Linux in the news
All in one big page
See also: last week's Security page.
News and editorials
OpenSSH now supports the SSH 2 protocol. It was August 28th, 1998, when SSH Communications announced their license for ssh 2.0.8. That license restricted all commercial use of ssh 2.X without a licensing agreement. As a result, ssh 2.X was not widely packaged for Linux and more attention has been paid to tracking issues in ssh 1.X than ssh 2.X.
Thanks to the OpenBSD team, that has all changed again. The OpenBSD Journal reported last Thursday that OpenSSH now supports the SSH 2 protocol and is still backwards compatible with SSH 1. One advantage of the SSH 2 protocol that the OpenBSD Journal mentioned was its use of DSA instead of the patented RSA algorithm. In addition, the newer protocol was intended to be more secure, or at least better designed, than its predecessor.
Analysis of mstream DDoS tool. David Dittrich has published an analysis of mstream, another distributed denial of service tool for which the source code was recently released. Check it out for information on the signature of this most recent attack.
David's analysis finished up with two strong recommendations. The first was a call for more training for systems administrators. "First, and fundamentally, intruders will tend to have an even greater advantage over unskilled system administrators. It is becoming ever more important that systems administrators -- Unix, NT, whatever -- have training as a primary task, not a luxury or burden to be avoided." This recommendation is up against some tough competition. Due to the current shortage of good technical staff, businesses are demanding systems that are easier to administer ... which generally leads to them being administered by less skilled staff.
He also called for systems administrators to actively deal with and learn from intrusions, rather than just reinstalling and moving on. "Second, incident response and forensic investigation may be made more difficult, if not impossible, as the simple "solution" that the unskilled Unix administrator will take is to give up and just re-install the operating system. This ill-advised choice of action destroys any evidence that may exist on the system and sets the system up for a subsequent intrusion because the same security precautions they did not take before the incident will usually not be taken this time either." This comment, also wise, is likely to continue to get lost in the pressure to get back up and running as soon as possible and get back to other work. In other words, both these recommendations are good, but are unlikely to be used unless companies start taking security seriously enough to hire adequate staff to handle both their normal systems administration needs and the demands of good security.
CERT advisory on bind vulnerabilities. The Computer Emergency Response Team has put out this advisory regarding continued exploitation of vulnerabilities in older versions of bind. Fixes were made available months ago, but, apparently, many sites have not installed them. Now might be a good time to check your systems and be sure that all of them that are running bind have been upgraded. (And note that, depending on your distribution, you may be running it without having explicitly set it up).
SuSE libsafe analysis. Marc Heuse posted another brief analysis of libsafe, explaining why SuSE does not plan on integrating it into their system. "I can not remember a vulnerability in a network service for the last year which this tool would have prevented. Therefore: as long as this tool is not enhanced to also protect open/fopen calls against symlink/hardlink/pipe attacks, several more buffer overflow types, system/exec* function protection etc. it is not useful to use this tool." (Thanks to Fred Mobach.)
Linux kernel knfsd vulnerability. A vulnerability in the knfsd daemon leaves a host system vulnerable to a denial-of-service attack that can bring down the NFS service, reports Chris Evans. This impacts both the 2.2 stable tree and the 2.3 development tree. A patch against Linux kernel 2.2.15pre19 has been made available and is included in his note.
Note that the Red Hat kernel update we list here fixes this problem, plus others, including the IP masquerading vulnerability we discussed on March 30th. SuSE also responded to the recent security reports, but is waiting for the "any day now" release of 2.2.15 to provide updated packages. Last, but not least, please remember that the installation of a kernel update will always require care and attention.
SuSE: Gnomelib buffer overflow. An exploit for a buffer overflow in Gnomelib has been posted to BugTraq and confirmed to work on SuSE 6.3 and 6.4. A workaround, according to the SecurityFocus vulnerability database, is to remove the setuid and setgid bits on all Gnome based executables. Red Hat 6.X, Linpus 6.3 and Debian are reported not to be vulnerable. SuSE has acknowledged the problem, warning that the issue depends on the version of Gnome and may therefore impact older releases of other vendors. They indicated that a fix should be forthcoming soon.
Remotely exploitable hole in Sniffit. Sniffit, a widely-used packet sniffer, has been reported to contain a remotely exploitable buffer overflow, affecting version 0.3.7beta and all prior versions that log mail headers. A minor change to the source code is given that should fix the problem.
Gnapster: arbitrary read file access. Gnapster 1.3.9 has been released and contains, along with other bugfixes and changes, a fix for a vulnerability that can allow a user to view arbitrary files on the system.
Cisco Vulnerabilities. Cisco IOS, which runs on a variety of routers, is vulnerable to a denial-of-service attack if the router has a web server running on it. Cisco has acknowledged the problem and provided a work-around. They will provide a formal advisory when they have a full fix available.
In addition, many commands documented to require elevated privileges are actually usable without them, according to this report from Fernando Montenegro. The report includes configuration commands that can be executed to resolve the problem. He also indicates that Cisco's Product Security Incident Response Team has confirmed the issue and approved the recommended workaround.
SuSE cron/aaabase.We mentioned in last week's issue that a problem had been reported on SuSE systems where a cron job installed by default allowed any file on the system to be deleted, via a /tmp file link. The SuSE package involved is called aaabase. Here are the distribution responses to the problem.
nmap security scanner version 2.50. A new, stable version of the nmap security scanner has been released. This is the first stable release in slightly over a year and contains many new features.
May/June security events.
May 14-18, 2000. EuroCrypt 2000, Bruges (Brugge), Belgium.
May 14-17, 2000. 2000 IEEE Symposium on Security and Privacy, Oakland, California, USA.
June 12-14, 2000. NetSec 2000, San Francisco, California, USA.
June 25-30, 2000. 12th Annual First Conference, Chicago, Illinois, USA.
June 27-28, 2000. CSCoRE 2000, "Computer Security in a Collaborative Research Environment", Long Island, New York, USA.
Section Editor: Liz Coolbaugh
May 4, 2000
Secure Linux Projects Bastille Linux
Khaos Linux Nexus
Secure Linux Secure Linux (Flask)
Security List Archives
Firewall Wizards Archive
LinuxPPC Security Updates
Red Hat Errata
Yellow Dog Errata
Security Software Archives
ZedZ.net (formerly replay.com)
Comp Sec News Daily
Linux Security Audit Project