January 9, 2004

Linux Advisory Watch - January 9, 2004

Author: Benjamin D. Thomas

This week, advisories were released for the Linux kernel, lftp, ethereal, screen, BIND, libnids, mpg321, nd, jabber, zebra, fsp, and vbox3. The distributors include Conectiva, Debian, Guardian Digital EnGarde Secure Linux, Fedora, Immunix, Mandrake, Openwall, Red Hat, Slackware, SuSE, Trustix, and Turbolinux.

One of the greatest indicators of unauthorized system activity is logging. However, after a compromise the integrity of the logs often comes into question. Depending on the extent of an attack, logs could have been deleted, modified, or flooded. More knowledgeable attackers possess the skills necessary to cover their tracks and make any forensic investigation virtually impossible.

Administrators who have external intrusion detection sensors will have some advantage and additional information to aid an investigation, but nothing takes the place of accurate system logs. It is possible to have the best of both worlds by setting up an external logging server. Msyslog gives system administrators the ability to send syslog messages to an external database, so logs from multiple servers can reside on a single hardened machine. This gives administrators the advantage of being able to focus all of their efforts on a single location. The benefit depends on the loghost being locked down more tightly than the machines it collects from, and on each message leaving its host before an intruder has the chance to tamper with it.

In addition to log integrity problems, administrators are often fed too much data. If logging is too verbose, real anomalies are easily overlooked. Feeding all logs into a central database also reduces this problem: with additional software or SQL queries it becomes easier to find correlations and anomalies across multiple servers. Taking it a step further, one could automate the log analysis process and alert the administrator only when there is a major problem.
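The central-database approach described above, carried through as an added example (this is not code from the newsletter or from msyslog): a handful of constructed syslog lines from three hosts are parsed into one SQLite table, and two SQL queries then do the cross-server correlation the paragraph mentions, flagging a source address that fails SSH logins on several hosts and a login that succeeds after a burst of failures from the same address. Assumptions: classic BSD syslog line format, sshd's "Failed/Accepted password" message wording, SQLite standing in for the MySQL database msyslog would feed, and the year 2004 for the timestamps (syslog lines carry no year).

```python
"""Central syslog store with cross-host correlation queries (added example)."""
import re
import sqlite3
from datetime import datetime

# Constructed sample lines, as if three hosts had forwarded them to one loghost.
SAMPLE_LOGS = """\
Jan  8 03:12:01 web1 sshd[2041]: Failed password for root from 10.9.8.7 port 41022 ssh2
Jan  8 03:12:03 web1 sshd[2041]: Failed password for root from 10.9.8.7 port 41023 ssh2
Jan  8 03:12:05 web1 sshd[2041]: Failed password for admin from 10.9.8.7 port 41024 ssh2
Jan  8 03:12:09 web2 sshd[1877]: Failed password for root from 10.9.8.7 port 41031 ssh2
Jan  8 03:12:11 web2 sshd[1877]: Failed password for root from 10.9.8.7 port 41032 ssh2
Jan  8 03:13:40 db1 sshd[990]: Failed password for oracle from 10.9.8.7 port 41040 ssh2
Jan  8 03:14:02 db1 sshd[990]: Accepted password for oracle from 10.9.8.7 port 41041 ssh2
Jan  8 03:15:00 web1 CRON[2100]: (root) CMD (run-parts /etc/cron.hourly)
Jan  8 03:20:17 web2 sshd[1902]: Failed password for bob from 192.168.1.50 port 55000 ssh2
Jan  8 03:20:30 web2 sshd[1903]: Accepted password for bob from 192.168.1.50 port 55001 ssh2
"""

# BSD syslog: "Mon dd hh:mm:ss host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# sshd authentication result lines (assumed wording).
AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_line(line, year=2004):
    """Turn one syslog line into a row tuple; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    outcome = user = ip = None
    a = AUTH_RE.match(m["msg"]) if m["prog"] == "sshd" else None
    if a:
        outcome, user, ip = a["outcome"], a["user"], a["ip"]
    return (ts.strftime("%Y-%m-%d %H:%M:%S"), m["host"], m["prog"],
            int(m["pid"]) if m["pid"] else None, m["msg"], outcome, user, ip)


def build_db(text):
    """Load forwarded lines into one table: the 'single hardened machine'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE logs (ts TEXT, host TEXT, program TEXT, pid INTEGER,
                    message TEXT, outcome TEXT, username TEXT, src_ip TEXT)""")
    rows = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    conn.executemany("INSERT INTO logs VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def cross_host_bruteforce(conn, min_hosts=2):
    """Sources with failed SSH logins on at least min_hosts distinct hosts."""
    return conn.execute("""
        SELECT src_ip, COUNT(DISTINCT host) AS hosts, COUNT(*) AS failures, MIN(ts), MAX(ts)
        FROM logs WHERE program = 'sshd' AND outcome = 'Failed'
        GROUP BY src_ip HAVING hosts >= ? ORDER BY failures DESC""", (min_hosts,)).fetchall()


def success_after_failures(conn, min_failures=3, window_minutes=10):
    """Accepted logins preceded, on any host, by a burst of failures from the same source."""
    return conn.execute("""
        SELECT * FROM (
            SELECT a.host, a.username, a.src_ip, a.ts,
                   (SELECT COUNT(*) FROM logs f
                    WHERE f.program = 'sshd' AND f.outcome = 'Failed' AND f.src_ip = a.src_ip
                      AND f.ts < a.ts AND f.ts >= datetime(a.ts, ?)) AS prior_failures
            FROM logs a WHERE a.program = 'sshd' AND a.outcome = 'Accepted')
        WHERE prior_failures >= ? ORDER BY ts""",
        (f"-{window_minutes} minutes", min_failures)).fetchall()


def alerts(text):
    """Run both checks and return one alert line per finding."""
    conn = build_db(text)
    out = []
    for ip, hosts, fails, first, last in cross_host_bruteforce(conn):
        out.append(f"{ip}: {fails} failed SSH logins on {hosts} hosts between {first} and {last}")
    for host, user, ip, ts, prior in success_after_failures(conn):
        out.append(f"{host}: '{user}' accepted from {ip} at {ts} after {prior} earlier failures")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOGS):
        print(line)
```

Run as a script it prints two alerts. The thresholds (two hosts, three failures in ten minutes) are arbitrary starting points; the second query is the one worth automating, since a single successful login after a burst of failures is exactly the event that disappears in verbose per-host logs but stands out once every host's lines sit in one table.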

Managing logs effectively is no easy task, and extracting information from gigabytes of data is harder still. We have a very valuable resource at our fingertips. Start using your logs; they can give a remarkably clear picture of the state of a network.

More information on using syslog with MySQL and PHP can be found here.

Until next time, cheers!
Benjamin D. Thomas

Feature Extras:

Linux Security Effectively in 2004

- This article examines the process of proper Linux security management in
2004. First, a system should be hardened and patched. Next, a security routine
should be established to ensure that all new vulnerabilities are addressed.
Linux security should be treated as an evolving process.

OSVDB - An Independent and Open Source Vulnerability Database

- This article outlines the origins, purpose, and future of the Open Source
Vulnerability Database project. Also, we talk with Tyler Owen, a major



Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.


Distribution: Conectiva
  1/5/2004 kernel: Privilege escalation vulnerability

Paul Starzetz from iSEC Security Research reported another vulnerability
in the Linux memory management code which can be used by local attackers
to obtain root privileges or cause a denial of service condition (DoS).


  1/6/2004 lftp: Buffer overflow vulnerability

Ulf Härnhammar reported two buffer overflow vulnerabilities in the lftp
program. An attacker could prepare a directory on a server which, if accessed
with a vulnerable lftp using the "ls" or "rels" command, could cause arbitrary
code to be executed on the client.


  1/7/2004 ethereal: Denial of Service vulnerability

When reading crafted data, Ethereal will crash.


Distribution: Debian
  1/5/2004 ethereal: Denial of service attack

A heap-based buffer overflow allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via the SOCKS dissector.


  1/5/2004 lftp: Buffer overflow vulnerability

An attacker could create a carefully crafted directory on a website so that
the execution of an 'ls' or 'rels' command would lead to the execution of
arbitrary code on the client machine.


  1/5/2004 screen: Privilege leak vulnerability

Timo Sirainen reported a vulnerability in screen, a terminal multiplexer
with VT100/ANSI terminal emulation, that can allow an attacker to gain group
utmp privileges.


  1/6/2004 BIND: Negative cache poisoning vulnerability

A vulnerability was discovered in BIND, a domain name server, whereby a
malicious name server could return authoritative negative responses with
a large TTL (time-to-live) value, thereby rendering a domain name unreachable.
A successful attack would require that a vulnerable BIND instance submit
a query to a malicious nameserver.


  1/6/2004 libnids: Buffer overflow vulnerability

A vulnerability was discovered in libnids, a library used to analyze IP
network traffic, whereby a carefully crafted TCP datagram could cause memory
corruption and potentially execute arbitrary code with the privileges of
the user executing a program which uses libnids (such as dsniff).


  1/6/2004 mpg321: Format string vulnerability

A vulnerability was discovered in mpg321, a command-line mp3 player, whereby
user-supplied strings were passed to printf(3) unsafely. This vulnerability
could be exploited by a remote attacker to overwrite memory, and possibly
execute arbitrary code.


  1/6/2004 nd: Buffer overflow vulnerability

Multiple vulnerabilities were discovered in nd, a command-line WebDAV interface,
whereby long strings received from the remote server could overflow fixed-length
buffers. This vulnerability could be exploited by a remote attacker in control
of a malicious WebDAV server to execute arbitrary code if the server was
accessed by a vulnerable version of nd.


  1/6/2004 kernel: Privilege escalation vulnerability

Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux
kernel (present in versions 2.2.x, 2.4.x and 2.6.x) which may allow a local
attacker to gain root privileges.


  1/7/2004 jabber: Denial of Service vulnerability

A bug in the handling of SSL connections could cause the server process
to crash, resulting in a denial of service.


  1/7/2004 zebra: Denial of Service vulnerability

Two vulnerabilities were discovered in zebra, both resulting in DoS.


  1/7/2004 fsp: Buffer overflow/directory traversal vulnerabilities

A remote user could both escape from the FSP root directory, and also overflow
a fixed-length buffer to execute arbitrary code.


  1/7/2004 kernel: More for Priv. Esc vulnerability

A flaw in bounds checking in mremap() in the Linux kernel may allow a local
attacker to gain root privileges.


  1/8/2004 vbox3: Privilege leak vulnerability

Root privileges were not properly relinquished before executing a user-supplied
Tcl script.


Distribution: EnGarde
  1/5/2004 kernel: Bug and security fixes

This update fixes two security issues and one critical bug in the Linux
Kernel shipped with EnGarde Secure Linux.


Distribution: Fedora
  1/6/2004 kernel: Privilege escalation vulnerability

Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux
kernel versions 2.4.23 and previous which may allow a local attacker to
gain root privileges.


Distribution: Immunix
  1/6/2004 kernel: Privilege escalation vulnerability

Paul Starzetz has discovered a mishandled boundary condition in the mremap(2)
system call; Starzetz reports this vulnerability may be exploited by local
untrusted users to gain root privileges.


Distribution: Mandrake
  1/8/2004 kernel: Privilege escalation vulnerability

A flaw in bounds checking in mremap() in the Linux kernel may be used to
allow a local attacker to obtain root privilege.


Distribution: Openwall
  1/6/2004 kernel: Privilege escalation vulnerability

This vulnerability may allow any local user and any process to execute arbitrary
code with kernel privileges and thus gain root access.


Distribution: Red Hat
  1/5/2004 kernel: Privilege escalation vulnerability

Updated kernel packages are now available that fix a security vulnerability
which may allow local users to gain root privileges.


  1/8/2004 ethereal: Denial of Service vulnerabilities

By exploiting these two issues it may be possible to make Ethereal crash
by injecting an intentionally malformed packet.


Distribution: Slackware
  1/7/2004 kernel: Privilege escalation vulnerability

There is a bounds-checking problem in the kernel's mremap() call which could
be used by a local attacker to gain root privileges.


Distribution: SuSE
  1/5/2004 kernel: Privilege escalation vulnerability

By exploiting an incorrect bounds check in do_mremap() during the remapping
of memory, it is possible to create a VMA with a size of 0.
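The same mremap() bounds check is the subject of the kernel entries for every distribution above. As an added probe (not code from any of the advisories or from the kernel), the program below asks the running kernel to remap a page to a new length of zero, the condition the SuSE text describes. A fixed do_mremap() refuses the request with EINVAL; an unpatched one accepted it and left the process with a zero-size VMA, so on an unpatched kernel the probe itself creates that VMA and should be run in a throwaway process. The raw syscall is used so the probe builds whether or not the glibc mremap() wrapper is exposed by the feature macros in effect; the MREMAP_MAYMOVE and MAP_ANONYMOUS fallback values are the Linux constants.

```c
/* Probe for the mremap() zero-length bounds check (added example). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef MREMAP_MAYMOVE
#define MREMAP_MAYMOVE 1      /* value from <linux/mman.h> */
#endif
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20    /* value from <asm-generic/mman-common.h> */
#endif

long syscall(long number, ...);  /* matches the libc prototype; raw mremap */

/* Returns 1 when the kernel rejects new_len == 0 with EINVAL (fixed kernel),
 * 0 when it accepts the call (the unpatched behaviour), and -1 when the
 * probe itself could not run (mmap failure, or mremap blocked by a sandbox). */
int mremap_zero_length_rejected(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;

    /* One ordinary anonymous page to use as the source of the remap. */
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;

    /* mremap(old_addr, old_len, new_len = 0, flags, new_addr) */
    errno = 0;
    long r = syscall(SYS_mremap, p, (size_t)page, (size_t)0, MREMAP_MAYMOVE, (void *)0);
    int saved = errno;
    if (r == -1) {
        munmap(p, (size_t)page);
        return saved == EINVAL ? 1 : -1;
    }
    /* The kernel accepted a zero-length remap: the do_mremap() fix is absent. */
    return 0;
}

int main(void)
{
    int rc = mremap_zero_length_rejected();
    if (rc == 1)
        puts("mremap(new_len = 0) rejected with EINVAL: bounds check present");
    else if (rc == 0)
        puts("mremap(new_len = 0) ACCEPTED: kernel lacks the do_mremap() fix");
    else
        puts("probe could not run (mmap failed or mremap unavailable)");
    return rc == 1 ? 0 : 1;
}
```

A result of 1 shows only that this one check is present; it says nothing about other kernel fixes, so the authoritative test remains the package version named in your vendor's advisory, and the probe is a quick sanity check on a machine whose reboot into the updated kernel you want to confirm.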


Distribution: Trustix
  1/5/2004 kernel: Privilege escalation vulnerability

The kernel packages prior to this update suffer from a bug in the mremap
function. This issue is fixed in this update. We have also fixed some minor
bugs in the structure of the packages.


Distribution: Turbolinux
  1/6/2004 kernel: Privilege escalation vulnerability

Local users may be able to gain root privileges.

