Security


News and Editorials

A couple of responses to Scott Culp. As might be expected, the "information anarchy" essay by Microsoft's Scott Culp drew some responses. We'll pass on a couple of them. Here's Eric Raymond's response, written in Eric's typical style.

Cryptographers and security experts have known for years that peer review of open source code is the only reliable way to verify the effectiveness of encryption systems and other security software. So Microsoft's closed-source mode of development guarantees that customers will continue getting cracked and Microsoft will continue pointing the finger of blame everywhere except where it actually belongs.

Elias Levy, meanwhile, responded in this SecurityFocus article.

A successful attacker requires three things: the opportunity to launch an attack, the capacity to successfully execute the attack, and the motivation to attack. An opportunity to launch an attack requires a vulnerable system and an access path to the system. The capability to successfully execute the attack requires knowledge of the vulnerability and the tools to exploit it. Proponents of the information dictatorship argument are targeting the second requirement of a successful attacker: his capability to launch an attack. This approach to the problem of computer security is flawed, and can only fail.

Overall, there has been a distinct lack of people rushing out to back up Microsoft's view on security disclosure. Even people who are uncomfortable with those who circulate exploit tools have remained quiet.

Make sure your ssh is current. Here's a NewsBytes article on a new ssh exploit going around.

In its February advisory, Bindview stated that it was aware of no working exploits for the overflow flaw in the SSH daemon. But last week, rumors spread in the hacker underground that scripts were available to gain "root" or system-level access to vulnerable systems. And in recent days, system operators have posted reports on security mailing lists saying they are receiving remote scans from attackers attempting to locate vulnerable systems running SSH.

There has been little in the way of confirmation of this exploit from any other source. Nonetheless, now would be a good time to check ssh/OpenSSH installations and make sure they are current. A remote root exploit based on ssh is the sort of thing of which extreme nastiness (i.e. horrific Linux-based worms) is made.

Security Reports

Two kernel security bugs explained. Here is Rafal Wojtczuk's explanation (from Bugtraq) of the two security bugs found in recent Linux kernels. They are:

  • Through the use of properly constructed chains of symbolic links, a local attacker can lock up the kernel for long periods of time, thus creating a denial of service attack.

  • With the proper use of a setuid binary, the ptrace() system call can be fooled into tracing another setuid program, and thus into executing arbitrary code as root.
The second attack can be defeated on many Linux systems by getting rid of the newgrp binary, which is normally of little use anyway. The real fix, though, is to run the 2.4.12 (or later) kernel.

Note that there are, apparently, some other kernel security issues out there that have not, yet, been explained publicly.

Two bugs with apache. Apache 1.3.22 fixes a couple of minor issues with the apache web server. The "split-logfile" program can be used to overwrite any file that is writable by the web server account, and which ends in ".log". That script tends not to be shipped with most Linux distributions. The other vulnerability could lead to the delivery of undesired directory listings in some situations.

Debian security update to nvi. The Debian Project has released a security update to nvi fixing "a very stupid format string vulnerability" in that package. "Even if we don't believe that this could lead into somebody gaining access of another users account if he hasn't lost his brain, we recommend that you upgrade your nvi packages."

gftp can expose passwords. The Debian Project has put out an update to gftp fixing a problem in that package: it displays login passwords in plain text. In the interest of thwarting shoulder surfers, applying the update is probably a good idea.

A pile of Debian security alerts. Here's another set of alerts which have come out of Debian in the last week:

  • w3m, buffer overflow problem, with a possible remote exploit. (Update: it seems that there is no PowerPC version of this patch available; PowerPC users are advised to avoid w3m.)

  • xvt, locally-exploitable buffer overflow.

  • procmail, signal handling problem with possible local exploit.
The project has also appointed two security secretaries, Matt Zimmerman and Noah Meyerhans, to help coordinate security response.

Denial of service in 6tunnel. The 6tunnel utility, used for IPv6 tunneling, has a denial of service vulnerability that allows an attacker to cause the 6tunnel server to crash. Affected users should upgrade to version 0.09 or later.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

Updates

Configuration file vulnerability in ht://Dig. The ht://Dig search engine contains a vulnerability which allows a remote user to specify an alternate configuration file. If that user is able to place a suitable file in a location where ht://Dig can read it, the system may be compromised. See the original report from the ht://Dig project for details. This vulnerability first appeared in the October 11 LWN security page.
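The split-logfile problem described under the Apache item and the ht://Dig configuration-file problem above have the same shape: a name that arrives from outside (a virtual-host field at the front of a log line, a configuration-file name in a request) is turned into a path and opened. What follows is an added example, not code from Apache, ht://Dig or LWN, of the check a defender wants in front of that open(): accept only hostname-like tokens, append the fixed suffix yourself, and confirm the resolved path still sits directly inside the intended directory. The function names, the directories, the hostname pattern and the sample log lines are all constructed for this example.

```python
import os
import re
from collections import defaultdict

# Assumption for this example: a name is acceptable only if it looks like a
# DNS hostname (lower-case labels of letters, digits and hyphens joined by
# dots). Anything else, including "/", "\\", "..", spaces and NUL, is refused.
NAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")

def safe_path(name, base_dir, suffix):
    """Map an untrusted name onto base_dir/<name><suffix>, or return None.

    The regex keeps path separators and traversal out of the name entirely;
    the realpath check then confirms the final target (after any symlink
    already sitting in base_dir is followed) is still a direct child of
    base_dir, so a planted link cannot redirect the write either.
    """
    name = name.lower()
    if not name or len(name) > 253 or not NAME_RE.match(name):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name + suffix))
    if os.path.dirname(target) != base:
        return None
    return target

def split_log_lines(lines, log_dir):
    """Group vhost-prefixed access-log lines by their leading virtual-host
    field, as a log splitter does, but only under names that pass
    safe_path(). Nothing is written; the caller gets
    {target_path: [line, ...]} plus the rejected lines, so those can be
    reported rather than silently lost."""
    grouped = defaultdict(list)
    rejected = []
    for line in lines:
        vhost, _, rest = line.partition(" ")
        target = safe_path(vhost or "access", log_dir, ".log")
        if target is None:
            rejected.append(line)
            continue
        grouped[target].append(rest)
    return dict(grouped), rejected

# Constructed sample input: three vhost-prefixed access-log lines, one of
# which carries a traversal attempt in the vhost field.
SAMPLE_LINES = [
    'www.example.com 10.0.0.1 - - [25/Oct/2001:10:00:00 +0000] "GET / HTTP/1.0" 200 512',
    '../../tmp/trap 10.0.0.2 - - [25/Oct/2001:10:00:01 +0000] "GET / HTTP/1.0" 200 12',
    'WWW.EXAMPLE.COM 10.0.0.3 - - [25/Oct/2001:10:00:02 +0000] "GET /x HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    grouped, rejected = split_log_lines(SAMPLE_LINES, "/var/log/apache/vhosts")
    for path, entries in grouped.items():
        print(path, len(entries), "lines")
    print("rejected:", rejected)
    # The same check applied to a config-file name, ht://Dig style.
    print(safe_path("htdig", "/etc/htdig", ".conf"))
```

The allow-list deliberately rejects more than strictly necessary (IPv6 literals, names with underscores) because a log splitter or a search front end gains nothing from accepting them and every extra character class is one more thing to reason about; widen NAME_RE only for a name form you actually serve.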

OpenSSH restricted host vulnerability. Versions of OpenSSH prior to 2.9.9 have a vulnerability that can allow logins from hosts which have been explicitly denied access. The fix is to upgrade to OpenSSH 2.9.9. This problem first appeared in the October 4 LWN security page.

SQL injection vulnerabilities in Apache authentication modules. Several Apache authentication modules have vulnerabilities that could allow an attacker to feed arbitrary SQL code to the underlying database, resulting in a compromise of database integrity and unauthorized access to the server. See the September 6 security page for more information.
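A look at the defect behind the authentication-module advisory, as an added example that is not the modules' own code: the same username lookup written once by splicing the client-supplied string into the SQL text and once with a bound parameter, run against a constructed in-memory SQLite table. The table schema, the names and the toy password hashing are assumptions for this example.

```python
import hashlib
import hmac
import sqlite3

def _toy_hash(password):
    # Toy hashing for the example only; a real deployment stores a salted,
    # deliberately slow password hash, not a bare SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_db():
    """Constructed in-memory stand-in for the users table an Apache SQL
    authentication module would consult (schema and contents assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", _toy_hash("correct horse")))
    db.commit()
    return db

def lookup_unsafe(db, username):
    """The vulnerable pattern: the client-supplied username is spliced
    into the SQL text, so quote characters in it become SQL syntax."""
    sql = "SELECT pw_hash FROM users WHERE username = '%s'" % username
    return db.execute(sql).fetchall()

def lookup_safe(db, username):
    """Hardened: the username is bound as a parameter and can only ever
    be compared as a string value, whatever characters it contains."""
    sql = "SELECT pw_hash FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def authenticate(db, username, password):
    """Authentication on top of the safe lookup: exactly one row must
    match, and the hash comparison is constant-time."""
    rows = lookup_safe(db, username)
    if len(rows) != 1:
        return False
    return hmac.compare_digest(rows[0][0], _toy_hash(password))

if __name__ == "__main__":
    db = make_db()
    probe = "nobody' OR 'a'='a"   # constructed input containing SQL syntax
    print("unsafe lookup rows:", len(lookup_unsafe(db, probe)))  # 1: the clause matches every row
    print("safe lookup rows:  ", len(lookup_safe(db, probe)))    # 0: no user has that literal name
    print("alice ok:", authenticate(db, "alice", "correct horse"))
```

The second half of the fix is in authenticate(): even with a safe lookup, a check that accepts "at least one row" instead of "exactly one row" would let a later bug in the query turn into an authentication bypass, so the row count is part of the decision.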

Squid httpd acceleration ACL vulnerability. This vulnerability could result in unauthorized access to the squid server. See the July 26 Security page for details.

Improper credentials from login. A problem with the login program (in the util-linux package) can, in some situations, cause a user to be given the credentials of another user at login. Use of the pam_limits module, in particular, can bring about this problem. In general, distributions using the default PAM configuration are not vulnerable; an upgrade is probably a good idea anyway. This problem was first reported in the October 18 LWN security page.

Security audit of xinetd and resulting fixes. Solar Designer has performed an extensive audit of xinetd, looking for certain types of security vulnerabilities. So many problems were found in the code that the resulting patch weighed in at over 100KB. This patch was only fully merged as of xinetd 2.3.3. See the September 6, 2001 LWN security page for the initial report.

Resources

LinuxSecurity.com has put out its Linux Advisory Watch and Linux Security Week postings, as usual.

Events

Upcoming Security Events.
Date                      Event                                                                             Location
November 5 - 8, 2001      8th ACM Conference on Computer and Communication Security (CCS-8)                 Philadelphia, PA, USA
November 13 - 15, 2001    International Conference on Information and Communications Security (ICICS 2001)  Xian, China
November 19 - 22, 2001    Black Hat Briefings                                                               Amsterdam
November 21 - 23, 2001    International Information Warfare Symposium                                       AAL, Lucerne, Switzerland
November 24 - 30, 2001    Computer Security Mexico                                                          Mexico City
November 29 - 30, 2001    International Cryptography Institute                                              Washington, DC
December 2 - 7, 2001      Lisa 2001 15th Systems Administration Conference                                  San Diego, CA
December 5 - 6, 2001      InfoSecurity Conference & Exhibition                                              Jacob K. Javits Center, New York, NY
December 10 - 14, 2001    Annual Computer Security Applications Conference                                  New Orleans, LA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet


October 25, 2001

Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds