Linux Advisory Watch – December 5th 2003


Author: Benjamin D. Thomas

This week, there are several serious vulnerabilities that need to be addressed. Advisories were released for bind, rsync, the Linux kernel, xboard, and gnupg. The distributions include Caldera, Conectiva, Debian, Guardian Digital’s EnGarde Secure Linux, Fedora, FreeBSD, Gentoo, Mandrake, Red Hat, Slackware, SuSE, Trustix, Turbolinux, and Yellow Dog Linux.

When will it end? Last week, the biggest news was the Debian server compromise. After some analysis, it was found that the vulnerability used to compromise those systems also affects nearly all other Linux distributions. After you got your systems patched and thought it was safe to let your guard down, a serious remote rsync vulnerability was made public. What will it be next week, or next month? No one can predict when bugs or exploits will surface, but there is one constant in all of this: vulnerabilities will continue to be uncovered.

Although it is now a cliché that ‘security is a process, not a product,’ the events of the last few weeks further emphasize this point. By now, it should be apparent that many of the systems we are using will never be bug free. Expect bugs, and expect them often! The most important advice anyone can give is: be prepared. What is preparation? Security must be a normal business process. For example, servers should be patched at a consistent interval, a testing environment should be used to ensure that patches do not negatively affect production servers, and someone in the organization should have the responsibility of monitoring news sources for particularly harmful vulnerabilities. For example, if your organization chooses to patch the servers every Tuesday and Friday, but last Monday you were notified that updates were available for the kernel, a special consideration should have been made.

Similarly, there should be processes in the organization for the review of security policies, firewall rules, access control lists, etc. All protection mechanisms should be reviewed by more than one person on a consistent basis. The sooner we can get out of the ‘firefighter’ mentality and approach security as a pure business process, the sooner we will achieve an appropriate level of protection. This week, take time to review the security processes in your organization. Is there a reason for every action taken? When will your servers be updated again? When was the last time the accounts on the system were reviewed?

Until next time, cheers!
Benjamin D. Thomas

LinuxSecurity Feature Extras:

Guardian Digital Launches the First Secure Small Business Internet Productivity Solution

– Guardian Digital, the world’s premier open source Internet security company, announced the availability of Internet Productivity Suite, a comprehensive productivity and security management system. Focused on the increasing requirements of small and medium organizations, this cohesive and highly secure suite of applications combines to protect users from Internet threats while providing the features necessary to operate a complete Internet presence.

OpenVPN: An Introduction and Interview with Founder, James Yonan

– In this article, Duane Dunston gives a brief introduction to OpenVPN and interviews its founder James Yonan.

R00ting The Hacker

– Dan Verton, the author of The Hacker Diaries: Confessions of Teenage Hackers, is a former intelligence officer in the U.S. Marine Corps who currently writes for Computerworld and CNN.com, covering national cyber-security issues and critical infrastructure protection.


Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

Distribution: Caldera
  12/1/2003 Bind: cache poisoning vulnerability

BIND is an implementation of the Domain Name System (DNS) protocols. Successful
exploitation of this vulnerability may result in a temporary denial of service.

http://www.linuxsecurity.com/advisories/caldera_advisory-3826.html

 
 
Distribution: Conectiva
  12/4/2003 rsync: heap buffer overflow

rsync versions prior to 2.5.7 have a heap buffer overflow vulnerability[2]
which can be exploited by remote attackers to execute arbitrary code.

http://www.linuxsecurity.com/advisories/conectiva_advisory-3843.html

 
 
Distribution: Debian
  12/1/2003 Kernel: vulnerability in brk()

Recently multiple servers of the Debian project were compromised using a Debian developer's account and an unknown root exploit. Forensics revealed a burneye-encrypted exploit. Robert van der Meulen managed to decrypt the binary, which revealed a kernel exploit. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space.

http://www.linuxsecurity.com/advisories/debian_advisory-3824.html

 
  12/4/2003 Rsync: heap overflow vulnerability

While this heap overflow vulnerability could not be used by itself to obtain
root access on an rsync server, it could be used in combination with the
recently announced do_brk() vulnerability in the Linux kernel to produce
a full remote compromise.

http://www.linuxsecurity.com/advisories/debian_advisory-3839.html

 
 
Distribution: EnGarde
  12/4/2003 rsync: heap overflow vulnerability

A heap overflow vulnerability has been discovered in all versions of rsync
prior to 2.5.7. This vulnerability, exploitable when rsync is being run
in “server mode”, may allow the attacker to run arbitrary code on the compromised
server.

http://www.linuxsecurity.com/advisories/engarde_advisory-3840.html

 
 
Distribution: Fedora
  12/3/2003 Kernel: crash vulnerability

The kernel shipped with Fedora Core 1 was vulnerable to a bug in the error
return on a concurrent fork() with threaded exit() which could be exploited
by a user level program to crash the kernel.

http://www.linuxsecurity.com/advisories/fedora_advisory-3831.html

 
  12/4/2003 rsync: heap overflow vulnerability

A heap overflow bug exists in rsync versions prior to 2.5.7. On machines
where the rsync server has been enabled, a remote attacker could use this
flaw to execute arbitrary code as an unprivileged user.

http://www.linuxsecurity.com/advisories/fedora_advisory-3844.html

 
  12/4/2003 Xboard: predictable file-write exploit

XBoard 4.2.6 and older contains a script which writes to a file in /tmp
with a predictable filename. Malicious users could use this vulnerability
to force XBoard users to overwrite any file writable by them.

http://www.linuxsecurity.com/advisories/fedora_advisory-3846.html

 
 
Distribution: FreeBSD
  11/29/2003 Bind: negative-cache DoS vulnerability

An attacker may arrange for malicious DNS messages to be delivered to a
target name server, and cause that name server to cache a negative response
for some target domain name. The name server would thereafter respond negatively
to legitimate queries for that domain name, resulting in a denial-of-service
for applications that require DNS.

http://www.linuxsecurity.com/advisories/freebsd_advisory-3820.html

 
 
Distribution: Gentoo
  12/4/2003 Rsync: heap overflow vulnerability

Rsync version 2.5.6 contains a vulnerability that can be used to run arbitrary code. The Gentoo infrastructure team has some reasonably good forensic evidence that this exploit may have been used in combination with the Linux kernel brk vulnerability (see GLSA 200312-02) to exploit an rsync.gentoo.org rotation server (see GLSA-200312-01).

http://www.linuxsecurity.com/advisories/gentoo_advisory-3841.html

 
  12/4/2003 Kernel: buffer overflow vulnerability leading to root

Lack of proper bounds checking exists in the do_brk() kernel function in
Linux kernels prior to 2.4.23. This bug can be used to give a userland program
or malicious service access to the full kernel address space and gain root
privileges. This issue is known to be exploitable.

http://www.linuxsecurity.com/advisories/gentoo_advisory-3842.html

 
 
Distribution: Mandrake
  11/29/2003 GnuPG: serious key vulnerability

Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal
keys for signing. This is a significant security failure which can lead
to a compromise of almost all ElGamal keys used for signing. Note that this
is a real world vulnerability which will reveal your private key within
a few seconds.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3821.html

 
  12/1/2003 Kernel: buffer overflow leading to root

A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous.
A flaw in bounds checking in the do_brk() function can allow a local attacker
to gain root privileges. This vulnerability is known to be exploitable;
an exploit is in the wild at this time.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3825.html

 
 
Distribution: Red Hat
  12/1/2003 kernel: privilege escalation vulnerability

Updated kernel packages are now available that fix a security vulnerability
leading to a possible privilege escalation.

http://www.linuxsecurity.com/advisories/redhat_advisory-3827.html

 
  12/2/2003 Net-SNMP: unauthorized access vulnerability

Updated Net-SNMP packages are available to correct a security vulnerability
and other bugs.

http://www.linuxsecurity.com/advisories/redhat_advisory-3828.html

 
  12/4/2003 rsync: heap overflow

A heap overflow bug exists in rsync versions prior to 2.5.7. On machines
where the rsync server has been enabled, a remote attacker could use this
flaw to execute arbitrary code as an unprivileged user.

http://www.linuxsecurity.com/advisories/redhat_advisory-3845.html

 
 
Distribution: Slackware
  12/3/2003 Kernel: buffer overflow leading to root

New kernels are available for Slackware 9.1 and -current. These have been
upgraded to Linux kernel version 2.4.23, which fixes a bug in the kernel’s
do_brk() function that could be exploited to gain root privileges.

http://www.linuxsecurity.com/advisories/slackware_advisory-3830.html

 
  12/4/2003 Rsync: heap overflow vulnerability

A security problem which may lead to unauthorized machine access or code
execution has been fixed by upgrading to rsync-2.5.7. This problem only
affects machines running rsync in daemon mode, and is easier to exploit
if the non-default option “use chroot = no” is used in the /etc/rsyncd.conf
config file.

http://www.linuxsecurity.com/advisories/slackware_advisory-3835.html

 
  12/4/2003 Rsync: heap overflow vulnerability

A security problem which may lead to unauthorized machine access or code execution has been fixed by upgrading to rsync-2.5.7. This problem only affects machines running rsync in daemon mode, and is easier to exploit if the non-default option “use chroot = no” is used in the /etc/rsyncd.conf config file.

http://www.linuxsecurity.com/advisories/slackware_advisory-3838.html
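The Slackware entries above name the one configuration setting (“use chroot = no”) that makes the rsync hole easier to exploit, and the same two version thresholds (rsync 2.5.7, kernel 2.4.23) recur through this week's advisories. The POSIX shell audit helper below is an added example written for this page, not Slackware's or any other distribution's code: it flags an old kernel, an old rsync, and an rsyncd.conf that disables chroot in any module. The two rsyncd.conf fragments it embeds are constructed samples (the weak setting beside the corrected one), and the `audit_host` function assumes `uname -r` and `rsync --version` exist and that the version is the third field of the first line of `rsync --version` output.

```shell
#!/bin/sh
# Added audit helper (not from the newsletter or any vendor advisory).
# Flags the three conditions this week's advisories describe:
#   1. a kernel older than 2.4.23 (missing do_brk() bounds check),
#   2. an rsync older than 2.5.7 (heap overflow in daemon mode),
#   3. an rsyncd.conf running the daemon with the non-default "use chroot = no".

# version_lt A B: exit 0 when dotted version A is older than B.
# Trailing non-numeric suffixes ("-pre1", "-8smp") are ignored, so a
# vendor kernel string such as 2.4.20-8smp compares as 2.4.20.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0   # missing components count as 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# rsyncd_chroot_disabled FILE: exit 0 when FILE explicitly sets
# "use chroot" to no/false/0 in the global section or in any module.
# rsync's default is yes, so an absent key is treated as safe.
# Comment lines (starting with # or ;) are skipped first.
rsyncd_chroot_disabled() {
    grep -v '^[[:space:]]*[#;]' "$1" 2>/dev/null |
        grep -Eiq '^[[:space:]]*use[[:space:]]+chroot[[:space:]]*=[[:space:]]*(no|false|0)[[:space:]]*$'
}

# audit_host [RSYNCD_CONF]: print one line per finding on the running host.
# Assumes uname -r and rsync --version, whose first line reads
# "rsync  version X.Y.Z  protocol version N", are available.
audit_host() {
    conf=${1:-/etc/rsyncd.conf}
    kver=$(uname -r)
    if version_lt "$kver" 2.4.23; then
        echo "kernel $kver is older than 2.4.23: confirm your vendor package carries the do_brk() fix"
    fi
    rver=$(rsync --version 2>/dev/null | awk 'NR == 1 { print $3 }')
    if [ -n "$rver" ] && version_lt "$rver" 2.5.7; then
        echo "rsync $rver is older than 2.5.7: upgrade, or stop the rsync daemon until you do"
    fi
    if rsyncd_chroot_disabled "$conf"; then
        echo "$conf sets 'use chroot = no': re-enable chroot for every module"
    fi
}

# Constructed sample configurations (not taken from any real host), used by
# the self-check below; they show the weak setting beside the corrected one.
SAMPLE_WEAK_CONF="${TMPDIR:-/tmp}/rsyncd-weak.$$"
SAMPLE_FIXED_CONF="${TMPDIR:-/tmp}/rsyncd-fixed.$$"
trap 'rm -f "$SAMPLE_WEAK_CONF" "$SAMPLE_FIXED_CONF"' EXIT
cat > "$SAMPLE_WEAK_CONF" <<'EOF'
pid file = /var/run/rsyncd.pid
[mirror]
    path = /srv/mirror
    read only = yes
    use chroot = no
EOF
cat > "$SAMPLE_FIXED_CONF" <<'EOF'
pid file = /var/run/rsyncd.pid
[mirror]
    path = /srv/mirror
    read only = yes
    use chroot = yes
    ; use chroot = no   (a commented-out line must not be flagged)
EOF

# self_check: exit 0 when the helpers behave as documented on known inputs.
self_check() {
    version_lt 2.4.22 2.4.23 &&
    ! version_lt 2.4.23 2.4.23 &&
    version_lt 2.5.6 2.5.7 &&
    rsyncd_chroot_disabled "$SAMPLE_WEAK_CONF" &&
    ! rsyncd_chroot_disabled "$SAMPLE_FIXED_CONF"
}

# Usage: sh audit.sh   (runs the self-check, then audits this host)
self_check && echo "self-check passed" && audit_host
```

A version string older than the threshold is a prompt to look at the vendor's package, not proof of exposure: distributions that backport fixes keep the old upstream version number, so the authoritative check is the advisory for your distribution listed in this issue. The chroot check, by contrast, is exact, because it reads the setting the Slackware advisory names.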

 
 
Distribution: SuSE
  11/29/2003 BIND: negative cache vulnerability and many others

The BIND8 code is vulnerable to a remote denial-of-service attack by poisoning
the cache with authoritative negative responses that should not be accepted
otherwise. To execute this attack a name-server needs to be under malicious
control and the victim’s bind8 has to query this name-server.

http://www.linuxsecurity.com/advisories/suse_advisory-3822.html

 
  12/3/2003 GnuPG: multiple vulnerabilities

Two independent errors have been found in gpg (GnuPG) packages as shipped
with SUSE products: A) A format string error in the client code that does
key retrieval from a (public) key server B) A cryptographic error in gpg
that results in a compromise of a cryptographic keypair if ElGamal signing
keys have been used for generating the key.

http://www.linuxsecurity.com/advisories/suse_advisory-3832.html

 
  12/4/2003 Kernel: local root exploit

This security update fixes a serious vulnerability in the Linux kernel. A missing bounds check in the brk() system call allowed processes to request memory beyond the maximum size allowed for tasks, causing kernel memory to be mapped into the process’ address space. This allowed local attackers to obtain super user privileges. An exploit for this vulnerability is circulating in the wild, and has been used to compromise OpenSource development servers.

http://www.linuxsecurity.com/advisories/suse_advisory-3836.html

 
  12/4/2003 Rsync: heap overflow vulnerability

Due to insufficient integer/bounds checking in the server code, a heap overflow can be triggered remotely to execute arbitrary code. This code does not get executed as root and access is limited to the chroot environment. The chroot environment may be broken afterwards by abusing further holes in system software or holes in the chroot setup.

http://www.linuxsecurity.com/advisories/suse_advisory-3837.html

 
 
Distribution: Trustix
  11/28/2003 bind: cache poisoning vulnerability

A vulnerability has been found in BIND that “.. allows an attacker to conduct
cache poisoning attacks on vulnerable name servers by convincing the servers
to retain invalid negative responses.”

http://www.linuxsecurity.com/advisories/trustix_advisory-3819.html

 
  12/1/2003 Kernel: buffer overflow leading to root

This update fixes an issue related to bounds checking in the do_brk() function in the Linux kernel versions 2.4.22 and previous. This issue is known to be exploitable to gain root privileges.

http://www.linuxsecurity.com/advisories/trustix_advisory-3823.html

 
  12/4/2003 rsync: heap overflow vulnerability

All versions of rsync prior to 2.5.7 contain a heap overflow that can be used to execute arbitrary code remotely.

http://www.linuxsecurity.com/advisories/trustix_advisory-3833.html

 
 
Distribution: Turbolinux
  11/28/2003 Multiple package updates

fileutils, fetchmail, postgresql, cups, and ethereal have been updated to
address security vulnerabilities.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-3818.html

 
  12/3/2003 Kernel: buffer overflow leading to root

The kernel package contains the Linux kernel (vmlinuz), the core of your Linux operating system. A flaw in bounds checking in the do_brk() function in the Linux kernel may allow local users to gain root privileges.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-3829.html

 
 
Distribution: Yellow Dog
  12/4/2003 Kernel: buffer overflow leading to root

A flaw in bounds checking in the do_brk() function in the Linux kernel versions
2.4.22 and previous can allow a local attacker to gain root privileges.
This issue is known to be exploitable; an exploit has been seen in the wild
that takes advantage of this vulnerability.

http://www.linuxsecurity.com/advisories/yellowdog_advisory-3834.html
