[LWN.net]


Security


News and Editorials

Multiple security problems with SNMP. Here's a CERT advisory warning of many problems with Simple Network Management Protocol (SNMP) implementations. To summarize, SNMP implementations are full of nasty bugs. If you are running SNMP on your Linux systems, you should apply the available vendor updates (we've seen them, so far, from Red Hat and Yellow Dog Linux). It is important to be aware of other devices on your network that may be running SNMP, however: routers, printers, etc. Some of those could be hard to update; disabling SNMP wherever possible would be a good idea.

The SNMP vulnerabilities were discovered by the Oulu University Secure Programming Group (OUSPG) of Oulu University, Finland. This is the same group which uncovered a wide variety of vulnerabilities across several LDAP products last year.

OUSPG developed and applied the PROTOS Test-Suite: c06-snmpv1 as a primary investigation tool. The test-suite's purpose is to "evaluate implementation level security and robustness of ... SNMP implementations." The test-suite is licensed under version 2 of the GNU GPL, and OUSPG encourages its widespread use for the evaluation and development of SNMPv1 products.

Simple Network Management Protocol (SNMP) is routinely used in installations all over the Earth for monitoring and controlling systems that include printers, routers, ATM switches, servers of all kinds and workstations. Designed in the late 80's and widely deployed in the 90's, SNMP is the most popular protocol in use to manage networked devices. It has been so successful that finding a practical alternative for a network of even moderate complexity, that can quickly and easily be put into service, is unlikely.

CERT has received reports of SNMP port scanning and, as yet unverified, reports of exploitation of these vulnerabilities. If you are responsible for a network which uses SNMP for monitoring and control, you are strongly encouraged to read the CERT advisory.

Security Reports

Debian security update to CUPS. The Debian project has released a security update to the CUPS printing system fixing a buffer overflow vulnerability in that package.

Debian security update to faq-o-matic. The Debian Project has issued what appears to be the first update from a Linux distributor for the cross-site scripting vulnerability in faqomatic. (First LWN report: February 7th).

Debian update to wmtv. Debian has released new packages that fix a symlink vulnerability in wmtv.

Autoresponder vulnerable to spammers. Autoresponder is a script for answering mail. Put it in your .forward or .qmail file, and it will reply to all incoming messages with a specified response. On Friday, 11 January 2002, someone reported on Bugtraq that the autoresponder package "...could be tricked by spammers to send unsolicited mail to victim's address if option reply with copy of original message attached to response is enabled in autoresponder's configuration." The problem is fixed in version 1.15.0 and later, available from the MeepZor Free Software page.

GNU Ada compiler (GNAT) advisory. CERT has issued this advisory for handling of temporary files in an unsafe manner by the GNU Ada compiler. All POSIX multi-user systems running GNAT-compiled binaries which use Ada language facilities for creating temporary files are affected. GNAT versions known to have this defect are 3.12p, 3.13p and 3.14p. The advisory also notes that "the unreleased version of GNAT from the GCC CVS fixes this security defect on GNU/Linux, but introduces another one. Its use is strongly discouraged until this problem has been addressed."

Updates

Heap corruption vulnerability in at. The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th).

This week's updates:

Previous updates:

Buffer overflow in groff. The groff package has a buffer overflow vulnerability; if it is used with the print system, it is conceivably exploitable remotely.

This week's updates:

Previous updates:

Flaw in OpenLDAP. OpenLDAP versions 2.0.0 through 2.0.19 do not properly check permissions when using access control lists and a user tries to remove an attribute from an object in the directory by replacing its values with an empty list. Schema checking is still enforced, so a user can only remove attributes that the schema does not require the object to possess. Please note that in 2.0 versions prior to 2.0.8, this flaw is not restricted to authenticated users (i.e., anonymous users can abuse the flaw as well).

This week's updates:

Previous updates:

Remotely exploitable security problem in mutt. Most of the major distributions have provided updates for this buffer overflow vulnerability, which was fixed in mutt versions 1.2.5.1 and 1.3.25.

This is a remotely exploitable hole; applying the update is a very good idea. It was first mentioned in the January 3rd LWN security page.

This week's updates:

Previous updates:

A remotely exploitable hole in rsync. A vulnerability has been found in the rsync server: it seems that the server did not pay enough attention to the sign of numbers it reads from the client connection. This oversight allows an attacker to write bytes containing zero almost anywhere in the stack, with results similar to those caused by buffer overflows. Sites running rsync in its daemon mode are thus vulnerable to remote root compromises. Versions of rsync prior to 2.5.2 are vulnerable. (First LWN report: January 31st).
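The class of bug described for rsync, shown as an added illustration (constructed for this page, not rsync's code): a length read from the peer as a signed integer is checked only against an upper bound, so a negative value passes and the terminating zero is written outside the buffer. The `struct frame` arena, the function names and the little-endian wire format are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

#define BUF_LEN 16
#define BUF_OFF 32   /* logical buffer is arena[32..47] */

/* Constructed stand-in for a stack frame: the bytes around the buffer
 * play the role of neighbouring locals and saved state. */
struct frame { unsigned char arena[64]; };

/* Decode the 32-bit little-endian integer the peer sent, as a signed value. */
static int32_t read_int32(const unsigned char *p)
{
    uint32_t v = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return (int32_t)v;
}

/* Flawed: only the upper bound is checked, so a negative length passes
 * and the terminating zero lands in front of the buffer. */
int terminate_unchecked(struct frame *f, const unsigned char *wire)
{
    int32_t len = read_int32(wire);
    if (len >= BUF_LEN) return -1;
    f->arena[BUF_OFF + len] = 0;
    return 0;
}

/* Hardened: the sign is checked before the value is used as an index. */
int terminate_checked(struct frame *f, const unsigned char *wire)
{
    int32_t len = read_int32(wire);
    if (len < 0 || len >= BUF_LEN) return -1;
    f->arena[BUF_OFF + len] = 0;
    return 0;
}

/* Returns 1 if the call changed any byte outside the logical buffer. */
int neighbour_clobbered(int (*fn)(struct frame *, const unsigned char *), int32_t len)
{
    struct frame f;
    unsigned char wire[4];
    memset(f.arena, 0xAA, sizeof f.arena);
    for (int i = 0; i < 4; i++) wire[i] = (unsigned char)((uint32_t)len >> (8 * i));
    fn(&f, wire);
    for (int i = 0; i < 64; i++)
        if ((i < BUF_OFF || i >= BUF_OFF + BUF_LEN) && f.arena[i] != 0xAA) return 1;
    return 0;
}
```

Calling `neighbour_clobbered` with a length of -8 keeps the stray write inside the 64-byte arena, so the demonstration itself stays well-defined while still showing a byte outside the logical buffer being zeroed.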

This week's updates:

Previous updates:

Multiple vendor telnetd vulnerability. This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.

This week's updates:

Previous updates:

Uucp local user exploits. There is a vulnerability in the command-line argument handling of uucp which can be exploited by a local user to obtain uid/gid uucp. See the September 13, 2001 LWN security page for the initial report.

New updates:

Previous updates:

Resources

Deanonymizing Users of the SafeWeb Anonymizing Service. Although Deanonymizing Users of the SafeWeb Anonymizing Service (PDF Format) isn't about open source software, it is worth a read if you are concerned with how "fundamentally incompatible requirements" can jeopardize security. Written by researchers from Boston University and the Workplace Surveillance Project Privacy Foundation, it describes how "fundamentally incompatible requirements were realized in SafeWeb's architecture, resulting in spectacular failure modes under simple JavaScript attacks."

Events

Upcoming Security Events.
Date | Event | Location
February 15 - 17, 2002 | CODECON 2002 | San Francisco, California, USA
February 18 - 22, 2002 | RSA Conference 2002 | San Jose, CA., USA
February 25 - March 1, 2002 | Secure Trusted OS Consortium - Quarterly Meeting (STOS) (Hyperdigm Research) | Chantilly, VA, USA
March 11 - 14, 2002 | Financial Cryptography 2002 | Southampton, Bermuda
March 18 - 21, 2002 | Sixth Annual Distributed Objects and Components Security Workshop (Pier 5 Hotel at the Inner Harbor) | Baltimore, Maryland, USA
March 18 - 20, 2002 | InfoSec World Conference and Expo/2002 | Orlando, FL, USA
April 1 - 7, 2002 | SANS 2002 | Orlando, FL., USA
April 5 - 7, 2002 | Rubicon | Detroit, Michigan, USA
April 7 - 10, 2002 | Techno-Security 2002 Conference | Myrtle Beach, SC
April 14 - 15, 2002 | Workshop on Privacy Enhancing Technologies 2002 (Cathedral Hill Hotel) | San Francisco, California, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney


February 14, 2002

Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds