[LWN Logo]
[LWN.net]

Sections:
 Main page
 Security
 Kernel
 Distributions
 On the Desktop
 Development
 Commerce
 Linux in the news
 Announcements
 Linux History
 Letters
All in one big page

See also: last week's Security page.

Security


News and Editorials

Red Hat mkpasswd limitations. A limitation in the Red Hat mkpasswd command was discussed on BugTraq this week. Mkpasswd is an expect script that can be used to generate random passwords. Similar to a recently reported problem with a password generator for the Palm, it seems that mkpasswd uses an inadequate seed, based on the process ID, which results in a much smaller pool of passwords than is expected.

Of course, the smaller the pool of passwords, the easier it is to brute-force a password.

In addition to the importance of using a good random seed in the password generator, the need to reseed was also discussed. Using the Tcl 8 rand() function as an example, it was shown that seeding only once produce in the range of 22,000 passwords before duplicates began to occur. The Tcl 8 rand() function uses the system clock for a seed. Alternately using a weaker seed but reseeding with each invocation, more than 45,000 passwords were generated without a duplicate occurring.

We expect an update for the Red Hat mkpasswd command will be provided in the near future. Meanwhile, sites that use password generators to assign passwords may want to look more closely at the algorithms upon which they are depending.

Disabling Module Loading Caveat. A piece of information was accidentally left out of last week's lead-in editorial, which talked about using the capability bounding set to disable the loading of kernel modules. In June of 2000, Patrick Reynolds sent in a Letter to the Editor pointing out that "/proc/sys/kernel/cap-bound maps directly to the cap_bset variable in kernel memory". As a result, unless CAP_SYS_RAWIO is disabled (it controls access to /dev/mem), it is possible to use /dev/mem to load new code into the kernel (this will require access to a valid System.map file).

Unfortunately, disabling /dev/mem will break many things, including X and potentially many other user-space programs.

The use of capability bounding sets will still assist in protecting systems from many current rootkits that use loadable kernel modules, but, as common with most security issues, they only provide a partial solution. (Thanks to Neale Pickett for pointing out our error in omitting this information last week).

Carko distributed-denial-of-service tool. A new distributed denial-of-service tool, named Carko, was reported on various systems this week. Carko is a clone of stacheldraht+antigl+yps, with apparently as little as one source code line difference. However, it has been updated to leverage much newer vulnerabilities, in particular a buffer overflow in snmpXdmid under Solaris.

Although Carko is not currently targeting Linux vulnerabilities, it is a reminder that the problem of distributed denial-of-service attacks has not been resolved. For now, the best defense for all of us is not only to close all vulnerabilities on our own systems in a timely manner, but also to encourage and support everyone else we know to do likewise. Carko is spreading because the availability of hosts with open vulnerabilities is vast.

CRYPTO-GRAM newsletter. Bruce Schneier's CRYPTO-GRAM newsletter for April is out. It covers computer security from a military defensive point of view, the fake Microsoft certificates, and more.

Microsoft: Closed source is more secure (SecurityFocus). SecurityFocus has put up a report from Microsoft security head Steve Lipner's talk at the RSA Conference. "Lipner slammed the open source development process, suggesting that the often-voluntary nature of creating works like the Linux operating system make it less disciplined, and less secure. 'The open source model tends to emphasize design and development. Testing is boring and expensive.'"

Reading through the comments posted to SecurityFocus revealed little support for Lipner's words, but that could be expected from an audience that is both security-savvy and extremely familiar with Open Source software. The most relevant comment we found was from "Will" who pointed out that the majority of advisories from Microsoft credit people outside their own staff for finding the security holes. That indicates that a "dedicated, trained, full time and paid" staff isn't the answer either. Neither closed source nor Open Source software is as secure as it needs to become.

Security Reports

Linux Kernel 2.4 Netfilter/IPTables vulnerability. Under Linux 2.4, IPTables is used for building firewalls. It is implemented under the NetFilter framework, a raw framework for filtering and mangling packets. A vulnerability has been reported in the manner that the RELATED state is implemented which can be exploited to potentially bypass a firewall and access ports that are assumed to be protected.

The NetFilter team has provided a patch for Linux 2.4.3. Note that the patch may be subject to future revision; a URL is provided where the latest version can be found. Presumably the patch, or its future incarnation, will be provided in an upcoming version of 2.4. Meanwhile, the original posting provides details that network engineers will want to examine to improve and tighten the use of the RELATED state.

Samba 2.0.8 security issue. Andrew Tridgell posted a note to BugTraq that Samba 2.0.8 has been released to address a significant security vulnerability that allows local users to corrupt local devices (such as raw disks).

cfingerd format string vulnerability. A format string vulnerability has been reported in cfingerd ("Configurable Finger Daemon") which can be used remotely to gain root privileges and execute arbitrary code. An exploit for this vulnerability has been published and a patch to fix the problem is available.

  • Debian

    Debian Security Advisory for exuberant-ctags. Colin Phipps discovered that the exuberant-ctags package, as distributed with Debian GNU/Linux 2.2, creates temporary files insecurely. This has been fixed in version 1:3.2.4-0.1 of the Debian package, and upstream version 3.5. Other distributions that ship this package will also be impacted.

    bubblemon kmem permissions vulnerability. bubblemon, an application that displays CPU and memory load as bubbles in a jar of water, is installed setgid kmem under FreeBSD. As a result, it can be exploited to execute arbitrary commands under group kmem. It has not been reported whether or not the same problem crops up on other BSD systems or on Linux. A new version, Bubblemon 1.32, has been released with a fix for the problem.

    web scripts. The following web scripts were reported to contain vulnerabilities:

    • Crosswind's Cyberscheduler is reported to contain a buffer overflow in the variable that holds the time zone information. An exploit for the problem has been published and a fix is reportedly available on the Crosswind website.

    Commercial products. The following commercial products were reported to contain vulnerabilities:

    • Lightwave ConsoleServer 3200, a console switch, discloses sensitive information to non-authenticated users. A hardware upgrade (a new network card using embedded Linux) to resolve the problem is scheduled for this summer. Until then, the only workaround is to firewall the device to prevent connections from outside the local network.

    • A format string vulnerability has been reported in Hylafax hfaxd. Successful exploitation of the vulnerability will allow an attacker to gain root privileges. Hylafax has released patches to fix the problem.

    • Cisco VPN 3000 Concentrator is vulnerable to a denial-of-service attack based on its inability to properly handle specific malformed IP packets. Upgraded firmware to correct the problem is available.

    • NCM Content Management System contains a perl script, content.pl, which does insufficient input checking. As a result, it can be exploited to execute arbitrary SQL queries. An upgrade to fix the problem has been released.

    • Trend Micro Interscan Viruswall, a software scanning package that watches SMTP, FTP and HTTP transfers, contains multiple CGI programs that have buffer overflows in them. As a result, the package can be exploited remotely to gain root access. An upgrade to fix the problem has been made available.

    • The Cisco Catalyst 5000 Series has been reported vulnerable to a network storm as a result of receiving a 802.1x frame on an STP block port. Software updates for the problem are either available now or promised in the near future.

    Updates

    Netscape 4.76 GIF comment vulnerability. Check the April 12th LWN Security Summary for the original report. The vulnerability can be used to embed executable Javascript in GIF comments which are then executed by the viewer when loading the GIF file. This has been fixed in Netscape 4.77, which is available for download from ftp.netscape.com.

    This week's updates:

    Previous updates:

    ntp remotely exploitable static buffer overflow. An exploit for a static buffer overflow in the Network Time Protocol (ntp) was published on April 4th. This exploit can allow a remote attacker to crash the ntp daemon and possibly execute arbitrary commands on the host. Patches and new packages to fix this problem came out quickly. It is recommended that you upgrade your ntp package immediately. If you cannot, disabling the service until you can is a good idea. For more details and links to related posts, check BugTraq ID 2540.

    This week's updates:

    Previous updates:

    IP Filter fragment caching vulnerability. Check the April 12th LWN Security Summary for the original report. IP Filter 3.4.17 has been released with a fix for the problem. BugTraq ID 2545.

    This week's updates:

    Multiple FTP daemon globbing vulnerability. Check the April 12th LWN Security Summary for the original report.

    This week's updates:

    Previous updates:

    ptrace/execve/procfs race condition in the Linux kernel 2.2.18. Exploits were released the week of March 29th for a ptrace/execve/procfs race condition in the Linux kernel 2.2.18. As a result, an upgrade to Linux 2.2.19 is recommended.

    Last week, Alan Cox put up the Linux 2.2.19 release notes, finally giving the specifics on all the security-related fixes in 2.2.19 (all thirteen of them!) and giving credit to the Openwall project and Chris Evans, for the majority of the third-party testing and auditing work that turned up these bugs. Fixes for the same bugs have also been ported forward into the 2.4.X kernel series.

    This week's updates:

    Previous updates:
    • Immunix (March 29th)
    • Linux 2.2.19 release notes
    • Caldera, 2.2.19 security fixes (April 5th) backported to 2.2.10 and 2.2.14, the kernels used in various Caldera products
    • Trustix (April 12th)
    • Progeny (April 12th)
    • Progeny, advisory updated due to error in update instructions. (April 12th)

    OpenSSH 2.5.2p2 released. OpenSSH 2.5.2p2 was announced the week of March 29th. It contains a number of fixes (including improvements in the defenses against the passive analysis attacks discussed in the March 22nd LWN security page) and quite a few new features as well.

    This week's updates:

    Previous updates:

    pico symbolic link vulnerability. Check the December 14th, 2000 LWN Security Summary for the initial report of this problem. Note that this has also been reported as a pine vulnerability, but the vulnerable component is still pico, not pine. Check BugTraq ID 2097 for more details.

    This is the first distribution update we've seen for this four-month-old vulnerability.

    This week's update:

    Resources

    Hacker Tools and Their Signatures, Part One: bind8x.c. Toby Miller has started a series of articles detailing hacker exploits/tools and their signatures. The first article in this series focuses on bind8x.c. "The discussion will cover the details of bind8x.c and provide signatures that will assist an IDS analyst in detecting it. This paper assumes that the reader has some basic knowledge of TCP/IP and understands the tcpdump format".

    New Security Mailing Lists. In an apparent effort to lessen the load on the BugTraq mailing list, Security Focus has announced four new mailinglists:

    • SECTOOLS - For the announcement of new or updated (free) security tools.
    • SECPAPERS - For the announcement of new security papers, articles, & books.
    • SECEVENTS - For the announcement or call for papers for events (e.g. conferences, symposia, etc).
    • SECPROD - For the announcement of new or updated security products.

    Adore Detection. Duncan Simpson wrote in this week to point out a couple of tools that can be used to detect the Adore worm, including rkscan and checkps 1.3.2. "Checkps 1.3.2 in kill scanning mode should now detect adore due to two additional tests as to whether a pid really exists (adore "fixes" the kill system call)".

    Events

    Upcoming Security Events.
    Date Event Location
    April 20 - 22, 2001First annual iC0N security conferenceCleveland, Ohio, USA
    April 22 - 25, 2001Techno-Security 2001Myrtle Beach, SC, USA
    April 24 - 26, 2001Infosecurity Europe 2001London, Britain, UK
    May 13 - 16, 20012001 IEEE Symposium on SecurityOakland, CA, USA
    May 13 - 16, 2001CHES 2001Paris, France
    May 29, 2001Security of Mobile Multiagent Systems(SEMAS-2001)Montreal, Canada
    May 31 - June 1, 2001The first European Electronic Signatures SummitLondon, England, UK
    June 1 - 3, 2001Summercon 2001Amsterdam, Netherlands
    June 4 - 8, 2001TISC 2001Los Angeles, CA, USA
    June 5 - 6, 20012nd Annual IEEE Systems, Man, and Cybernetics Information Assurance WorkshopUnited States Military Academy, Westpoint, New York, USA
    June 11 - 13, 20017th Annual Information Security Conference: Securing the Infocosm: Security, Privacy and RiskOrlando, FL, USA.
    June 17 - 22, 200113th Annual Computer Security Incident Handling Conference (FIRST 2001)Toulouse, France

    For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

    Section Editor: Liz Coolbaugh


  • April 19, 2001

    LWN Resources
    Security alerts archive

    Secured Distributions:
    Astaro Security
    Castle
    Engarde Secure Linux
    Immunix
    Kaladix Linux
    NSA Security Enhanced
    Openwall GNU/Linux
    Trustix

    Security Projects
    Bastille
    Linux Security Audit Project
    Linux Security Module
    OpenSSH

    Security List Archives
    Bugtraq Archive
    Firewall Wizards Archive
    ISN Archive

    Distribution-specific links
    Caldera Advisories
    Conectiva Updates
    Debian Alerts
    Kondara Advisories
    Esware Alerts
    LinuxPPC Security Updates
    Mandrake Updates
    Red Hat Errata
    SuSE Announcements
    Turbolinux
    Yellow Dog Errata

    BSD-specific links
    BSDi
    FreeBSD
    NetBSD
    OpenBSD

    Security mailing lists
    Caldera
    Cobalt
    Conectiva
    Debian
    Esware
    FreeBSD
    Kondara
    LASER5
    Linux From Scratch
    Linux-Mandrake
    NetBSD
    OpenBSD
    Red Hat
    Slackware
    Stampede
    SuSE
    Trustix
    turboLinux
    Yellow Dog

    Security Software Archives
    munitions
    ZedZ.net (formerly replay.com)

    Miscellaneous Resources
    CERT
    CIAC
    Comp Sec News Daily
    Crypto-GRAM
    LinuxLock.org
    LinuxSecurity.com
    Security Focus
    SecurityPortal
     

    Next: Kernel

     
    Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
    Linux ® is a registered trademark of Linus Torvalds