatures Summit | London, England, UK
June 1 - 3, 2001 | Summercon 2001 | Amsterdam, Netherlands
June 4 - 8, 2001 | TISC 2001 | Los Angeles, CA, USA
June 5 - 6, 2001 | 2nd Annual IEEE Systems, Man, and Cybernetics Information Assurance Workshop | United States Military Academy, West Point, New York, USA
June 11 - 13, 2001 | 7th Annual Information Security Conference: Securing the Infocosm: Security, Privacy and Risk | Orlando, FL, USA
June 17 - 22, 2001 | 13th Annual Computer Security Incident Handling Conference (FIRST 2001) | Toulouse, France
June 18 - 20, 2001 | NetSec Network Security Conference (NetSec '01) | New Orleans, Louisiana, USA
June 19 - 20, 2001 | The Biometrics Symposium | Chicago, Illinois, USA
July 11 - 12, 2001 | Black Hat Briefings USA '01 | Las Vegas, Nevada, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


May 17, 2001

Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved