

News and Editorials

NT-based Code Red Worm. Last week, an NT-based worm by the name of Code Red showed up on the Internet. We neglected to cover it at the time, because it does not exploit Linux computers. Of course, given the state of today's Internet and the normal model of a worm, that was an error. No matter what operating system your computers are running, they were likely impacted by this worm at some point.

On Thursday, July 19th, approximately one day after the worm was first sighted, reports started coming in of crashes on Cisco equipment, 3Com LANmodems, and HP JetDirect printers. This is because the worm made no attempt to identify the operating system of a machine before attacking it; it simply sent its buffer overflow to port 80. Since many such devices run an administrative service on port 80, they were hit by the worm's traffic even though they could not be infected by it.

Note that the worm actually did skip multicast addresses, so it did not cause the damage to multicast networks that has been seen with some previous (Linux-based) worms.

The purpose of the worm was to infect as many hosts as possible within a limited time span, then use those hosts to stage a denial-of-service attack on www.whitehouse.gov.

Infected hosts numbered, by several different counts, in the hundreds of thousands. It was called by some "the most successful Internet worm so far", though it failed to take down www.whitehouse.gov. Its lack of success, in the end, was in part due to the security community's successful detection and analysis of the worm, which allowed the administrators of the www.whitehouse.gov site to know that the attack was coming and to be able to find a flaw in the attack pattern. In this case, the attack was launched against the IP address of www.whitehouse.gov rather than against the domain name. By moving www.whitehouse.gov to an alternate IP address, the site was kept on-line without difficulty.
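As an added illustration, not part of the LWN article or any report it cites: a small Python scanner that runs over constructed web-server access-log lines and flags the kind of overlong, padded port-80 request a blind overflow probe produces, so an administrator can see which sources are probing regardless of what software answers on port 80. The thresholds, the sample lines and the regular expression are assumptions for this example.

```python
import re
from collections import Counter

# Apache/NCSA Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristic thresholds: assumed values for this example, tune them per server.
MAX_TARGET_LEN = 256   # no legitimate URL on a small server is this long
MIN_PAD_RUN = 64       # overflow payloads pad with long runs of one byte
PAD_RUN_RE = re.compile(r'(.)\1{%d,}' % (MIN_PAD_RUN - 1))


def parse_line(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = m.group("request").split(" ")
    method = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    return {"host": m.group("host"), "method": method,
            "target": target, "status": int(m.group("status"))}


def is_overflow_probe(rec):
    """An overlong request target, or one built from a long run of a single
    byte, is a blind overflow attempt rather than a real page request."""
    target = rec["target"]
    return len(target) > MAX_TARGET_LEN or PAD_RUN_RE.search(target) is not None


def probing_hosts(lines):
    """Count suspected probes per source host across a log excerpt."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_overflow_probe(rec):
            hits[rec["host"]] += 1
    return hits


# Constructed sample log lines (not real traffic): one normal request, two
# padded probes, and one unparseable line that the scanner must skip.
SAMPLE_LOG = [
    '10.0.0.2 - - [19/Jul/2001:10:00:01 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.5 - - [19/Jul/2001:10:00:02 -0600] "GET /cgi-bin/x?' + "X" * 300 + ' HTTP/1.0" 404 0',
    '10.0.0.9 - - [19/Jul/2001:10:00:03 -0600] "GET /a?' + "N" * 80 + ' HTTP/1.0" 500 -',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for host, n in probing_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} suspected overflow probe(s)")
```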

As with the Linux worms, Code Red used well-known vulnerabilities, for which patches have been available for some time. There were some kinks in the system, of course. Apparently the description of some of the patches did not make it clear that they also resolved security issues. As a result, even some security-conscious sites (including some Microsoft sites) had not applied all the required patches.

In the long term, better solutions are required than trusting millions of individuals to track and apply myriad patches. As long as we rely on that, we can count on hundreds of thousands of machines being vulnerable to this type of attack and, as a result, on all of us being impacted.

In the short term, do what you can to make the Internet a better place: apply your own patches and help those less knowledgeable than you to improve their own security as well.

You may also find Bruce Schneier's essay on Code Red of interest (from the Red Rock Eater News Service). It also contains links to other, related reports.

Adobe eBook security model. So, what is the security model for Adobe's eBook software, which was compromised by Russian software company ElcomSoft, thereby landing Russian PhD computer science student Dmitry Sklyarov in jail? (Check last week's Front Page and this week's Front Page for the story).

If you're interested, Dmitry's presentation, entitled eBooks security - theory and practice is available on-line. It would be better, of course, with the accompanying talk, but it does a good job of showing how thin the Adobe PDF security is, pretty appalling given marketing quotes like these:

"eBook Pro, the only software in the universe that makes your information virtually 100% burglarproof! It comes with a lifetime, money-back guarantee."

"At Last, You Can Sell Information Online (And Make Thousands Of Sales Per Day) - Without The Danger Of Having Your Information Stolen And Resold By Others."

with the actual features of the eBook Pro compiler:

All HTML pages and supplementary files are compressed with the deflate algorithm from ZLIB.

Compressed data are encrypted by XOR-ing each byte with every byte of the string "encrypted", which is the same as XOR with a constant byte.
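To make the last point concrete, here is an added Python example (not from Dmitry's slides or from eBook Pro) that implements the scheme as described, shows that the nine successive XORs collapse into a single constant, and shows why a constant XOR over a zlib stream is not encryption at all: the stream's first byte is known plaintext, so the constant falls out of the first byte of the protected file. The sample page and the assumption that the deflate stream carries the standard zlib header are mine.

```python
import zlib

# Key string quoted in the slides; the data and everything else is constructed for this example.
KEY_STRING = b"encrypted"


def fold_key(key):
    """XOR is associative and commutative, so XOR-ing a byte with each byte of
    `key` in turn equals one XOR with the XOR of all key bytes. Return that constant."""
    k = 0
    for b in key:
        k ^= b
    return k


def ebook_protect(plain, key=KEY_STRING):
    """The scheme as described: deflate with zlib, then XOR every output byte
    with each byte of the key string in turn."""
    data = bytearray(zlib.compress(plain))
    for i in range(len(data)):
        for b in key:
            data[i] ^= b
    return bytes(data)


def xor_const(data, k):
    """XOR every byte with one constant (the operation is its own inverse)."""
    return bytes(b ^ k for b in data)


def protect_const(plain, k):
    """What ebook_protect really computes: deflate, then one constant XOR."""
    return xor_const(zlib.compress(plain), k)


def constant_from_header(blob):
    """A zlib stream's first byte (CMF) is 0x78 for deflate with a 32K window,
    so the constant is recoverable from the first protected byte as known plaintext."""
    return blob[0] ^ 0x78


def unprotect(blob):
    """Undo the XOR using only the recovered constant, then inflate."""
    return zlib.decompress(xor_const(blob, constant_from_header(blob)))


if __name__ == "__main__":
    page = b"<html><body>Chapter one.</body></html>"
    blob = ebook_protect(page)
    print("folded key: 0x%02x" % fold_key(KEY_STRING))   # 0x66, the letter 'f'
    print("same as one constant XOR:", blob == protect_const(page, 0x66))
    print("recovered from header alone:", unprotect(blob) == page)
```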

In addition to Dmitry's presentation, Bryan Guignard has written a whitepaper (from the Gallery of Adobe Remedies) that discusses Adobe's security as well. "Adobe make it clear that it 'expects' software developers to 'respect the intent' of its PDF security system. So as it is clearly seen from Adobe's own specification, PDF security is not based on sound technology, rather, it is based entirely on 'respect'".

He also mentions that ghostscript can similarly be used to bypass Adobe PDF security. Don't tell the Justice Department, or we'll end up losing access to that valuable tool as well!

The Black Hat Conference in Vegas (Linux Journal). The Black Hat Conference in Vegas completed last week and Linux Journal fills us in on the details. Bruce Schneier reported on his Senate testimony, attrition.org gave people an overview of what they do, who listens to them and who doesn't, and security experts in general ripped the media for poor reporting of security issues.

Security Reports

multiple procmail race conditions. Procmail uses several different signal handlers. Race conditions exist in some of these handlers which can be exploited locally to gain root privileges. Versions of procmail prior to 3.2.1 are vulnerable; an upgrade to procmail 3.2.1 will resolve the problem.

Multiple vendor telnetd vulnerability. Multiple vendors, including BSDi, FreeBSD, NetBSD, OpenBSD (prior to 2.9), and Linux distributions using Netkit telnetd (derived from BSD telnet) prior to version 0.14, are using a telnet daemon that contains a buffer overflow. This is reportedly being actively exploited on BSD systems.

  • Caldera, patch released for OpenLinux 2.3 and eServer 2.3 back in March. Patched systems and later versions are not affected.

Multiple Horde IMP vulnerabilities. The Horde team announced the availability of IMP 2.2.6, which fixes several security issues. It is strongly recommended that all sites running IMP 2.2.x upgrade to this version. Check also BugTraq IDs 3066, 3079, 3082, and 3083.

Squid httpd acceleration ACL vulnerability. A bug in squid's httpd_accel mode was reported by Paul Nasrat. Because squid does not properly use ACLs, squid can be used by an unprivileged account as a portscanner (similar to ftp bounce scanning). Squid 2.3STABLE4 is affected; earlier versions are not. Red Hat 7.0 is reported to be vulnerable, while earlier and later versions are not. Debian is reported not vulnerable. A patch to fix the problem is available.

Tcl/tk and expect unsafe library searching. Tcl/tk and expect, as installed on some Linux systems, will search the current working directory for certain libraries. As a result, a malicious library could be created that would be unwittingly invoked.

xman MANPATH environment variable overflow. xman is a component of XFree86, used for viewing man pages. A buffer overflow in xman can allow a local user to execute arbitrary code. If xman is installed with setuid or setgid privileges (it is setgid on some systems), then elevated privileges can be gained, possibly including root. Check BugTraq ID 3030 for more details. No patch or update has been provided so far.

FreeBSD exec() inherited signal handler vulnerability. FreeBSD issued an advisory on July 10th warning of a vulnerability in the FreeBSD signal handler in which an exec'd setuid program can inherit a user-supplied signal handlers set. This can be used locally to gain elevated (possibly root) privileges. An upgrade to 4.3-STABLE dated after July 9th, 2001, will resolve the problem. Check BugTraq ID 3007 for additional details.

NetBSD sendmsg kernel vulnerability. NetBSD has issued an advisory warning of a vulnerability in the 1.3 through 1.5 releases of the NetBSD kernel (including -current). "Due to insufficient length checking in the kernel, sendmsg(2) can be used by a local user to cause a kernel trap, or an 'out of space in kmem_map' panic". This allows a local denial-of-service attack. An upgrade or patch to the kernel, followed by a kernel rebuild and install, is required to resolve the problem.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:


Please note that the dates listed after the updates below are the date of the LWN issue in which they were first listed, not the date of their actual release.

OpenSSL Pseudo-random number generator weakness. Check the July 12th LWN Security Summary for the original report or BugTraq ID 3004.

This week's updates:

Previous updates:

Tripwire temporary files. Check the July 12th LWN Security Summary for the initial report. This vulnerability can allow a local root compromise.

This week's updates:

Buffer overflow in xloadimage. Check the July 12th LWN Security Summary for the original report.

This week's updates:

Previous updates:

OpenSSH tmplink/cookie vulnerability. Check the June 7th LWN Security Summary for the initial report. This is also covered in BugTraq ID 2825.

This week's updates:

Previous updates:

BSD ptrace race condition vulnerability. Check the June 21st LWN Security Summary for the original report or BugTraq ID 2873.

This week's updates:

Previous updates:
  • OpenBSD, patches released (June 21st)
  • NetBSD, CVS tree patched (June 21st)

multiple imapd buffer overflows. Check the March 15th LWN Security Summary for the original report. This is also covered in BugTraq ID 2856.

This week's updates:

Previous updates:


Know Your Enemy: Statistics. The Honeynet Project has released a new whitepaper entitled "Know Your Enemy: Statistics". Note that statistics aren't the enemy; they have collected statistics on the aggressiveness of current attacks and a proof of concept for predicting future attacks. "In an effort to predict trends, two members of the Honeynet Project took two different approaches. However, their findings were similar; almost all attacks could be detected two to three days ahead of time".

Xprobe 0.0.1p1. Xprobe, written by Fyodor Yarochkin and Ofir Arkin, is a newly available fingerprinting tool based on Ofir's research in ICMP Protocol Usage in Scanning.

Snort signature for BSD/TESO telnetd exploit. Marty Roesch and Brian Caswell have made Snort signatures available for the Multiple Vendor Telnetd Buffer Overflow Vulnerability.


Upcoming Security Events.

Date                       Event                                                           Location
August 6 - 10, 2001        CERT Conference 2001                                            Omaha, NE, USA
August 7, 2001             CIBC World Markets First Annual Security & Privacy Conference   New York, NY, USA
August 10 - 12, 2001       Hackers at Large 2001 (HAL2001)                                 Enschede, Netherlands
August 13 - 17, 2001       10th USENIX Security Symposium 2001 Conference                  Washington, D.C.
September 11 - 13, 2001    New Security Paradigms Workshop 2001 (NSPW)                     Cloudcroft, New Mexico, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh

July 26, 2001
