Security

News and Editorials

The responsibility of the individual. While not laying blame on individuals for security problems, two articles this week took a look at educating non-experts about what they can do to help. The Defense Department talked about simple things to do to make life harder for the bad guys. "Use different passwords at Web sites and on every machine you use. Reject all site and system offers to "remember" you and your password. Bad guys know many people use just one password, so attacking an easily hacked site gives them "skeleton keys" to tough ones". Meanwhile, a survey of British employees took a look at bad password practices. "The survey, conducted by UK domain registry CentralNic, revealed that nearly half of the workers polled use their own name or a nickname and a third used a favorite sports team or celebrity for their passwords". This is one lesson we've seen taught over and over again for the past twenty years. Yet there are still people who haven't heard it.

Multi-nation cybercrime pact gets OK (ZDNet). ZDNet's Robert Lemos reported on the ratification of the Convention on Cyber-Crime by the Council of Europe's European Committee on Crime Problems. "Last month, the European Committee on Crime Problems bowed to pressure from international rights groups and included some provisions in the treaty to limit surveillance to criminal investigations and added some safeguards to civil liberties. But it's still not enough, [James X.] Dempsey said. 'Unfortunately, it remains a fundamentally imbalanced document,' he said".

'Ethics challenge' softens hacker con (SecurityFocus). SecurityFocus reports on CyberEthical Surfivor, a new challenge planned for this year's Def Con Nine conference, being held July 13th through the 15th in Las Vegas, Nevada, USA. "CyberEthical Surfivor will pit two teams of nine hackers head-to-head in a public struggle with weighty moral decisions. Example: You are seventeen years old, about to graduate to an Ivy League university, when a vindictive teacher monkey-wrenches your academic dreams by wrongly flunking you on a final exam. The Principal won't listen to you. Should you crack the school's computer and give yourself the grade you deserve?"

Security Reports

Nasty Samba security hole. The Samba team sent out an urgent security advisory regarding a remotely exploitable hole in all versions of the code. The hole involves the use of the '%m' macro in /etc/smb.conf; replacing '%m' with '%I' is one possible workaround. Note that not all distributions are vulnerable by default. Nonetheless, the Samba team has made patches available and an upgrade is strongly recommended, since the hole can potentially be exploited to overwrite a Samba log file and gain root access. The vulnerability was originally found and reported by Michal Zalewski.
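As an added example of applying the workaround above (not code from the Samba team or from LWN), this script scans an smb.conf for the '%m' macro and produces a copy with '%I' substituted. The sample configuration is constructed here, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Samba team or from LWN: audit an smb.conf
# for the '%m' macro named in the advisory and show the '%I' substitution the
# Samba team suggests as a workaround. Function names are this example's own.

# Print every line of the given smb.conf that uses %m (grep exits 1 if none).
find_m_macro() {
    grep -n '%m' "$1"
}

# Emit a copy of the config with every %m replaced by %I.
rewrite_m_to_i() {
    sed 's/%m/%I/g' "$1"
}

# Report and, when %m is present, print the suggested replacement config.
# Returns 1 if the file needs attention, 0 otherwise.
check_and_fix() {
    if find_m_macro "$1" >/dev/null; then
        echo "WARNING: '%m' macro found in $1:"
        find_m_macro "$1"
        echo "--- suggested config with '%m' replaced by '%I' ---"
        rewrite_m_to_i "$1"
        return 1
    fi
    echo "OK: no '%m' macro in $1"
    return 0
}

# Constructed sample configuration using the pattern the advisory describes.
SAMPLE_CONF="${TMPDIR:-/tmp}/smb.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   log file = /var/log/samba/log.%m
   max log size = 50
[homes]
   comment = Home Directories
   browseable = no
EOF

# Run the check on the sample; a non-zero status is expected here.
check_and_fix "$SAMPLE_CONF" || :
```

Point check_and_fix at the real /etc/smb.conf to audit a live system; it only reads the file and prints the rewritten copy rather than editing in place.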
OpenSSH PAM session evasion vulnerability. Christian Kraemer reported that OpenSSH fails to call pam_open_session when no pty is used. As a result, on a system where PAM is used to enforce additional login restrictions, OpenSSH can be used to evade those restrictions. OpenSSH 2.9p1 and earlier are reported vulnerable. Check BugTraq ID 2917 for more details. Portable OpenSSH team member Damien Miller acknowledged the problem, which was introduced because some PAM modules on some platforms "fail utterly or perform in unpredictable ways" when called without a controlling terminal. The call to pam_open_session has since been reintroduced in CVS and will be included in the next stable release.

SGI Performance Co-Pilot (pmpost) symbolic link vulnerability. SGI Performance Co-Pilot is a product originally developed by SGI for use on IRIX systems. However, SGI has open-sourced the product under the GPL and it is available for Linux systems. A symbolic link vulnerability has been reported in pmpost, one of the utilities shipped with Performance Co-Pilot. An exploit has been published. The problem can be resolved either by removing the setuid bit from pmpost or by upgrading to Performance Co-Pilot version 2.2.1-3.

ePerl preprocessor input validation vulnerability. ePerl, also known as Embedded Perl, expands Perl 5 programming statements within text files. It can be used as a filter to generate files or as a webserver scripting language. David Madison reported that all C-based versions of ePerl, including the current version 2.2.14, appear to be vulnerable to an input validation vulnerability: when including untrusted files, ePerl fails to prevent such files from, in turn, including additional files without filtering Perl commands from them. Workarounds for the problem exist. Alternately, David suggested using the Perl-based ePerl instead of the C-based version.

w3m buffer overflow vulnerability. w3m is a text-based browser similar to Lynx. A buffer overflow in w3m can be triggered when a base64-encoded string longer than 32 characters is found in a MIME header field. Source code patches to fix the problem were posted to the w3m developers' list.

cfingerd buffer overflow and format string vulnerabilities. Both a buffer overflow and a format string vulnerability were reported this week in cfingerd by Steven Van Acker, who also provided unofficial patches for resolving the problems. These vulnerabilities can be exploited locally to gain elevated privileges, possibly including root access. Check BugTraq ID 2914 for more details.

scotty (ntping) buffer overflow. Scotty is a Tcl-based network management package. A buffer overflow has been reported in ntping, a component of scotty, which can be exploited locally to execute arbitrary code. Scotty 2.1.10 and earlier are vulnerable; scotty 2.1.11 has been released with a fix for the problem.

eXtremail remote format string vulnerability. eXtremail, a freeware SMTP/POP3 mail server (free to use, no specific license, no source found), has been reported to contain a remotely exploitable format string vulnerability. eXtremail currently runs on Linux and AIX. It runs as root, so this vulnerability can be used by a remote attacker to gain root access on the server running eXtremail. An exploit has been published. eXtremail 1.1.9 and earlier are affected; a binary version of eXtremail 1.1.10 has been made available to resolve the problem on Linux, with no AIX version as of yet. Disabling the service is recommended until an upgrade is in place.

LPRng + tetex tmplink vulnerability. As reported in Bug ID #43342 in Red Hat's Bugzilla, when both LPRng and tetex are installed on Red Hat 7.0 and 7.1, a tmplink vulnerability is created that can allow a local attacker to gain elevated privileges. A patch is currently in Red Hat's Rawhide distribution; no advisory has been released so far. Check this posting for additional details. It is not known whether this might impact other distributions.

GNATS-Web input verification vulnerability. GNATS-Web is a PHP-based interface for the GNATS open-source bug-tracking and problem-accounting system. Joost Pol has reported a vulnerability in gnatsweb where the name of a help file could be provided via a URL, but the input was not properly checked before being used. The problem was acknowledged by the GNATS-Web team and patches provided.

Web scripts. The following web scripts were reported to contain vulnerabilities:

Proprietary products. The following proprietary products were reported to contain vulnerabilities:
Updates

fetchmail buffer overflow. Check the June 21st LWN Security Summary for the original report. This is remotely exploitable and could lead to root access if fetchmail is run by root. An upgrade to fetchmail 5.8.6 will resolve the problem.
This week's updates:
Previous updates:

rxvt buffer overflow. Check the June 21st LWN Security Summary for the original report from Samuel "Zorgon" Dralet. A patch is available to fix the problem.
This week's updates:
Previous updates:

XFree86 X font server (xfs) denial-of-service vulnerability. Check the June 14th LWN Security Summary for the original report. This is only applicable to font servers that are listening on TCP/IP, which is likely only the case for a machine that is serving X terminals.
This week's updates:

exim format string vulnerability. Check the June 14th LWN Security Summary for the original report.
This week's updates:
Previous updates:

ispell symbolic link vulnerabilities. Check the June 7th LWN Security Summary for the original report.
This week's updates:
Previous updates:

gnupg format string vulnerability. Check the May 31st LWN Security Summary for the initial report. gnupg 1.0.5 and earlier are vulnerable; gnupg 1.0.6 contains a fix for this problem and an upgrade is recommended. Werner Koch also sent out a note warning of minor build problems with gnupg 1.0.6 when compiled without gcc.
This week's updates:

KDEsu tmplink vulnerability. Check the May 3rd LWN Security Summary for details. Fixes for the problem are included in kdelibs-2.1.2. The KDE Project recommends an upgrade both to kdelibs-2.1.2 and to KDE 2.1.1.
This week's updates:

Linux Kernel 2.4 Netfilter/IPTables vulnerability. Check the April 19th LWN Security Summary for the original report. The NetFilter team has provided a patch for Linux 2.4.3. Note that the patch may be subject to future revision; a URL is provided where the latest version can be found.
This week's updates:

Samba local disk corruption vulnerability. Check the April 19th LWN Security Summary for the original report. This problem has been fixed in Samba 2.0.9 and an upgrade is recommended. Note that all versions of Samba from (and including) 1.9.17alpha4 are vulnerable (except 2.0.9, of course). BugTraq ID 2617. Note that 2.0.8 was originally believed to fix this problem, but did not. As a result, some of the original distribution updates had to be re-released with 2.0.9. Samba 2.2.0 users are not affected by this problem.
This week's updates:

Apache directory listing error. Check the March 8th LWN Security Summary for the initial report. Apache 1.3.18 and earlier are vulnerable; Apache 1.3.19 contains a fix for the problem.
This week's updates:
Previous reports:

ncurses buffer overflow. Check the October 12th, 2000 LWN Security Summary for the initial report of this problem. Note that the buffer overflow impacts applications linked against ncurses. Such applications must be relinked against a fixed ncurses or curses library.
This week's updates:

esound tmpfile link vulnerability. Check the September 7th LWN Security Summary for the original report of this problem from FreeBSD.
This week's updates:
Previous updates:
Resources

Events

Final Reminder: Black Hat Briefings. A final reminder for the Black Hat Briefings 2001 USA, scheduled for July 9th through the 12th in Las Vegas, Nevada, USA, was sent out this week. "This year's topics include: Reverse Engineering, the Honey Net Project, the CVE, 802.11b WEP security, ICMP scanning, SQL security configuration, GSM and WAP security, and more".

Upcoming Security Events.

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh
June 28, 2001