Linux Advisory Watch – November 21st 2003


Author: Benjamin D. Thomas

This week, advisories were released for zebra, hylafax, minimalist, Glibc, XFree86, Sane, postgresql, and
apache. The distributors include Conectiva, Debian, Mandrake, RedHat, SuSE, and
Trustix.

One of the more powerful and cutting edge technologies in security today is honeypots. Those
who have a need for better network monitoring and increased intrusion detection
capabilities should find value in their usage. The concept of honeypots has been
around for many years, but until recently they haven’t had much widespread use.
More recently, research has been done to precisely define what honeypots are
and to classify the different types of honeypot. With community involvement,
Lance Spitzner arrived at the following definition: “A honeypot
is an information system resource whose value lies in unauthorized or illicit
use of that resource.”

To the average IT person, honeypots may be somewhat confusing.
How could any system derive value from ‘unauthorized or illicit’ use? Isn’t it the
responsibility of security professionals to ensure that there is no wrongful
use of IT systems? I don’t think this analogy is completely appropriate, but
a honeypot is similar to a police sting operation. The name honeypot almost
implies that the IT resource is ‘bait’ to lure unauthorized users. While this
could be true, I’m not sure that it is the best way to think about honeypots.
Lance’s definition contains the word value. What value is there in setting up
an easy target to lure unauthorized users? That’s almost like buying a car and
always leaving it unlocked with the keys in it, parking it by your normal car,
hoping someone will steal your ‘honeycar’ rather than the car that you use every day.
In my opinion, that is a very expensive protection system.

A better approach is to have specific goals in mind when implementing
honeypots. Are you going to use this for research, simply to gain knowledge to
help you better protect against the enemy, or are you a corporate user who wants
to use a honeypot as a supplement to your intrusion detection system? Often,
corporate IDSes generate so many alerts that it is nearly impossible to sort out real
events. Honeypots provide an excellent method of identifying unauthorized traffic
and activity, simply because any traffic hitting a honeypot is by default unauthorized.
Honeypots have many uses and should not be installed just for the ‘cool’ factor.
If one is mis-configured and sitting on your network, it is potentially a huge
security threat.
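The paragraph above makes the point that any traffic to a honeypot is unauthorized by definition, which is what lets it cut through IDS noise. The following is an added example, not code from the newsletter or the Honeynet project, that applies that rule to a connection log: the honeypot addresses and the log lines are constructed for the example, and the log format is an assumption.

```python
"""Honeypot-backed alert triage (added example, not from the newsletter).

Nothing legitimate should ever talk to a honeypot, so a connection to one is a
high-confidence event.  This script uses that to prioritise a noisy IDS-style
connection log: every source that touched a honeypot is flagged, and every
other host that same source contacted is listed as a follow-up lead.
"""
import re
from collections import defaultdict

# Assumption for this example: two honeypot addresses on the internal network.
HONEYPOTS = {"10.0.0.250", "10.0.0.251"}

# Constructed sample log in a simple "time src -> dst:port" form.
SAMPLE_LOG = """\
08:00:01 192.168.1.20 -> 10.0.0.5:80
08:00:02 192.168.1.20 -> 10.0.0.5:443
08:00:05 203.0.113.9 -> 10.0.0.250:22
08:00:06 203.0.113.9 -> 10.0.0.251:445
08:00:07 203.0.113.9 -> 10.0.0.7:22
08:00:09 192.168.1.31 -> 10.0.0.5:80
08:00:11 198.51.100.4 -> 10.0.0.250:80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


def parse_connections(text):
    """Yield (time, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def triage(text, honeypots=HONEYPOTS):
    """Return {src: {"honeypot_hits": [...], "other_targets": [...]}} for
    every source that contacted a honeypot; quiet sources are left out."""
    by_src = defaultdict(list)
    for _, src, dst, port in parse_connections(text):
        by_src[src].append((dst, port))
    report = {}
    for src, conns in by_src.items():
        hits = [(d, p) for d, p in conns if d in honeypots]
        if not hits:
            continue  # never touched a honeypot: no high-confidence signal
        others = sorted({d for d, _ in conns if d not in honeypots})
        report[src] = {"honeypot_hits": hits, "other_targets": others}
    return report


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(f"{src}: {len(info['honeypot_hits'])} honeypot hit(s); "
              f"also contacted {info['other_targets'] or 'nothing else'}")
```

The "other_targets" list is the pivot a responder wants: the non-honeypot hosts a flagged source also touched are the ones to check first.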

To find out more, I suggest the Honeynet project:
http://www.honeynet.org/

Until next time, cheers!
Benjamin D. Thomas

LinuxSecurity Feature Extras:

OpenVPN: An Introduction and Interview with Founder, James Yonan

– In this article, Duane Dunston gives a brief introduction to OpenVPN and interviews
its founder James Yonan.

R00ting The Hacker

– Dan Verton, the author of The Hacker Diaries: Confessions of
Teenage Hackers, is a former intelligence officer in the U.S. Marine Corps
who currently writes for Computerworld and CNN.com, covering national cyber-security
issues and critical infrastructure protection.


Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.

Distribution: Conectiva

  11/20/2003 zebra - Denial of service vulnerabilities

Multiple denial of service vulnerabilities have been resolved.

http://www.linuxsecurity.com/advisories/connectiva_advisory-3801.html

Distribution: Debian

  11/17/2003 hylafax - Multiple format string vulnerabilities

The SuSE Security Team discovered several exploitable format string vulnerabilities
in hylafax, a flexible client/server fax system, which could lead to executing
arbitrary code as root on the fax server.

http://www.linuxsecurity.com/advisories/debian_advisory-3793.html

  11/17/2003 minimalist - Unsanitized input vulnerability

A security-related problem has been discovered in minimalist, a mailing
list manager, which allows a remote attacker to execute arbitrary commands.

http://www.linuxsecurity.com/advisories/debian_advisory-3794.html

Distribution: Mandrake

  11/19/2003 Glibc - Buffer overflow vulnerability

A bug was discovered in the getgrouplist function in glibc that can cause
a buffer overflow if the size of the group list is too small to hold all
the user’s groups. This overflow can cause segmentation faults in various
user applications, some of which may lead to additional security problems.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3800.html

Distribution: RedHat

  11/20/2003 XFree86 - Multiple integer overflows

Updated XFree86 packages for Red Hat Linux 9 provide security fixes to font
libraries and XDM.

http://www.linuxsecurity.com/advisories/redhat_advisory-3802.html

Distribution: SuSE

  11/18/2003 Sane - Denial of service vulnerability

Several bugs in sane were fixed to avoid remote denial-of-service attacks.
These attacks can be executed even if the remote attacker is not allowed
to access the sane server because the attacker’s IP is not listed in the file sane.conf.

http://www.linuxsecurity.com/advisories/suse_advisory-3799.html

Distribution: Trustix

  11/17/2003 glibc - Buffer overflow vulnerability

The getgrouplist function in GNU libc may allow attackers to cause a denial
of service (segmentation fault) and execute arbitrary code when a user is
a member of a large number of groups, which can cause a buffer overflow.

http://www.linuxsecurity.com/advisories/tawie_advisory-3789.html

  11/17/2003 postgresql - Buffer overflow vulnerability

Buffer overflow in to_ascii for PostgreSQL 7.2.x, and 7.3.x before 7.3.4,
allows remote attackers to execute arbitrary code.

http://www.linuxsecurity.com/advisories/tawie_advisory-3790.html

  11/17/2003 apache - Multiple vulnerabilities

Multiple stack-based buffer overflows in mod_alias and mod_rewrite have
been fixed. Improper handling of CGI redirect paths has been fixed.

http://www.linuxsecurity.com/advisories/tawie_advisory-3791.html

  11/17/2003 coreutils/fileutils/anonftp - Integer overflow vulnerability (multiple vulnerabilities)

An integer overflow in ls in the fileutils or coreutils packages may allow
local users to cause a denial of service or execute arbitrary code via a
large -w value, which could be remotely exploited via applications that
use ls, such as wu-ftpd.

http://www.linuxsecurity.com/advisories/tawie_advisory-3792.html
