[LWN Logo]
[LWN.net]

Sections:
 Main page
 Security
 Kernel
 Distributions
 On the Desktop
 Development
 Commerce
 Linux in the news
 Announcements
 Linux History
 Letters
All in one big page

See also: last week's Security page.

Security


News and Editorials

The responsibility of the individual. While not laying blame on individuals for security problems, two articles this week took a look at educating non-experts about what they can do to help. The Defense Department talked about simple things to do to make life harder for the bad guys. "Use different passwords at Web sites and on every machine you use. Reject all site and system offers to "remember" you and your password. Bad guys know many people use just one password, so attacking an easily hacked site gives them "skeleton keys" to tough ones".

Meanwhile, a survey of British employees took a look at bad password practices. "The survey, conducted by UK domain registry CentralNic, revealed that nearly half of the workers polled use their own name or a nickname and a third used a favorite sports team or celebrity for their passwords". This is one lesson we've seen taught over and over again for the past twenty years. Yet there are still people who haven't heard it yet.

Multi-nation cybercrime pact gets OK (ZDNet). ZDNet's Robert Lemos reported on ratification of the Convention on Cyber-Crime by a committee on crimes for the Council of Europe. "Last month, the European Committee on Crime Problems bowed to pressure from international rights groups and included some provisions in the treaty to limit surveillance to criminal investigations and added some safeguards to civil liberties. But it's still not enough, [James X.] Dempsey said. 'Unfortunately, it remains a fundamentally imbalanced document,' he said".

Ethics challenge' softens hacker con (SecurityFocus). SecurityFocus reports on a planned CyberEthical Surfivor, a new challenge planned for this year's Def Con Nine conference, being held July 13th through the 15th in Las Vegas, Nevada, USA. "CyberEthical Surfivor will pit two teams of nine hackers head-to-head in a public struggle with weighty moral decisions. Example: You are seventeen-years-old, about to graduate to an Ivy League university when a vindictive teacher monkey-wrenches your academic dreams by wrongly flunking you on a final exam. The Principal won't listen to you. Should you crack the school's computer and give yourself the grade you deserve?"

Security Reports

Nasty Samba security hole. The Samba team sent out an urgent security advisory regarding a remotely-exploitable hole in all versions of the code. The security hole involves the use of the '%m' macro in /etc/smb.conf. Replacing '%m' with '%I' is one possible workaround. Note that not all distributions are vulnerable by default. Nonetheless, the Samba team has made patches available and an upgrade is strongly recommended, since this can potentially be exploited to overwrite a Samba log file to gain root access.

The vulnerability was originally found and reported by Michal Zalewski.

OpenSSH PAM session evasion vulnerability. Christian Kraemer reported that OpenSSH fails to call pam_open_session if no pty is used. As a result, on a system where PAM is used to enforce additional login restrictions, OpenSSH can be used to evade such restrictions. OpenSSH 2.9p1 and earlier are reported vulnerable. Check BugTraq ID 2917 for more details.

Portable OpenSSH team member Damien Miller acknowledged the problem, which was introduced because some PAM modules on some platforms "fail utterly or perform in unpredictable ways" when called without a controlling terminal. Meanwhile, the call to pam_open_session has been reintroduced in CVS and will be included in the next stable release.

SGI Performance Co-Pilot (pmpost) symbolic link vulnerability. SGI Performance Co-Pilot is a product originally developed by SGI for use on IRIX systems. However, SGI has Open Sourced the product under the GPL and it is available for Linux systems.

A symbolic link vulnerability has been reported in pmpost, one of the utilities shipped with Performance Co-Pilot. An exploit has been published. The problem can be resolved either by removing the setuid bit from pmpost or by upgrading to Performance Co-Pilot version 2.2.1-3.

ePerl preprocessor input validation vulnerability. ePerl, also known as Embedded Perl, expands Perl 5 programming statements within text files. It can be used as a filter to generate files or as a webserver scripting language.

David Madison reported that all C-based versions of ePerl, including the current versions 2.2.14, appeared to be vulnerable to an input verification vulnerability. When including untrusted files, ePerl fails to prevent such files from, in turn, including additional files without filtering perl commands from such files. Workarounds for the problem exist. Alternately, David suggested using the perl-based ePerl instead of the C-based version.

w3m buffer overflow vulnerability. w3m is a text-based browser similar to Lynx. A buffer overflow in w3m can be triggered when a base-64 encoded string longer than 32 characters is found in a MIME header field. Source code patches to fix the problem were posted to the w3m developers' list.

cfingerd buffer overflow and format string vulnerabilities. Both a buffer overflow and a format string vulnerability were reported this week in cfingerd by Steven Van Acker, who also provided unofficial patches for resolving the problems. These vulnerabilities can be exploited locally to gain elevated privileges, possibly including root access. Check BugTraq ID 2914 for more details.

scotty (ntping) buffer overflow. Scotty is a Tcl-based network management package. A buffer overflow has been reported in ntping, a component of scotty. This can be exploited locally to execute arbitrary code. Scotty 2.1.10 and earlier are vulnerable; scotty 2.1.11 has been released with a fix for the problem.

eXtremail remote format string vulnerability. eXtremail, a freeware SMTP/POP3 mailserver (free to use, no specific license, no source found) has been reported to contain a remotely-exploitable format string vulnerability. eXtremail runs currently on Linux and AIX. It runs as root, so this vulnerability can be used by a remote attacker to gain root access on the local server running eXtremail. An exploit has been published. eXtremail 1.1.9 and earlier are affected; a binary version of eXtremail 1.1.10 has been made available to resolve the problem on Linux; no AIX version as of yet. Disabling the service is recommended until an upgrade is in place.

LPRng + tetex tmplink vulnerability. Reported in Bug ID #43342 in Red Hat's Bugzilla, when both LPRng and tetex are installed, a tmplink vulnerability is created in Red Hat 7.0 and 7.1 that can result in a local attacker gaining elevated privileges. A patch is currently in Red Hat's Rawhide distribution; no advisory has been released so far. Check this posting for additional details. It is not known whether or not this might impact other distributions.

GNATS-Web input verification vulnerability. GNATS-Web is a PHP-based interface for the GNATS open-source bug-tracking and problem-accounting system. Joost Pol has reported a vulnerability in gnatsweb where the name of a help file could be provided via a URL, but the input was not properly checked before being used. The problem was acknowledged by the GNATS-Web team and patches provided.

web scripts. The following web scripts were reported to contain vulnerabilities:

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

  • Symbol Technologies Firmware, embedded in a variety of Wireless Access Points, can be made to disclose the WEP key from a wired network interface using an SNMP query. This could allow the wireless network to be sniffed or accessed without authorization. Upgrades for the firmware are reported to be "forthcoming".

  • A similar problem has also been reported with wireless products using the Atmel chipset, including the Netgear ME102 1.3 and the Linksys WAP11 1.3. SNMP access can, by default, be acquired by remote attackers and used to gather information. Firmware versions 1.4 for the two products are not vulnerable, so an upgrade will resolve the problem.

  • DCForum's DCShop, a CGI-based e-commerce system, has been reported to contain a file disclosure vulnerability in a beta version of the product that may disclose credit card information and/or the administrator login and password. The vendor has issued an advisory recommending that the beta version be used by developers only, not on commercial deployments.

  • Cisco has released an advisory warning of an authorization vulnerability in their IOS HTTP server. The HTTP server can be used, under some circumstances, to bypass authorization and take control of the device. Cisco IOS releases 11.3 and later are affected. Patches and upgrades have been made available to resolve the problem; until they are installed, the HTTP server should be disabled. BugTraq ID 2936.

  • Cisco also reported that all of their routers and switches running Cisco IOS, Catalyst 6000 switches running CatOS and the Cisco PIX firewall are running vulnerable versions of SSH based on the 1.X protocol. Exploiting weaknesses in the protocol, arbitrary commands can be inserted into existing SSH sessions, unauthorized information can be collected and the session key may be brute-forced. Updated software is available for all products to resolve the problems.

  • Kaspersky AntiVirus (KAV), an anti-viral add-on for sendmail, has been reported to be vulnerable to a format string vulnerability which can be exploited to cause a denial-of-service and possibly execute code with elevated privileges. Kaspersky Lab has patches available; contact support@kaspersky.com to get them.

Updates

fetchmail buffer overflow. Check the June 21st LWN Security Summary for the original report. This is remotely exploitable and could lead to root access if fetchmail is run by root. An upgrade to fetchmail 5.8.6 will resolve the problem.

This week's updates:

Previous updates:

rxvt buffer overflow. Check the June 21st LWN Security Summary for the original report from Samuel "Zorgon" Dralet. A patch is available to fix the problem.

This week's updates:

Previous updates:

XFree86 X font server (xfs) denial-of-service vulnerability. Check the June 14th LWN Security Summary for the original report. This is only applicable to font servers that are listening to TCP/IP, which is likely only the case for a machine that is serving X terminals.

This week's updates:

  • Red Hat, updates to XFree86 3.3.6 for Red Hat 6.2, 7.0 and 7.1

exim format string vulnerability. Check the June 14th LWN Security Summary for the original report.

This week's updates:

Previous updates:

ispell symbolic link vulnerabilities. Check the June 7th LWN Security Summary for the original report.

This week's updates:

Previous updates:

gnupg format string vulnerability. Check the May 31st LWN Security Summary for the initial report. gnupg 1.0.5 and earlier are vulnerable; gnupg 1.0.6 contains a fix for this problem and an upgrade is recommended. Werner Koch also sent out a note warning of minor build problems with gnupg 1.0.6 when compiled without gcc.

This week's updates:

Previous updates:

KDEsu tmplink vulnerability. Check the May 3rd LWN Security summary for details. Fixes for the problem are included in kdelibs-2.1.2. The KDE Project recommends an upgrade both to kdelibs-2.1.2 and to KDE 2.1.1.

This week's updates:

Previous updates:

Linux Kernel 2.4 Netfilter/IPTables vulnerability. Check the April 19th LWN Security Summary for the original report. The NetFilter team has provided a patch for Linux 2.4.3. Note that the patch may be subject to future revision; a URL is provided where the latest version can be found.

This week's updates:

  • Red Hat, 7.1, default configuration not vulnerable
Previous updates:

Samba local disk corruption vulnerability. Check the April 19th LWN Security Summary for the original report. This problem has been fixed in Samba 2.0.9 and an upgrade is recommended. Note that all versions of Samba from (and including) 1.9.17alpha4 are vulnerable (except 2.0.9, of course). BugTraq ID 2617.

Note that 2.0.8 was originally believed to fix this problem, but did not. As a result, some of the original distribution updates had to be re-released with 2.0.9. Samba 2.2.0 users are not affected by this problem.

This week's updates:

Previous updates:

Apache directory listing error. Check the March 8th LWN Security Summary for the initial report. Apache 1.3.18 and earlier are vulnerable; Apache 1.3.19 contains a fix for the problem.

This week's updates:

Previous reports:

ncurses buffer overflow. Check the October 12th, 2000 LWN Security Summary for the initial report of this problem. Note that the buffer overflow impacts applications linked against ncurses. Such applications must be relinked against a fixed ncurses or curses library.

This week's updates:

Previous updates:

esound tmpfile link vulnerability. Check the September 7th LWN Security Summary for the original report of this problem from FreeBSD.

This week's updates:

Previous updates:

Resources

  • samhain 1.2.2 was released this week and is reported to include major bugfixes.

  • Geoff Galitz released a white-paper entitled Rootkits: Hiding a Successful System Compromise. "We will discuss, in general terms, what a rootkit is and the principle of operation. We will not discuss any particular rootkit in detail, except where certain modules are noteworthy".

.

Events

Final Reminder: Black Hat Briefings. A final reminder for the Black Hat Briefings 2001 USA, scheduled for July 9th through the 12th in Las Vegas, Nevada, USA, was sent out this week. "This year's topics include: Reverse Engineering, the Honey Net Project, the CVE, 802.11b WEP security, ICMP scanning, SQL security configuration, GSM and WAP security, and more".

Upcoming Security Events.
Date Event Location
July 11 - 12, 2001Black Hat Briefings USA '01Las Vegas, Nevada, USA.
July 17, 2001The Open Group Security Forum briefingAustin, Texas
August 6 - 10, 2001CERT Conference 2001Omaha, NE, USA.
August 7, 2001CIBC World Markets First Annual Security & Privacy ConferenceNew York, NY, USA.
August 13 - 17, 200110th USENIX Security Symposium 2001 ConferenceWashington, D.C.
August 13 - 17, 2001HAL2001Enschede, The Netherlands

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


June 28, 2001

LWN Resources
Security alerts archive

Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal
 

Next: Kernel

 
Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds