[ISN] Linux Advisory Watch - August 20, 2004
InfoSec News
isn at c4i.org
Mon Aug 23 03:30:43 EDT 2004
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| August 20, 2004 Volume 5, Number 33a |
+---------------------------------------------------------------------+
Editors: Dave Wreski David Isecke
dave at linuxsecurity.com dai at linuxsecurity.com
This week, advisories were released for acroread, ftpd, gaim, glibc, gv,
kdelibs, kernel, mozilla, mysql, Nessus, Netscape, pam, qt3, Roundup,
rsync, ruby, semi, spamassassin, squirrelmail, and Tomcat.
The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake,
NetBSD, Red Hat, Suse, and Trustix.
-----
>> Internet Productivity Suite: Open Source Security <<
Trust Internet Productivity Suite's open source architecture to give you
the best security and productivity applications available. Collaborating
with thousands of developers, Guardian Digital security engineers
implement the most technologically advanced ideas and methods into their
design.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10
-----
Reducing the Risk
Reducing the risk of intrusion can be achieved by eliminating many of the
known common problems.
The vast majority of attacks are carried out by script kiddies who scan
massive IP blocks looking for a vulnerable computer, then run a program they
don't understand to exploit the vulnerability they've just discovered.
To block these script kiddies, just fix the common vulnerabilities that the
programs they use rely on.
Buffer Overflow
A buffer overflow attack is when the attacker sends malformed packets to a
service that cause its memory buffer to overflow. The cracker hopes this
will crash the program and drop into a root prompt.
Buffer overflows happen because of programming errors where input was not
checked to be valid.
To prevent buffer overflows, all code must be meticulously hand-checked
multiple times by multiple people. Since this is not often possible, to
limit the chances of being successfully cracked by a buffer overflow
attack, keep your systems up to date and get rid of all excess services.
The fewer services your server offers, the less code there is that could
contain a buffer overflow. Also, there are kernel patches that prevent some
forms of buffer overflow.
Denial of Service
A Denial of Service, DoS, attack can come in many shapes and forms. The
Blue Screen of Death from Windows can be one if it is caused by someone
and not just poor programming. Also, the infamous DDoS attacks from
earlier this year are an example where multiple 'zombie' computers
coordinate together to attack a host all at the same time. A DoS attack is
anything that maliciously prevents the computer from doing what was
intended. This is usually accomplished by errors in code that will cause
the program to eat up all the system resources.
IP Session Hi-Jacking
IP Session Hi-Jacking, also known as a man in the middle attack, is a
sophisticated attack which can now be done using tools circulating in the
script kiddie community. With IP Session Hi-Jacking, a user connects
to a system using a service like telnet, then a cracker intercepts the
packets and tricks the system into thinking that the cracker's machine is
actually the user's machine. The user will think her connection got dropped,
when in actuality it is still going, but it has been taken over by the
cracker.
This form of attack cannot be blocked outright, but there are checks that
can be done to prevent it. Telnet is the type of service that crackers
want to hi-jack; it has shell access, is unencrypted, and doesn't perform
many checks to make sure the person really is who they say they are. SSH,
on the other hand, would be very hard to hi-jack; it has strong
encryption, multiple checks of an identity, and can have its shell access
limited. Most services can't really be hi-jacked, but the ones that can,
like telnet, usually have a secure replacement, like SSH, that can be used
instead.
Security Tip Written by Ryan Maple (ryan at guardiandigital.com)
Additional tips are available at the following URL:
http://www.linuxsecurity.com/tips/
----
An Interview with Gary McGraw, Co-author of Exploiting Software:
How to Break Code
Gary McGraw is perhaps best known for his groundbreaking work on securing
software, having co-authored the classic Building Secure Software
(Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund
a companion volume, Exploiting Software, which details software security
from the vantage point of the other side, the attacker. He has graciously
agreed to share some of his insights with all of us at LinuxSecurity.com
http://www.linuxsecurity.com/feature_stories/feature_story-171.html
---------------------------------------------------------------------
Security Expert Dave Wreski Discusses Open Source Security
LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian
Digital, Inc. and respected author of various hardened security and Linux
publications, to talk about how Guardian Digital is changing the face of
IT security today. Guardian Digital is perhaps best known for their
hardened Linux solution EnGarde Secure Linux, touted as the premier
secure, open-source platform for its comprehensive array of general
purpose services, such as web, FTP, email, DNS, IDS, routing, VPN,
firewalling, and much more.
http://www.linuxsecurity.com/feature_stories/feature_story-170.html
------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Conectiva | ----------------------------//
+---------------------------------+
8/13/2004 - squirrelmail
Multiple vulnerabilities
This patch addresses four vulnerabilities in SquirrelMail,
including XSS and SQL injection attacks.
http://www.linuxsecurity.com/advisories/conectiva_advisory-4669.html
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
8/20/2004 - ruby
Insecure file permissions
This can allow an attacker who also has shell access to the
webserver to take over a session.
http://www.linuxsecurity.com/advisories/debian_advisory-4689.html
8/20/2004 - rsync
Insufficient path sanitation
The rsync developers have discovered a security related problem in
rsync which allows an attacker to access files outside of the
defined directory.
http://www.linuxsecurity.com/advisories/debian_advisory-4690.html
8/20/2004 - kdelibs
Insecure temporary file vulnerability
This can be abused by a local attacker to create or truncate
arbitrary files or to prevent KDE applications from functioning
correctly.
http://www.linuxsecurity.com/advisories/debian_advisory-4691.html
8/20/2004 - mysql
Insecure temporary file vulnerability
Jeroen van Wolffelaar discovered an insecure temporary file
vulnerability in the mysqlhotcopy script when using the scp method
which is part of the mysql-server package.
http://www.linuxsecurity.com/advisories/debian_advisory-4692.html
+---------------------------------+
| Distribution: Fedora | ----------------------------//
+---------------------------------+
8/20/2004 - rsync
Insufficient path sanitization
This update backports a security fix to a path-sanitizing flaw
that affects rsync when it is used in daemon mode without also
using chroot.
http://www.linuxsecurity.com/advisories/fedora_advisory-4688.html
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
8/13/2004 - Roundup
Filesystem access vulnerability
Roundup will make files owned by the user that it's running as
accessible to a remote attacker.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4664.html
8/13/2004 - gv
Buffer overflow vulnerability
gv contains an exploitable buffer overflow that allows an attacker
to execute arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4665.html
8/13/2004 - Nessus
Race condition vulnerability
Nessus contains a vulnerability allowing a user to perform a
privilege escalation attack using "adduser".
http://www.linuxsecurity.com/advisories/gentoo_advisory-4666.html
8/13/2004 - Gaim
Buffer overflow vulnerability
Gaim contains a remotely exploitable buffer overflow vulnerability
in the MSN-protocol parsing code that may allow remote execution
of arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4667.html
8/13/2004 - kdebase, kdelibs
Multiple vulnerabilities
KDE contains three security issues that can allow an attacker to
compromise system accounts, cause a Denial of Service, or spoof
websites via frame injection.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4668.html
8/20/2004 - acroread
Buffer overflow vulnerabilities
Acroread contains two errors in the handling of UUEncoded
filenames that may lead to execution of arbitrary code or
programs.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4682.html
8/20/2004 - Tomcat
Insecure installation
Improper file ownership may allow a member of the tomcat group to
execute scripts as root.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4683.html
8/20/2004 - glibc
Information leak vulnerability
glibc contains an information leak vulnerability allowing the
debugging of SUID binaries.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4684.html
8/20/2004 - rsync
Insufficient path sanitation
This vulnerability could allow the listing of arbitrary files and
allow file overwriting outside module's path on rsync server
configurations that allow uploading.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4685.html
8/20/2004 - xine-lib
Buffer overflow vulnerability
An attacker may construct a carefully-crafted playlist file which
will cause xine-lib to execute arbitrary code with the permissions
of the user.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4686.html
8/20/2004 - courier-imap
Format string vulnerability
An attacker may be able to execute arbitrary code as the user
running courier-imapd (oftentimes root).
http://www.linuxsecurity.com/advisories/gentoo_advisory-4687.html
+---------------------------------+
| Distribution: Mandrake | ----------------------------//
+---------------------------------+
8/13/2004 - gaim
Buffer overflow vulnerabilities
Sebastian Krahmer discovered two remotely exploitable buffer
overflow vulnerabilities in the gaim instant messenger.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4662.html
8/13/2004 - mozilla
Multiple vulnerabilities
A large number of Mozilla vulnerabilities are addressed by this
update.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4663.html
8/20/2004 - rsync
Insufficient path sanitation
If rsync is running in daemon mode, and not in a chrooted
environment, it is possible for a remote attacker to trick rsyncd
into creating an absolute pathname while sanitizing it.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4679.html
8/20/2004 - spamassassin
Denial of service vulnerability
Security fix prevents a denial of service attack triggered by certain
malformed messages.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4680.html
8/20/2004 - qt3
Heap overflow vulnerability
This vulnerability could allow for the compromise of the account
used to view or browse malicious graphic files.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4681.html
+---------------------------------+
| Distribution: NetBSD | ----------------------------//
+---------------------------------+
8/20/2004 - ftpd
Privilege escalation vulnerability
A set of flaws in the ftpd source code can be used together to
achieve root access within an ftp session.
http://www.linuxsecurity.com/advisories/netbsd_advisory-4678.html
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
8/19/2004 - pam
Privilege escalation vulnerability
If the pam_wheel module was used with the "trust" option enabled,
but without the "use_uid" option, any local user could use PAM to
gain access to a superuser account without supplying a password.
http://www.linuxsecurity.com/advisories/redhat_advisory-4670.html
8/19/2004 - Itanium kernel
Multiple vulnerabilities
Updated Itanium kernel packages that fix a number of security
issues are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-4671.html
8/19/2004 - semi
Insecure temporary file vulnerability
Temporary files were being created without taking adequate
precautions, and therefore a local user could potentially
overwrite files with the privileges of the user running emacs.
http://www.linuxsecurity.com/advisories/redhat_advisory-4672.html
8/20/2004 - Netscape
Multiple vulnerabilities
Netscape Navigator and Netscape Communicator have been removed
from the Red Hat Enterprise Linux 2.1 CD-ROM distribution as part
of Update 5. These packages were based on Netscape 4.8, which is
known to be vulnerable to recent critical security issues, such as
CAN-2004-0597, CAN-2004-0598, and CAN-2004-0599.
http://www.linuxsecurity.com/advisories/redhat_advisory-4673.html
8/20/2004 - kernel
Denial of service vulnerability
A bug in the SoundBlaster 16 code which did not properly handle
certain sample sizes has been fixed. This flaw could be used by
local users to crash a system.
http://www.linuxsecurity.com/advisories/redhat_advisory-4674.html
+---------------------------------+
| Distribution: Suse | ----------------------------//
+---------------------------------+
8/20/2004 - rsync
Insufficient pathname sanitizing
If rsync is running in daemon-mode and without a chroot
environment it is possible for a remote attacker to trick rsyncd
into creating an absolute pathname while sanitizing it.
http://www.linuxsecurity.com/advisories/suse_advisory-4676.html
8/20/2004 - qt3
Buffer overflow vulnerability
Chris Evans found a heap overflow in the BMP image format parser
which can probably be abused by remote attackers to execute
arbitrary code.
http://www.linuxsecurity.com/advisories/suse_advisory-4677.html
+---------------------------------+
| Distribution: Trustix | ----------------------------//
+---------------------------------+
8/20/2004 - rsync
Path escape vulnerability
Please either enable chroot or upgrade to 2.6.1. People not
running a daemon, running a read-only daemon, or running a
chrooted daemon are totally unaffected.
http://www.linuxsecurity.com/advisories/trustix_advisory-4675.html
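The rsync entries above (Mandrake, Suse, Trustix) describe a sanitizer that can be tricked into producing an absolute pathname outside the module. The Python below is an added illustration of that bug class and of the containment check a daemon should make; it is not rsync's own code, and the module root and request paths are constructed for the example.

```python
import posixpath

# Constructed module root for the examples below (not a real rsync setup).
MODULE_ROOT = "/srv/rsync/pub"


def naive_join(module_root, requested):
    """Illustrates the bug class: a join that yields an absolute path.

    posixpath.join discards everything before an absolute component, so a
    request of "/etc/passwd" comes back as "/etc/passwd", outside the module.
    """
    return posixpath.normpath(posixpath.join(module_root, requested))


def contain_path(module_root, requested):
    """Map a client-supplied path onto the module root, or return None.

    Purely lexical (no filesystem access; symlinks are out of scope):
      1. the request is always treated as relative to the module, so a
         leading "/" means the module root, not the host root;
      2. "." and ".." are collapsed before the path is anchored, so an
         escape is visible as a leading ".." instead of being clamped away;
      3. the final string is re-checked against the root as defence in depth.
    """
    root = posixpath.normpath(module_root)
    if not root.startswith("/"):
        raise ValueError("module root must be absolute")
    norm = posixpath.normpath(requested.lstrip("/"))
    if norm == ".":
        return root                      # empty request: the module itself
    if norm == ".." or norm.startswith("../"):
        return None                      # would climb above the module
    full = posixpath.join(root, norm)
    if not full.startswith(root.rstrip("/") + "/"):
        return None                      # belt and braces
    return full


if __name__ == "__main__":
    for req in ("docs/./readme.txt", "/etc/passwd",
                "../../etc/passwd", "docs/../../secret"):
        print(f"{req!r:22} naive={naive_join(MODULE_ROOT, req)!r:22} "
              f"contained={contain_path(MODULE_ROOT, req)!r}")
```

A read-only or chrooted daemon, as the Trustix entry notes, limits what such an escape can reach even when the lexical check is wrong.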
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request at linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------