[LWN.net]


Security


News and Editorials

How Can You Defend Against a Superworm? (Linux Journal). Don Marti speaks with Brandon Wiley, coordinator of the Tristero project, about the threat of "superworms" and what might be done to defend against it. "Linux administrators see log files full of failed attack attempts when some other platform is subject to a worm attack. Dumb worms might be a nuisance and a waste of bandwidth. But what if worms were a little smarter about which hosts to attack, when to attack and with what exploit? What if a worm developer could update all the running worms, on the fly, with a new exploit?"

Lock in the Nessus monster (ARNnet). Con Zymaris writes about selling security scanning using Nessus as a service. "Here's the crux of the analysis, however: no matter how good these [proprietary] tools are, all pale by comparison to Nessus. In all the security expert reports I have read in the past 18 months, Nessus is considered the best-of-breed security vulnerability scanning product, by a long margin. That it is open source, has long-term viability and is totally free of any licensing or use costs are mere bonuses, and great for reducing our cost of establishing this business service."

Nessus does not call home. Despite some rumors to the contrary at the recent CanSecWest conference, Renaud Deraison reassures us that "Nessus does not call home. It never does, never did and never will. However, the checks [it performs] have a side effect that may have the naughty side effect to sending some packets to nessus.org, which can make people think I have the ability to monitor their scans."

Sending a wake-up call to the W3C (News.com). Rich DeMillo, Hewlett-Packard's vice president of technology strategy, tells us why "Linux will be the first operating system" HP will port to their Secure Platform Architecture (SPA). "We think it makes great sense to do this in the town square by calling on the trust-enhancing ability of the open-source community with its rigorous peer review, open publishing and testing methodologies."

Security Reports

DHCP remotely exploitable format string vulnerability. The May 8, 2000 release of ISC DHCP 3.0p1 fixes this serious vulnerability in ISC DHCPD 3.0 to 3.0.1rc8 inclusive. So far, the only distributor update we have seen for this vulnerability is this one from Conectiva.

We encourage DHCP users to upgrade, disable DHCP or, at a minimum, consider using ingress filtering as described in the CERT advisory.

Netfilter NAT/ICMP information leak. "Netfilter ("iptables") can leak information about how port forwarding is done in unfiltered ICMP packets. The older "ipchains" code is not affected." The bug exists in the iptables package in all versions of the 2.4.4 kernel up to "(at least) 2.4.19-pre6".

A sufficient workaround is to filter out untracked local ICMP packets using the following command:

  iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
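
The command above appends (`-A`) its rule to the end of the OUTPUT chain, so it only has an effect if no earlier rule has already accepted the packet. The check below is an added example, not code from LWN or from the Netfilter advisory; the function name `check_icmp_workaround` and the sample rule sets are constructed for illustration, and it assumes rules in the text form printed by `iptables -S` or `iptables-save`.

```sh
#!/bin/sh
# Added example: audit an OUTPUT chain for the ICMP workaround quoted above.
# Input on stdin: rules in `iptables -S OUTPUT` / iptables-save form.
# Prints one of:
#   ok       - INVALID-state ICMP is dropped and no earlier rule pre-empts it
#   shadowed - the DROP exists, but an earlier stateless ACCEPT already
#              matches ICMP, so INVALID packets leave before reaching it
#   missing  - no matching DROP rule in OUTPUT
check_icmp_workaround() {
    awk '
    $1 == "-A" && $2 == "OUTPUT" {
        line = " " $0 " "                  # pad so every token is space-delimited
        icmp  = (line ~ / -p icmp /)
        anyp  = (line !~ / -p /)           # no protocol match: applies to ICMP too
        state = (line ~ / --(ct)?state /)  # -m state or -m conntrack
        if (icmp && line ~ / -j DROP / &&
            line ~ / --(ct)?state ([A-Z,]*,)?INVALID(,[A-Z,]*)? /) {
            found = 1
            exit                           # rules after the DROP cannot shadow it
        }
        if ((icmp || anyp) && !state && line ~ / -j ACCEPT /)
            shadow = 1
    }
    END {
        if (!found)      print "missing"
        else if (shadow) print "shadowed"
        else             print "ok"
    }'
}

# Constructed sample rule sets (not captured from a real host).
RULES_OK='-P OUTPUT ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j DROP'

RULES_SHADOWED='-P OUTPUT ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j DROP'

RULES_MISSING='-P OUTPUT ACCEPT
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT'
```

On a live host, pipe the output of `iptables -S OUTPUT` (run as root) into the function instead of the sample variables.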

Updates which fix the problem were released this week by:

Red Hat advisory for sharutils. Updated packages for sharutils are available which fix potential privilege escalation using the uudecode utility.

Red Hat Security Advisory. Updated perl-Digest-MD5 packages are available which work around a bug in the utf8 interaction between perl-Digest-MD5 and Perl.

Gaim arbitrary email reading vulnerability. Gaim 0.57 has a bug which allows a local attacker to gain full access to other Gaim users' Hotmail accounts. A fix is available. The problem has been fixed in the nightly CVS, and will be fixed in version 0.58. "Gaim is an all-in-one IM client that resembles AIM. Gaim lets you use AIM, ICQ, Yahoo, MSN, IRC, Jabber, Napster, Zephyr, and Gadu-Gadu, all at once. Gaim is NOT endorsed by or affiliated with AOL, Yahoo, MSN or Napster."

Quake II 3.2x server cvar leak. A problem in the Quake II server for Linux allows an attacker to reveal the server's rcon password. Details of the affected source code and patched binaries are available.

web scripts. The following web scripts were reported to contain vulnerabilities:

  • NOCC 0.9.5, and possibly earlier versions, have a cross-site scripting vulnerability. The NOCC team is working on a fix. "NOCC is a webmail client written in PHP. It provides webmail access to IMAP and POP3 accounts."

Updates

GNU fileutils race condition. A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).


Multiple vulnerabilities in icecast. Icecast is a streaming audio broadcasting system. Version 1.3.12 was released on April 10th. "This release is a security update and all users are highly encouraged to upgrade immediately or apply the relevant patches to their own versions. Remember, never run icecast as a privileged user, especially not as root." (First LWN report: May 2).


Multiple vulnerabilities in tcpdump. Version 3.5.2 fixed a buffer overflow vulnerability in all prior versions. However, newer versions, including 3.6.2, are vulnerable to another buffer overflow in the AFS RPC functions that was reported by Nick Cleaton. (First LWN report: May 9).

Both problems appear to have been reported and fixed in FreeBSD some months ago. The CIAC report on the vulnerability in versions prior to 3.5.2 is dated October 31, 2000. Nick Cleaton's FreeBSD security advisory on the AFS RPC bug, and reference to a fix for FreeBSD, is dated July 17, 2001. Tcpdump 3.7 was released on January 21, 2002.


Resources

Linux security week. The and publications from LinuxSecurity.com are available.

Fenris 0.02 has been released by Michal Zalewski. "Fenris is a multipurpose tracer, stateful analyzer and partial decompiler intended to simplify bug tracking, security audits, code, algorithm, protocol analysis and computer forensics." Michal has also written these hints for those using Fenris for The Reverse Challenge contest from the folks at Honeynet. His "quick write-up is not intended to spoil the fun, so it is safe to have a look."

Events

Upcoming Security Events.

The 2002 Edinburgh Financial Cryptography Engineering has issued a call for papers. On June 28th and 29th 2002 Edinburgh, Scotland "is again host to the international engineering conference on Financial Cryptography. Individuals and companies active in the field are invited to present and especially to demonstrate Running Code that pushes forward the "state of the art"."

Date | Event | Location
May 16 - 17, 2002 | 14th Annual Canadian Information Technology Security Symposium (CITSS) | (Ottawa Congress Centre) Ottawa, Ontario, Canada
May 27 - 31, 2002 | 3rd International SANE Conference (SANE 2002) | Maastricht, The Netherlands
May 29 - 30, 2002 | RSA Conference 2002 Japan | (Akasaka Prince Hotel) Tokyo, Japan
May 31 - June 1, 2002 | SummerCon 2002 | (Renaissance Hotel) Washington D.C., USA
June 17 - 19, 2002 | NetSec 2002 | San Francisco, California, USA
June 24 - 28, 2002 | 14th Annual Computer Security Incident Handling Conference | (Hilton Waikoloa Village) Hawaii
June 24 - 26, 2002 | 15th IEEE Computer Security Foundations Workshop | (Keltic Lodge, Cape Breton) Nova Scotia, Canada
June 28 - 29, 2002 | Edinburgh Financial Cryptography Engineering 2002 | Edinburgh, Scotland

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney


May 16, 2002

Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds