March 11, 2005

Linux Advisory Watch - March 11, 2005

Author: Benjamin D. Thomas

This week, advisories were released for clamav, kernel, squid, kppp,
helixplayer, tzdata, libtool, firefox, ipsec-tools, dmraid, gaim,
libexif, gimp, yum, grip, libXpm, xv, ImageMagick, Hashcash, mlterm,
dcoidlng, curl, gftp, cyrus-imapd, unixODBC, and mc. The distributors
include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and
SuSE.STRATEGIES AND COUNTERMEASURES
By: Raymond Ankobia

This discusses strategies and countermeasures that will help
alleviate threats and vulnerabilities commonly found in web
application development.

3.1 Security Management Programs

A security policy drafted and implemented from a holistic viewpoint
with full approval of senior executives. There must be security
education and awareness campaigns for the development team and
administrators to foster a secure development lifecycle. Policies
will ensure secure configuration of web servers and back end databases.
Key amongst education campaigns is social engineering [8][7] where
the attacker deceitfully extracts information directly from authorized
people.

3.2 Deployment of Application Firewalls

This is a fairly new concept
that offers use of gateways that specifically operate at the
application layer. These are stateful, intelligent and content
driven programmes/appliances that operate by checking web content.
This allows for evaluation of attack signatures and exploits and
prevents them from impacting on the targets. They look out and allow
legitimate requests of users to reach the backend servers and
databases whilst preventing, logging and alerting administrators of
malicious activities. Even though these may be able to do a far better
job of analysing application content including graphics, they
are not a panacea and the battle is far from over. Malicious and
encrypted content will still get through firewalls [6].

3.3 Using SSL/TLS (HTTPS) Protocol

SSL/TLS has become the de-facto protocol for deploying secure web
applications running on HTTP. It is based on Public Key Technology
and X509 certificates, and defined by the Internet Engineering Task
Force (IEFT) RFC 2246. This is supported in most web browsers and
provides a secure tunnel between the client and the server. The server
side almost always authenticates to the client by making available its
public key to the client for verification; thereby offering a mechanism
to identify rogue servers that impersonate by spoofing IP addresses
with wrong DNS entries [8][7].

In most situations, the client side authentication is optional. This is
due largely to the overhead of requiring every client to have a public
key. This provides confidentiality, integrity and authenticity of
transactions between both ends of the traffic. However, it must be
emphasised that hackers concentrate on attacking the endpoints';
poor deployment and implementation of applications and databases make
easy break-ins.

Poor implementation of a secure protocol does not make it any better.
Attention to detailed instructions from these specifications is
imperative to get it right.

3.4 Sandboxing and Code Signing

This idea for using sandboxes and signing of code (especially mobile
code) is to introduce trust and assurance to the end user as to the
origin of the application in question. Sandboxes are restricted and
non-privileged operating environments [2][1]. Java Applets use this
approach by encapsulating permissions and rights to resources within
the programme itself.

This provides a safer environment as the Java Virtual Machine (embedded
in most browsers) consults the security manager for any violations or
privileged system calls that may compromise the local computer. The
author of a code may digitally sign it to give some authenticity and
confidence to the end user; allowing that signature to be publicly
verified using a certified public directory.

Authenticode is the approach by Microsoft for digitally signing code
to provide trust and authenticity of origin. Developers of ActiveX
controls/programmes may likewise sign the code to give similar level
of trust and authenticity. However, discretion is left entirely to the
user to check the authenticity of the digital signatures. [2] Clearly
declares, "A digital signature does not, however, provide any guarantee
of benevolence or competence". The Sandboxing (by Sun Microsystems)
approach offers better assurance since it comes with a built-in
security reference monitor that checks the access controls of the
objects. These architectures are designed with Public Key Infrastructure
(PKI) in mind and require education and awareness programmes on key
management and certification authorities.

3.5 Use of Honeypots

These are used to lure potential crackers / hackers. The principle is
one of falsifying information and placing it where hackers will
eventually find it. The original concept seem to have come from [9]
where he managed to bait hackers with falsified information which
eventually led to their capture. This allows for the footprints of
malicious activities to be logged, monitored and analysed. They help
analyse the weak points that may are exposed with subsequent
introduction of countermeasures that will seal any weaknesses that
may be exploited. Use of this technology does have some legal
implications. There is a debate as to whether this is enticement or
entrapment and may require legal interpretation before use.

3.6 Using SiteDigger

This is a tool developed by Foundstone Professional Services to help
web application developers and administrators test the efficacy of
security measures incorporated during design. It works in conjunction
with certain API's which will need to be downloaded from Google's
website (http://www.google.com/apis/). This tool will help the web application developer or administrator to scan and generate reports
of any leakages on a particular website.

3.7 ISO/IEC 17799 (Part I)

This was originally a British code of practice for Information
Security Management and was later adopted by ISO as a Standard [5].
This has many facets for compliance and one of them is Systems
Development and Maintenance. Part II of this, is for accreditation (currently being vetted by ISO for standardisation).

It engages the certifying party through a rigorous compliance
process, which includes the integration of controls and audit trails
built into application systems. It encourages stringent checks and
controls, Input data validation, message authentication to guard
against unauthorised changes, output validation to ensure correct
input and processing (the old adage "Garbage In, Garbage out), and
the use of cryptographic controls to protect the confidentiality
and integrity of information.

It also envisages strict and secure change control procedures
and principle of least principle, by making sure that support
developers are only given access to areas of their domain.

3.8 Security Audit

Self-Hack Audit [1]. The self-hack audit is an approach that uses
methodology used by developers to identify and eliminate security
weaknesses in an application before they are discovered and
compromised. This will include checking login prompts, brute forcing
passwords and setting up limits for login attempts. Penetration
Testing. Particular mention is made of The Open Web Application
Security Project (OWASP), which is an Open source platform used as
a benchmark for testing web application vulnerabilities.

Read Entire Article:
http://www.linuxsecurity.com/content/view/118427/49/

 

LinuxSecurity.com
Feature Extras:

Getting
to Know Linux Security: File Permissions
- Welcome to the first
tutorial in the 'Getting to Know Linux Security' series. The topic explored
is Linux file permissions. It offers an easy to follow explanation of how
to read permissions, and how to set them using chmod. This guide is intended
for users new to Linux security, therefore very simple. If the feedback is
good, I'll consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.

The
Tao of Network Security Monitoring: Beyond Intrusion Detection

- To be honest, this was one of the best books that I've read on network security.
Others books often dive so deeply into technical discussions, they fail to
provide any relevance to network engineers/administrators working in a corporate
environment. Budgets, deadlines, and flexibility are issues that we must all
address. The Tao of Network Security Monitoring is presented in such a way
that all of these are still relevant.

Encrypting
Shell Scripts
- Do you have scripts that contain sensitive information
like passwords and you pretty much depend on file permissions to keep it secure?
If so, then that type of security is good provided you keep your system secure
and some user doesn't have a "ps -ef" loop running in an attempt to capture
that sensitive info (though some applications mask passwords in "ps" output).

 

Take advantage of our Linux Security discussion
list!
This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline
.


   Conectiva
  Conectiva: clamav Fix for denial of service
in clamav
  3rd, March, 2005

Clamav[1] is an anti-virus utility for Unix/Linux. This announcement
updates clamav so it is able to update its database from the server without
any problems related to its format and also because it fixes a security
issue which could lead to a denial of service[2] situation.

http://www.linuxsecurity.com/content/view/118480

 
  Conectiva: kernel Kernel fixes
  7th, March, 2005

The Linux kernel is responsible for handling the basic functions
of the GNU/Linux operating system. This announcement has the following
important changes.

http://www.linuxsecurity.com/content/view/118518

 
  Conectiva: squid Fixes for multiple squid
vulnerabilities
  8th, March, 2005

Squid[1] is a full-featured web proxy cache. This announcement
fixes the following vulnerabilities for Squid.

http://www.linuxsecurity.com/content/view/118533

 
   Debian
  Debian: New abuse packages fix local
root exploit
  7th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118514

 
  Debian: New kppp packages fix privileged
file descriptor leak
  8th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118534

 
   Fedora
  Fedora Core 3 Update: HelixPlayer-1.0.3-3.fc3
  3rd, March, 2005

Updated HelixPlayer packages that fixes two buffer overflow
issues are now available.

http://www.linuxsecurity.com/content/view/118479

 
  Fedora Core 3 Update: tzdata-2005f-1.fc3
  3rd, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118484

 
  Fedora Core 2 Update: tzdata-2005f-1.fc2
  3rd, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118485

 
  Fedora Core 2 Update: kernel-2.6.10-1.770_FC2
  3rd, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118486

 
  Fedora Core 3 Update: kernel-2.6.10-1.770_FC3
  3rd, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118487

 
  Fedora Core 3 Update: libtool-1.5.6-4.FC3.1
  4th, March, 2005

Libtool is a program used by many other programs to create static
and dynamic libraries using a portable interface. Libtool is generally
configured as part of every package that uses it.

http://www.linuxsecurity.com/content/view/118488

 
  Fedora Core 3 Update: firefox-1.0.1-1.3.2
  4th, March, 2005

Some users may experience spacing issues in textareas. This
update resolves those issues, updating to the latest version of the pango
selection patch.

http://www.linuxsecurity.com/content/view/118499

 
  Fedora Core 2 Update: ipsec-tools-0.5-0.fc2
  4th, March, 2005

This updates ipsec-tools to 0.5, which correctly generates forward
policies so that tunnels work on current kernels.

http://www.linuxsecurity.com/content/view/118507

 
  Fedora Core 3 Update: ipsec-tools-0.5-0.fc3
  4th, March, 2005

This updates ipsec-tools to 0.5, which correctly generates forward
policies so that tunnels work on current kernels.

http://www.linuxsecurity.com/content/view/118508

 
  Fedora Core 3 Update: dmraid-1.0.0.rc6-1_FC3
  7th, March, 2005

This updates dmraid to 1.0.0.rc6, which includes support for
VIA ATARAID sets.

http://www.linuxsecurity.com/content/view/118515

 
  Fedora Core 3 Update: selinux-policy-targeted-1.17.30-2.85
  7th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118517

 
  Fedora Core 2 Update: ipsec-tools-0.5-1.fc2
  7th, March, 2005

This update fixes some packaging errors: - the /var/racoon directory
is shipped, for use with the admin port - racoon correctly looks for its
config file in /etc/racoon now

http://www.linuxsecurity.com/content/view/118520

 
  Fedora Core 3 Update: ipsec-tools-0.5-1.fc3
  7th, March, 2005

This update fixes some packaging errors: - the /var/racoon directory
is shipped, for use with the admin port - racoon correctly looks for its
config file in /etc/racoon now

http://www.linuxsecurity.com/content/view/118521

 
  Fedora Core 2 Update: gaim-1.1.4-1.FC2
  7th, March, 2005

This fixes the crash in the Gadu Gadu protocol, and makes Yahoo
file transfer and buddy icons work for the more common non-proxy case.
Unfortunately this probably breaks the less common proxy case.

http://www.linuxsecurity.com/content/view/118526

 
  Fedora Core 3 Update: gaim-1.1.4-1.FC3
  7th, March, 2005

This fixes the crash in the Gadu Gadu protocol, and makes Yahoo
file transfer and buddy icons work for the more common non-proxy case.
Unfortunately this probably breaks the less common proxy case.

http://www.linuxsecurity.com/content/view/118527

 
  Fedora Core 2 Update: libexif-0.5.12-2.2
  8th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118535

 
  Fedora Core 3 Update: libexif-0.5.12-3.1
  8th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118536

 
  Fedora Core 3 Update: gimp-2.2.4-0.fc3.1
  8th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118537

 
  Subject: Fedora Core 3 Update: yum-2.2.0-0.fc3
  8th, March, 2005

New yum release fixes multiple small bugs.

http://www.linuxsecurity.com/content/view/118538

 
  Fedora Core 3 Update: grip-3.2.0-4
  9th, March, 2005

This fixes a buffer overflow when the CDDB server returns more
than 16 matches.

http://www.linuxsecurity.com/content/view/118543

 
  Fedora Core 2 Update: grip-3.2.0-3.fc2
  9th, March, 2005

This fixes a buffer overflow when the CDDB server returns more
than 16 matches.

http://www.linuxsecurity.com/content/view/118544

 
   Gentoo
  Gentoo: BidWatcher Format string vulnerability
  3rd, March, 2005

BidWatcher is vulnerable to a format string vulnerability, potentially
allowing arbitrary code execution.

http://www.linuxsecurity.com/content/view/118483

 
  Gentoo: OpenMotif, LessTif New libXpm
buffer overflows
  4th, March, 2005

A new vulnerability has been discovered in libXpm, which is
included in OpenMotif and LessTif, that can potentially lead to remote
code execution.

http://www.linuxsecurity.com/content/view/118493

 
  Gentoo: xv Filename handling vulnerability
  4th, March, 2005

xv contains a format string vulnerability, potentially resulting
in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118497

 
  Gentoo: Mozilla Firefox Various vulnerabilities
  4th, March, 2005

Mozilla Firefox is vulnerable to a local file deletion issue
and to various issues allowing to trick the user into trusting fake web
sites or interacting with privileged content.

http://www.linuxsecurity.com/content/view/118498

 
  Gentoo: ImageMagick Filename handling
vulnerability
  6th, March, 2005

A format string vulnerability exists in ImageMagick that may
allow an attacker to execute arbitrary code.

http://www.linuxsecurity.com/content/view/118509

 
  Gentoo: Hashcash Format string vulnerability
  6th, March, 2005

A format string vulnerability in the Hashcash utility could
allow an attacker to execute arbitrary code.

http://www.linuxsecurity.com/content/view/118510

 
  Gentoo: mlterm Integer overflow vulnerability
  7th, March, 2005

mlterm is vulnerable to an integer overflow, which could potentially
allow the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118516

 
  Gentoo: KDE dcopidlng Insecure temporary
file creation
  7th, March, 2005

The dcopidlng script is vulnerable to symlink attacks, potentially
allowing a local user to overwrite arbitrary files.

http://www.linuxsecurity.com/content/view/118519

 
   Mandrake
  Mandrake: Updated curl packages fix
  4th, March, 2005

"infamous41md" discovered a buffer overflow vulnerability in
libcurl's NTLM authorization base64 decoding. This could allow a remote
attacker using a prepared remote server to execute arbitrary code as the
user running curl. The updated packages are patched to deal with these
issues.

http://www.linuxsecurity.com/content/view/118500

 
  Mandrake: Updated gaim packages fix
  4th, March, 2005

Gaim versions prior to version 1.1.4 suffer from a few security
issues such as the HTML parses not sufficiently validating its input.
This allowed a remote attacker to crash the Gaim client be sending certain
malformed HTML messages (CAN-2005-0208 and CAN-2005-0473).

http://www.linuxsecurity.com/content/view/118501

 
  Mandrake: Updated gftp packages fix
  4th, March, 2005

A vulnerability in gftp could allow a malicious FTP server to
overwrite files on the local system as the user running gftp due to improper
handling of filenames containing slashes. The updated packages are patched
to deal with these issues.

http://www.linuxsecurity.com/content/view/118502

 
  Mandrake: Updated cyrus-imapd packages
  4th, March, 2005

Several overruns have been fixed in the IMAP annote extension
as well as in cached header handling which can be run by an authenticated
user. As well, additional bounds checking in fetchnews was improved to
avoid exploitation by a peer news admin.

http://www.linuxsecurity.com/content/view/118503

 
  Mandrake: Updated imap packages include
  4th, March, 2005

The imap package was missing a requires for xinetd, which is
required for using the daemon. Updated packages include this requirement.

http://www.linuxsecurity.com/content/view/118504

 
  Mandrake: Updated kdegraphics packages
  4th, March, 2005

Previous updates to correct integer overflow issues affecting
xpdf overlooked certain conditions when built for a 64 bit platform. (formerly
CAN-2004-0888). This also affects applications like kdegraphics, that
use embedded versions of xpdf. (CAN-2005-0206)

http://www.linuxsecurity.com/content/view/118505

 
  Mandrake: Updated unixODBC packages
  4th, March, 2005

The unixODBC packages shipped with Mandrakelinux 10.1 had a
couple of issues with the GUI config tools: The gtk interface gODBCConfig
does not exit when it's window is closed.

http://www.linuxsecurity.com/content/view/118506

 
  Mandrake: Updated dynamic packages
  8th, March, 2005

Dynamic did not launch kaffeine on insertion of a DVD vide when
using KDE as the desktop. The updated version now launches kaffeine.

http://www.linuxsecurity.com/content/view/118528

 
   Red
Hat
  RedHat: Moderate: squid security update
  3rd, March, 2005

Updated squid packages that fix a denial of service issue are
now available. This update has been rated as having important security
impact by the Red Hat Security Response Team

http://www.linuxsecurity.com/content/view/118476

 
  RedHat: Low: kdenetwork security update
  3rd, March, 2005

Updated kdenetwork packages that fix a file descriptor leak
are now available. This update has been rated as having low security impact
by the Red Hat Security Response Team

http://www.linuxsecurity.com/content/view/118477

 
  RedHat: Critical: RealPlayer security
update
  3rd, March, 2005

An updated RealPlayer package that fixes two buffer overflow
issues is now available. This update has been rated as having critical
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118478

 
  RedHat: Critical: HelixPlayer security
update
  3rd, March, 2005

An updated HelixPlayer package that fixes two buffer overflow
issues is now available. This update has been rated as having critical
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118481

 
  RedHat: Important: xpdf security update
  4th, March, 2005

An updated xpdf package that correctly fixes several integer
overflows is now available. This update has been rated as having important
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118489

 
  RedHat: Moderate: mc security update
  4th, March, 2005

Updated mc packages that fix multiple security issues are now
available. This update has been rated as having moderate security impact
by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118490

 
  RedHat: Critical: mozilla security update
  4th, March, 2005

Updated mozilla packages that fix a buffer overflow issue are
now available. This update has been rated as having critical security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118491

 
   SuSE
  SuSE: cyrus-sasl remote code execution
  3rd, March, 2005

A buffer overflow in the digestmda5 code was identified that
could lead to a remote attacker executing code in the context of the service
using sasl authentication.

http://www.linuxsecurity.com/content/view/118472

 
  SuSE: RealPlayer remote buffer overflow
  9th, March, 2005

Two security problems were found in the media player RealPlayer.

http://www.linuxsecurity.com/content/view/118542

 
Click Here!