Author: Benjamin D. Thomas
log2mail, kernel, lha, postgresql, cvs, cups, squirrelmail, squid, tla, Ethereal,
tripwire, sitecopy, mailman, apache, mdkonline, xpcd, mod_ssl, ksymoops, and
kerberos5. The distributors include Debain, Fedora, FreeBSD, Gentoo, Mandrake,
NetBSD, OpenBSD, Red Hat, Slackware, SuSE, Trustix, and Turbo Linux.
Unnecessary Software
Each week system administrators
are inundated by hundreds of vendor advisories for every type of software imaginable.
From time to time the patches are critical from a security perspective, but
on other occasions they are merely a fix to a known bug. It is advisable to
update all software on a consistent basis so that a bug in software does not
result in a system vulnerability.
Unfortunately because of the great
number of advisories each week, it could be a full time job applying them. Applying
10 patches to 30 servers could possibly take days if an automated process isn’t
used. Everyone would agree, this is poor utilization of resources.
There are several solutions to the
problem. First, it is often a good idea to choose a specialized distribution,
or spend time configuring a broad one. For example, those building a Web server
should choose a distribution such as EnGarde Linux that has already been optimized
and secured to perform these services. If an administrator wishes to use a distribution
such as Debian, it is important that the necessary time is take to remove everything
not in use. For example, there is no need for a Web server to have a compiler,
X-windows, or games. This option requires system expertise, but is feasible.
No matter what system is installed,
it will almost always be the case that at least some unnecessary software is
installed on it. On an RPM based system, it can be removed with the following
command: /bin/rpm -e <packagename> Removing unnecessary software
can potentially reduce administration work load. There will no longer be a need
to keep that software up-to-date, and it no longer has the potential to turn
into a vulnerability.
It should be a priority to remove
unnecessary setuid/setgid binaries. Vulnerabilities in these can often lead
to root compromise, so they should only be used when necessary. To find setuid/setgid
binaries on a system, simply use the following command: find / -type f -perm
+6000 Remove each that is not in use and it can greatly reduce the risk
of compromise.
Until next time, cheers!
Benjamin D. Thomas
Editor LinuxSecurity.com
LinuxSecurity
Feature Extras:
Interview
with Brian Wotring, Lead Developer for the Osiris Project
– Brian Wotring is currently the lead developer for the Osiris project and
president of Host Integrity, Inc. He is also the founder of knowngoods.org,
an online database of known good file signatures. Brian is the co-author of
Mac OS X Security and a long-standing member of the Shmoo Group, an organization
of security and cryptography professionals.Guardian
Digital Launches Next Generation Secure Mail Suite – Guardian
Digital, the premier open source security company, announced the availability
of the next generation Secure Mail Suite, the industry’s most secure open
source corporate email system. This latest edition has been optimized to support
the changing needs of enterprise and small business customers while continually
providing protection from the latest in email security threats.Linux
and National Security – As the open source industry
grows and becomes more widely accepted, the use of Linux as a secure operating
system is becoming a prominent choice among corporations, educational institutions
and government sectors. With national security concerns at an all time high,
the question remains: Is Linux secure enough to successfully operate the government
and military’s most critical IT applications?[ Linux
Advisory Watch ] – [ Linux
Security Week ] – [ PacketStorm
Archive ] – [ Linux Security
Documentation ]
Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability. [ Subscribe
]
Distribution: | Debian | ||
6/8/2004 | gatos | ||
Privilege escalation vulnerability If initialization fails due to a missing configuration file, root privileges |
|||
6/8/2004 | jftpgw | ||
Format string vulnerability A remote user could potentially cause arbitrary code to be executed with |
|||
6/8/2004 | ethereal | ||
Buffer overflow vulnerabilities Several buffer overflow vulnerabilities were discovered in ethereal. |
|||
6/8/2004 | gallery | ||
Unauthenticated access A remote attacker could gain access to the gallery “admin” user without |
|||
6/8/2004 | rsync | ||
Directory traversal vulnerability A remote user could cause an rsync daemon to write files outside of the |
|||
6/8/2004 | log2mail | ||
Format string vulnerability Exploit could cause arbitrary code to be executed with the privileges of |
|||
6/8/2004 | kernel | ||
2.2.20 Privilege escalation vulnerability Due to flushing the TLB too early it is possible for an attacker to trigger |
|||
6/8/2004 | lha | ||
Multiple vulnerabilities Fixes multiple buffer overflows and multiple directory traversal vulnerabilities. |
|||
6/8/2004 | postgresql | ||
Denial of service vulnerability It possible to exploit this problem and crash the surrounding application. |
|||
6/10/2004 | cvs | ||
Buffer overflow vulnerability Derek Robert Price discovered a potential buffer overflow vulnerability |
|||
Distribution: | Fedora | ||
6/8/2004 | cups | ||
Non-encryption vulnerability Among other bugs, this fixes a failure to use encryption when required. |
|||
6/8/2004 | ethereal | ||
Multiple vulnerabilies This patch fixes three DoS vulns and a buffer overflow. |
|||
6/8/2004 | net-tools Excessive privilege vulnerability |
||
Multiple vulnerabilies netlink_listen & netlink_receive_dump should both check the source of the |
|||
6/8/2004 | krb5 | ||
Multiple buffer overflows Exploitation could lead to denial of service or arbitrary code execution. |
|||
6/10/2004 | squirrelmail | ||
Multiple vulnerabilities Patch fixes a SQL injection and cross-site scripting flaw. |
|||
6/10/2004 | squid | ||
Buffer overflow vulnerability A remotely-exploitable buffer overflow allows the execution of arbitrary |
|||
Distribution: | FreeBSD | ||
6/8/2004 | kernel | ||
Excessive privilege vulnerability Jailed processes can manipulate host routing tables. |
|||
Distribution: | Gentoo | ||
6/8/2004 | tla | ||
Heap overflow vulnerability This vulnerability could allow execution of arbitrary code with the rights |
|||
6/8/2004 | MPlayer, xine-lib Multiple vulnerabilities |
||
Heap overflow vulnerability A remote attacker, posing as a RTSP stream server, can execute arbitrary |
|||
6/8/2004 | Ethereal | ||
Multiple vulnerabilities Exploitation may allow an attacker to run arbitrary code or crash the program. |
|||
6/8/2004 | tripwire | ||
Format string vulnerability Attacker could cause execution of arbitrary code with permissions of the |
|||
6/8/2004 | sitecopy | ||
Multiple vulnerabilities When connected to a malicious WebDAV server, these vulnerabilities could |
|||
6/10/2004 | Mailman | ||
Password leak Mailman contains a bug allowing 3rd parties to retrieve member passwords. |
|||
6/10/2004 | apache | ||
Buffer overflow vulnerability A bug in mod_ssl may allow a remote attacker to execute remote code when |
|||
6/10/2004 | cvs | ||
Multiple vulnerabilities Several serious new vulnerabilities have been found in CVS, which may allow |
|||
Distribution: | Mandrake | ||
6/8/2004 | mdkonline | ||
Squid incompatability Though not a security problem per se, this is important to any who use Mandrake |
|||
6/8/2004 | xpcd | ||
Buffer overflow vulnerability Problem could be exploited by a local attacker to obtain root privileges. |
|||
6/8/2004 | mod_ssl | ||
Buffer overflow vulnerability A remote attacker may be able to execute arbitrary code via a client certificate |
|||
6/8/2004 | apache2 | ||
Buffer overflow vulnerability When mod_ssl is configured to trust the issuing CA, a remote attacker may |
|||
6/8/2004 | krb5 | ||
Buffer overflow vulnerabilities This could lead to root privileges, though it requires successfull authentication |
|||
6/8/2004 | tripwire | ||
Format string vulnerability Exploit could allow a local user to execute arbitrary code with the rights |
|||
6/10/2004 | krb5 | ||
Patch fix The original patch provided contained a bug where rule-based entries on |
|||
6/10/2004 | mdkonline | ||
Patch fix The previous update did not parse noarch packages, and new archs have been |
|||
6/10/2004 | cvs | ||
Multiple vulnerabilities This patch addresses four seperate security issues with cvs. |
|||
6/10/2004 | squid | ||
Buffer overflow vulnerability This buffer overflow can be exploited by a remote attacker by sending an |
|||
6/10/2004 | ksymoops | ||
Insecure temporary file vulnerability The script fails to do proper checking when copying a file to the /tmp directory. |
|||
Distribution: | NetBSD | ||
6/8/2004 | cvs | ||
Heap overflow vulnerabilities CVS had heap overflow vulnerabilities which can be trigged remotely by malicious |
|||
Distribution: | OpenBSD | ||
6/10/2004 | cvs | ||
Multiple vulnerabilities While no exploits are known to exist for these bugs under OpenBSD at this |
|||
Distribution: | Red Hat |
||
6/8/2004 | cvs | ||
Denial of service vulnerabilities Updated cvs packages that fix remote denial of service vulnerabilities are |
|||
6/9/2004 | Ethereal | ||
Multiple vulnerabilities Patch fixes a buffer overflow plus several denail of service vulnerabilities |
|||
6/9/2004 | krb5 | ||
Buffer overflow vulnerabilities Updated Kerberos 5 (krb5) packages which correct buffer overflows in the |
|||
6/9/2004 | squid | ||
Buffer overflow vulnerability If Squid is configured to use the NTLM authentication helper, a remote attacker |
|||
6/9/2004 | cvs | ||
Multiple vulnerabilities This patch resolves many outstanding vulnerabilities of cvs. |
|||
Distribution: | Slackware | ||
6/8/2004 | mod_ssl | ||
Buffer overflow vulnerability May allow remote attackers to execute arbitrary code via a client certificate |
|||
6/8/2004 | php | ||
Insecure path vulnerability Exploitation of this issue requires a static library at an insecure path, |
|||
6/10/2004 | cvs | ||
Multiple vulnerabilities Resolves many vulnerabilities, including a buffer overflow. |
|||
Distribution: | Suse | ||
6/10/2004 | cvs | ||
Multiple vulnerabilities These bugs allow remote attackers to execute arbitrary code as the user |
|||
6/10/2004 | squid | ||
Buffer overflow vulnerability Squid is vulnerable to a buffer overflow that can be exploited remotely |
|||
Distribution: | Trustix | ||
6/8/2004 | apache | ||
Buffer overflow vulnerability Stack-based buffer overflow may allow remote attackers to execute arbitrary |
|||
6/8/2004 | kerberos5 | ||
Buffer overflow vulnerabilities Exploitation of these flaws requires an unusual combination of factors, |
|||
6/10/2004 | squid | ||
Buffer overflow vulnerability Remote exploitation of a buffer overflow vulnerability in Squid Web Proxy |
|||
Distribution: | Turbolinux | ||
6/8/2004 | Multiple | ||