+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  December 5th, 2003                       Volume 4, Number 48a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                   Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx        ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, there are multiple serious vulnerabilities that need to be
addressed. Advisories were released for bind, rsync, the Linux kernel,
xboard, and gnupg. The distributions include Caldera, Conectiva, Debian,
Guardian Digital's EnGarde Secure Linux, Fedora, FreeBSD, Gentoo,
Mandrake, Red Hat, Slackware, SuSE, Trustix, Turbolinux, and Yellow Dog
Linux.

---

>> Get Thawte's NEW Step-by-Step SSL Guide for Apache <<

In this guide you will find out how to test, purchase, install and use a
Thawte Digital Certificate on your Apache web server. Throughout, best
practices for set-up are highlighted to help you ensure efficient ongoing
management of your encryption keys and digital certificates.

Get your copy of this new guide now:
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte29

---

When will it end? Last week, the biggest news was the Debian server
compromise. After some analysis, it was found that the vulnerability used
to compromise those systems also affects nearly all other Linux
distributions. After you got your systems patched and thought it was safe
to let your guard down, a serious remote rsync vulnerability was made
public. What will it be next week, or next month? No one can predict when
bugs or exploits will surface, but there is one constant in all of this:
vulnerabilities will continue to be uncovered.
Although it is now a cliché that 'security is a process, not a product,'
the events of the last few weeks further emphasize this point. By now, it
should be apparent that many of the systems we use will never be bug
free. Expect bugs, and expect them often! The most important advice that
anyone can give is: be prepared.

What is preparation? Security must be a normal business process. For
example, servers should be patched at a consistent interval, a testing
environment should be used to ensure that patches do not negatively
affect production servers, and someone in the organization should have
the responsibility of monitoring news sources for particularly harmful
vulnerabilities. For example, if your organization chooses to patch its
servers every Tuesday and Friday, but last Monday you were notified that
updates were available for the kernel, an exception to the schedule
should have been made. Similarly, there should be processes in the
organization for the review of security policies, firewall rules, access
control lists, etc. All protection mechanisms should be reviewed by more
than one person on a consistent basis. The sooner we can get out of the
'firefighter' mentality and approach security as a pure business process,
the sooner we will achieve an appropriate level of protection.

This week, take time to review the security processes in your
organization. Is there a reason for every action taken? When will your
servers be updated again? When was the last time the accounts on the
system were reviewed?

Until next time, cheers!

Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

---

Guardian Digital Launches First Secure Small Business Internet
Productivity Solution

Building a complete Internet security and productivity system for your
organization just got a whole lot simpler and more secure with Guardian
Digital Internet Productivity Suite. Web-based management, spam and virus
control, groupware, VPN services, and more!
Find out more now:
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=ips01

--------------------------------------------------------------------

CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!

Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice
award thanks to the depth of its security strategy..." Find out what the
other Linux vendors are not telling you.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

--------------------------------------------------------------------

OpenVPN: An Introduction and Interview with Founder, James Yonan

In this article, Duane Dunston gives a brief introduction to OpenVPN and
interviews its founder James Yonan.

http://www.linuxsecurity.com/feature_stories/feature_story-152.html

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Caldera          | ----------------------------//
+---------------------------------+

  12/1/2003 - Bind cache poisoning vulnerability
    BIND is an implementation of the Domain Name System (DNS) protocols.
    Successful exploitation of this vulnerability may result in a
    temporary denial of service.
    http://www.linuxsecurity.com/advisories/caldera_advisory-3826.html

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

  12/4/2003 - rsync heap buffer overflow
    rsync versions prior to 2.5.7 have a heap buffer overflow
    vulnerability which can be exploited by remote attackers to execute
    arbitrary code.
    http://www.linuxsecurity.com/advisories/conectiva_advisory-3843.html

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

  12/1/2003 - Kernel vulnerability in brk()
    Recently multiple servers of the Debian project were compromised
    using a Debian developer's account and an unknown root exploit.
    Forensics revealed a burneye-encrypted exploit. Robert van der
    Meulen managed to decrypt the binary, which revealed a kernel
    exploit. Using this bug it is possible for a userland program to
    trick the kernel into giving access to the full kernel address
    space.
    http://www.linuxsecurity.com/advisories/debian_advisory-3824.html

  12/4/2003 - Rsync heap overflow vulnerability
    While this heap overflow vulnerability could not be used by itself
    to obtain root access on an rsync server, it could be used in
    combination with the recently announced do_brk() vulnerability in
    the Linux kernel to produce a full remote compromise.
    http://www.linuxsecurity.com/advisories/debian_advisory-3839.html

+---------------------------------+
|  Distribution: EnGarde          | ----------------------------//
+---------------------------------+

  12/4/2003 - 'rsync' heap overflow vulnerability
    A heap overflow vulnerability has been discovered in all versions of
    rsync prior to 2.5.7. This vulnerability, exploitable when rsync is
    being run in "server mode", may allow the attacker to run arbitrary
    code on the compromised server.
    http://www.linuxsecurity.com/advisories/engarde_advisory-3840.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

  12/3/2003 - Kernel crash vulnerability
    The kernel shipped with Fedora Core 1 was vulnerable to a bug in the
    error return on a concurrent fork() with threaded exit() which could
    be exploited by a user-level program to crash the kernel.
    http://www.linuxsecurity.com/advisories/fedora_advisory-3831.html

  12/4/2003 - rsync heap overflow vulnerability
    A heap overflow bug exists in rsync versions prior to 2.5.7. On
    machines where the rsync server has been enabled, a remote attacker
    could use this flaw to execute arbitrary code as an unprivileged
    user.
    http://www.linuxsecurity.com/advisories/fedora_advisory-3844.html

  12/4/2003 - Xboard predictable file-write exploit
    XBoard 4.2.6 and older contains a script which writes to a file in
    /tmp with a predictable filename. Malicious users could use this
    vulnerability to force XBoard users to overwrite any file writable
    by them.
    http://www.linuxsecurity.com/advisories/fedora_advisory-3846.html

+---------------------------------+
|  Distribution: FreeBSD          | ----------------------------//
+---------------------------------+

  11/29/2003 - Bind Negative-cache DOS vulnerability
    An attacker may arrange for malicious DNS messages to be delivered
    to a target name server, and cause that name server to cache a
    negative response for some target domain name. The name server
    would thereafter respond negatively to legitimate queries for that
    domain name, resulting in a denial of service for applications that
    require DNS.
    http://www.linuxsecurity.com/advisories/freebsd_advisory-3820.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

  12/4/2003 - Rsync heap overflow vulnerability
    Rsync version 2.5.6 contains a vulnerability that can be used to run
    arbitrary code. The Gentoo infrastructure team has some reasonably
    good forensic evidence that this exploit may have been used in
    combination with the Linux kernel brk vulnerability (see GLSA
    200312-02) to exploit a rsync.gentoo.org rotation server (see
    GLSA-200312-01).
    http://www.linuxsecurity.com/advisories/gentoo_advisory-3841.html

  12/4/2003 - Kernel buffer overflow vulnerability leading to root
    Lack of proper bounds checking exists in the do_brk() kernel
    function in Linux kernels prior to 2.4.23. This bug can be used to
    give a userland program or malicious service access to the full
    kernel address space and gain root privileges. This issue is known
    to be exploitable.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-3842.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

  11/29/2003 - GnuPG Serious key vulnerability
    Phong Nguyen identified a severe bug in the way GnuPG creates and
    uses ElGamal keys for signing. This is a significant security
    failure which can lead to a compromise of almost all ElGamal keys
    used for signing. Note that this is a real-world vulnerability which
    will reveal your private key within a few seconds.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-3821.html

  12/1/2003 - Kernel buffer overflow leading to root
    A vulnerability was discovered in the Linux kernel versions 2.4.22
    and previous. A flaw in bounds checking in the do_brk() function can
    allow a local attacker to gain root privileges. This vulnerability
    is known to be exploitable; an exploit is in the wild at this time.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-3825.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

  12/1/2003 - kernel Privilege escalation vulnerability
    Updated kernel packages are now available that fix a security
    vulnerability leading to a possible privilege escalation.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3827.html

  12/2/2003 - Net-SNMP Unauthorized access vulnerability
    Updated Net-SNMP packages are available to correct a security
    vulnerability and other bugs.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3828.html

  12/4/2003 - rsync heap overflow
    A heap overflow bug exists in rsync versions prior to 2.5.7. On
    machines where the rsync server has been enabled, a remote attacker
    could use this flaw to execute arbitrary code as an unprivileged
    user.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3845.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

  12/3/2003 - Kernel buffer overflow leading to root
    New kernels are available for Slackware 9.1 and -current. These
    have been upgraded to Linux kernel version 2.4.23, which fixes a bug
    in the kernel's do_brk() function that could be exploited to gain
    root privileges.
    http://www.linuxsecurity.com/advisories/slackware_advisory-3830.html

  12/4/2003 - Rsync heap overflow vulnerability
    A security problem which may lead to unauthorized machine access or
    code execution has been fixed by upgrading to rsync-2.5.7. This
    problem only affects machines running rsync in daemon mode, and is
    easier to exploit if the non-default option "use chroot = no" is
    used in the /etc/rsyncd.conf config file.
    http://www.linuxsecurity.com/advisories/slackware_advisory-3835.html

  12/4/2003 - Rsync heap overflow vulnerability
    A security problem which may lead to unauthorized machine access or
    code execution has been fixed by upgrading to rsync-2.5.7. This
    problem only affects machines running rsync in daemon mode, and is
    easier to exploit if the non-default option "use chroot = no" is
    used in the /etc/rsyncd.conf config file.
    http://www.linuxsecurity.com/advisories/slackware_advisory-3838.html

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

  11/29/2003 - BIND Negative cache vulnerability and many others
    The BIND8 code is vulnerable to a remote denial-of-service attack by
    poisoning the cache with authoritative negative responses that
    should not be accepted otherwise. To execute this attack a name
    server needs to be under malicious control and the victim's bind8
    has to query this name server.
    http://www.linuxsecurity.com/advisories/suse_advisory-3822.html

  12/3/2003 - GnuPG multiple vulnerabilities
    Two independent errors have been found in gpg (GnuPG) packages as
    shipped with SUSE products: A) A format string error in the client
    code that does key retrieval from a (public) key server. B) A
    cryptographic error in gpg that results in a compromise of a
    cryptographic keypair if ElGamal signing keys have been used for
    generating the key.
    http://www.linuxsecurity.com/advisories/suse_advisory-3832.html

  12/4/2003 - Kernel local root exploit
    This security update fixes a serious vulnerability in the Linux
    kernel. A missing bounds check in the brk() system call allowed
    processes to request memory beyond the maximum size allowed for
    tasks, causing kernel memory to be mapped into the process' address
    space. This allowed local attackers to obtain super-user privileges.
    An exploit for this vulnerability is circulating in the wild, and
    has been used to compromise open source development servers.
    http://www.linuxsecurity.com/advisories/suse_advisory-3836.html

  12/4/2003 - Rsync heap overflow vulnerability
    Due to insufficient integer/bounds checking in the server code a
    heap overflow can be triggered remotely to execute arbitrary code.
    This code does not get executed as root and access is limited to the
    chroot environment.
    The chroot environment may be broken out of afterwards by abusing
    further holes in system software or holes in the chroot setup.
    http://www.linuxsecurity.com/advisories/suse_advisory-3837.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

  11/28/2003 - bind Cache poisoning vulnerability
    A vulnerability has been found in BIND that ".. allows an attacker
    to conduct cache poisoning attacks on vulnerable name servers by
    convincing the servers to retain invalid negative responses."
    http://www.linuxsecurity.com/advisories/trustix_advisory-3819.html

  12/1/2003 - Kernel buffer overflow leading to root
    This update fixes an issue related to bounds checking in the
    do_brk() function in the Linux kernel versions 2.4.22 and previous.
    This issue is known to be exploitable to gain root privileges.
    http://www.linuxsecurity.com/advisories/trustix_advisory-3823.html

  12/4/2003 - rsync heap overflow vulnerability
    All versions of rsync prior to 2.5.7 contain a heap overflow that
    can be used to execute arbitrary code remotely.
    http://www.linuxsecurity.com/advisories/trustix_advisory-3833.html

+---------------------------------+
|  Distribution: Turbolinux       | ----------------------------//
+---------------------------------+

  11/28/2003 - Multiple package updates
    fileutils, fetchmail, postgresql, cups, and ethereal have been
    updated to address security vulnerabilities.
    http://www.linuxsecurity.com/advisories/turbolinux_advisory-3818.html

  12/3/2003 - Kernel buffer overflow leading to root
    The kernel package contains the Linux kernel (vmlinuz), the core of
    your Linux operating system. A flaw in bounds checking in the
    do_brk() function in the Linux kernel may allow local users to gain
    root privileges.
    http://www.linuxsecurity.com/advisories/turbolinux_advisory-3829.html

+---------------------------------+
|  Distribution: Yellow Dog       | ----------------------------//
+---------------------------------+

  12/4/2003 - Kernel buffer overflow leading to root
    A flaw in bounds checking in the do_brk() function in the Linux
    kernel versions 2.4.22 and previous can allow a local attacker to
    gain root privileges. This issue is known to be exploitable; an
    exploit has been seen in the wild that takes advantage of this
    vulnerability.
    http://www.linuxsecurity.com/advisories/yellowdog_advisory-3834.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
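The do_brk() entries above (Debian, Gentoo, Mandrake, Slackware, SuSE, Trustix, Turbolinux, Yellow Dog) all describe the same defect: the heap-growth path accepted a request whose end lay past the user/kernel boundary. The following is an added example written for this page, not code from the newsletter, from any of the advisories, or from a kernel tree. It is a userland model in C of a do_brk()-style routine in its vulnerable and hardened forms; nothing in it touches a real kernel. The value of TASK_SIZE (the 3 GB user/kernel split of 32-bit x86 kernels of that period), the heap addresses, and all function names are this example's assumptions, and the exact check expression is the example's own rather than a copy of the 2.4.23 patch.

```c
#include <errno.h>
#include <stdio.h>

/* Added example, not from the newsletter or any kernel tree: a userland
 * model of the bounds check whose absence is described in the do_brk()
 * advisories. Nothing here touches a real kernel. */

/* Assumed constants: the 3 GB user/kernel split of 32-bit x86 kernels of
 * the period, a 4 KB page, and a plausible heap start for an i386 binary. */
#define TASK_SIZE   0xC0000000UL
#define PAGE_SIZE   0x1000UL
#define HEAP_START  0x08050000UL

/* Minimal stand-in for the kernel's per-task heap bookkeeping. */
typedef struct {
    unsigned long start_brk;   /* where the heap begins */
    unsigned long brk;         /* current end of the heap (exclusive) */
} model_mm;

static unsigned long page_round_up(unsigned long len)
{
    return (len + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
}

/* Vulnerable shape: extend the heap from addr by len bytes without asking
 * whether [addr, addr + len) stays inside the user part of the address
 * space. A request that ends past TASK_SIZE is accepted, which is how a
 * local user ends up with kernel memory mapped into the task. */
static int do_brk_unchecked(model_mm *mm, unsigned long addr, unsigned long len)
{
    len = page_round_up(len);
    if (len == 0)
        return 0;
    mm->brk = addr + len;
    return 0;
}

/* Hardened shape: refuse any request whose (exclusive) end would lie
 * beyond TASK_SIZE. The comparison is arranged so that addr + len is never
 * formed before it has been shown to fit, so a len chosen to wrap the sum
 * around is rejected as well. This expression is the example's own. */
static int do_brk_checked(model_mm *mm, unsigned long addr, unsigned long len)
{
    len = page_round_up(len);
    if (len == 0)
        return 0;
    if (len > TASK_SIZE || addr > TASK_SIZE - len)
        return -EINVAL;
    mm->brk = addr + len;
    return 0;
}

/* True if the modelled task now "owns" pages above the kernel boundary. */
static int maps_kernel_memory(const model_mm *mm)
{
    return mm->brk > TASK_SIZE;
}

/* Scenario: ask for a heap that ends exactly one page past TASK_SIZE.
 * Returns the brk the unchecked version leaves behind. */
static unsigned long scenario_unchecked_overgrow(void)
{
    model_mm mm = { HEAP_START, HEAP_START + 0x8000UL };
    unsigned long len = TASK_SIZE + PAGE_SIZE - mm.brk;
    do_brk_unchecked(&mm, mm.brk, len);
    return mm.brk;
}

/* The same request against the checked version; returns its error code. */
static int scenario_checked_overgrow(void)
{
    model_mm mm = { HEAP_START, HEAP_START + 0x8000UL };
    unsigned long len = TASK_SIZE + PAGE_SIZE - mm.brk;
    return do_brk_checked(&mm, mm.brk, len);
}

/* Ordinary growth by a single byte is still accepted and page-rounded. */
static unsigned long scenario_checked_normal(void)
{
    model_mm mm = { HEAP_START, HEAP_START + 0x8000UL };
    if (do_brk_checked(&mm, mm.brk, 1) != 0)
        return 0;
    return mm.brk;
}

int main(void)
{
    model_mm mm = { HEAP_START, HEAP_START + 0x8000UL };
    unsigned long len = TASK_SIZE + PAGE_SIZE - mm.brk;
    int rc;

    do_brk_unchecked(&mm, mm.brk, len);
    printf("unchecked: brk=0x%lx, maps kernel memory: %s\n",
           mm.brk, maps_kernel_memory(&mm) ? "yes" : "no");

    mm.brk = HEAP_START + 0x8000UL;
    rc = do_brk_checked(&mm, mm.brk, len);
    printf("checked:   rc=%d (EINVAL=%d), brk=0x%lx\n", rc, EINVAL, mm.brk);
    return 0;
}
```

The point the model makes is the one the advisories state in a sentence: the length is attacker-controlled, the kernel already knows the task's address limit, and a single comparison before the mapping is extended is what separates a normal heap from one that spans kernel memory. The rsync entries above show why this mattered beyond local users: a non-root foothold in a daemon plus a local root kernel bug is a full remote compromise.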