April 9, 2004

Linux Advisory Watch - April 9, 2004

Author: Benjamin D. Thomas

This week, advisories were released
for the Linux kernel, interchange, fte, sysstat, oftpd, squid, heimdal, tcpdump,
portage, kde, tcpdump, sysstat, ClamAV, Automake, and mplayer. The distributors
include Debian, Gentoo, Mandrake, and Turbolinux.

Recently, I stumbled across a relatively
new tool called AFICK. It stands for Another File Integrity CHecker. It is similar
to both Tripwire and AIDE. AFICK is GPLed and completely written in PERL. It
is extremely flexible has been tested on a wide range of Linux, Windows, and
Unix system. According to the AFICK project website, it has a decent performance
advantage over AIDE. However, I have not independently verified this. If you're
looking for a new toy to play with, I recommend giving it a try.

Installing and using AFICK is a
piece of cake. The core piece of code is command line based. A perl-based GUI
and webmin module is also available for easy administration. AFICK is available
as an independent tar.gz, zip, RPM, and Debian package. It is good idea to take
a look at the afick.conf file before attempting to execute the script.

AFICK can be used with only a few
simple commands. To use AFICK, an OS configuration file must be specified and
then your system initialized. This can be done with the following command:

# afick.pl -c linux.conf
-i

During the initialization process
it builds a database of checksums for all files on your system. Next, to compare
the checksums of your files and the values stored in the database, run the following
command:

# afick.pl -c linux.conf
-k

After making changes to a system,
it is necessary to update the checksum database. Updating is also easy:

# afick.pl -c linux.conf
-u

As with all integrity checking software,
it is advisable to create a cron-job that will compare the files checksums with
a database at a regular interval. Also, the integrity of the database is very
important. If this is compromised, further changes to the system may go undetected.
Write protected media can be used to help this problem.

While the commands above may seem
simple, its functionality is not limited to those alone. A full listing of command
line option are available on the AFICK website:

http://afick.sourceforge.net/man.html

 

Until next time, cheers!
Benjamin D. Thomas

 

LinuxSecurity
Feature Extras:

Next
Generation Internet Defense & Detection System

- Guardian Digital has announced the first fully open source system designed
to provide both intrusion detection and prevention functions. Guardian Digital
Internet Defense & Detection System (IDDS) leverages best-in-class open
source applications to protect networks and hosts using a unique multi-layered
approach coupled with the security expertise and ongoing security vigilance
provided by Guardian Digital.

Interview
with Siem Korteweg: System Configuration Collector

- In this interview we learn how the System Configuration Collector (SCC)
project began, how the software works, why Siem chose to make it open source,
and information on future developments.

Security:
MySQL and PHP

- This is the second installation of a 3 part article on LAMP (Linux Apache
MySQL PHP). In order to safeguard a MySQL server to the basic level, one has
to abide by the following guidelines.

[ Linux
Advisory Watch
] - [ Linux
Security Week
] - [ PacketStorm
Archive
] - [ Linux Security
Documentation
]

 

Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.

[ Subscribe
]

 
Distribution: Debian
  4/5/2004 kernel
    2.4 mips/pa-risc
Privilege escalation vulnerabilities

Herein is combined the Debian advisories for the same kernel bugs on both
the mips and pa-risc platforms.

Debian advisory 4190

 
  4/5/2004 interchange
    Missing
input sanitation

This vulnerability can be exploited by an attacker to expose the content
of arbitrary variables.

Debian advisory 4191

 
  4/5/2004 fte
    Multiple
buffer overflow vulnerabilities

This patch removes setuid root from vfte, which has a number of known buffer
overflows.

Debian advisory 4192

 
  4/5/2004 sysstat
    Insecure
temporary file vulnerability

As usual for temporary file vulnerabilities, this allows local users to
read/overwrite arbitrary files with the permissions of the running user.


Debian advisory 4193

 
  4/5/2004 oftpd
    Denial
of service vulnerability

A remote attacker could cause the oftpd process to crash by specifying a
large value in a PORT command.

Debian advisory 4194

 
  4/5/2004 squid
    ACL bypass
vulnerability

A URL can be crafted to be ignored (and automatically pass) by Squid's ACL
system.

Debian advisory 4195

 
  4/6/2004 heimdal
    Cross-realm
impersonation vulnerability

Patch fixes an error which allows someone with control over a realm to impersonate
anyone in the cross-realm trust path.

Debian advisory 4197

 
  4/6/2004 xine-ui
Insecure temporary file vulnerability
    Cross-realm
impersonation vulnerability

Bug allows attacker to read/write arbitrary files with the permissions of
the program user.

Debian advisory 4198

 
  4/7/2004 tcpdump
    Denial
of service vulnerability

Crafted invalid ISAKMP packets can remotely crash tcpdump.

Debian advisory 4203

 
 
Distribution: Gentoo
  4/6/2004 Portage
    Insecure
temporary file vulnerability

Exploitation of this bug could allow an attacker to wipe out the contents
of an arbitrary file.

Gentoo advisory 4199

 
  4/6/2004 kde
    Buffer
overflow vulnerability

KDE-PIM may be vulnerable to a remote buffer overflow attack that may allow
unauthorized access to an affected system.

Gentoo advisory 4200

 
  4/6/2004 tcpdump
    Multiple
buffer overflows

Attacker could exploit this to execute arbitrary code with the permissions
of the 'pcap' user.

Gentoo advisory 4201

 
  4/7/2004 sysstat
    Multiple
vulnerabilities

Multiple vulnerabilities may allow an attacker to execute arbitrary code
or overwrite arbitrary files.

Gentoo advisory 4204

 
  4/7/2004 ipsec-tools
Key non-verification vulnerability
    Multiple
vulnerabilities

racoon (a utility in the ipsec-tools package) does not verify digital signatures
on Phase1 packets.

Gentoo advisory 4207

 
  4/7/2004 util-linux
Information leak vulnerability
    Multiple
vulnerabilities

Due to a pointer error, the 'login' program might leak sensitive information.


Gentoo advisory 4208

 
  4/7/2004 ClamAV
    Denial
of service vulnerability

ClamAV is vulnerable to a denial of service attack when processing certain
RAR archives.

Gentoo advisory 4209

 
  4/8/2004 Automake
    Symbolic
link vulnerability

Automake may be vulnerable to a symbolic link attack which may allow an
attacker to modify data or elevate their privileges.

Gentoo advisory 4210

 
 
Distribution: Mandrake
  4/6/2004 mplayer
    Buffer
overflow vulnerability

Exploitation could result in the execution of arbitrary code with the permissions
of the user.

Mandrake advisory 4202

 
  4/7/2004 fileutils/coreutils
Denial of service vulnerability
    Buffer
overflow vulnerability

'ls' can be made to segfault upon listing directories with large numbers
of files on an amd64 platform.

Mandrake advisory 4205

 
 
Distribution: Turbolinux
  4/7/2004 apache/httpd/libxml2/mod_python
Multiple vulnerabilities
    Buffer
overflow vulnerability

Many fixes for buffer overflows and DOS attacks.

Turbolinux advisory 4206

 

Category:

  • Security
Click Here!