+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux Advisory Watch   |
|  January 9th, 2004                      Volume 5, Number 2a    |
+----------------------------------------------------------------+

Editors:  Dave Wreski                   Benjamin Thomas
          dave@xxxxxxxxxxxxxxxxx        ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for the Linux kernel, lftp, ethereal, screen, BIND, libnids, mpg321, nd, jabber, zebra, fsp, and vbox3. The distributors include Conectiva, Debian, Guardian Digital EnGarde Secure Linux, Fedora, Immunix, Mandrake, Openwall, Red Hat, Slackware, SuSE, Trustix, and Turbolinux.

Logging is one of the best indicators of unauthorized system activity. In a compromise, however, the integrity of the logs often comes into question: depending on the extent of the attack, they may have been deleted, modified, or flooded. A knowledgeable attacker has the skills to cover his tracks and make any forensic investigation nearly impossible. Administrators who run external intrusion detection sensors have some advantage and additional information to aid an investigation, but nothing takes the place of accurate system logs.

It is possible to have the best of both worlds by setting up an external logging server. Msyslog gives system administrators the ability to send syslog messages to an external database, so the logs from multiple servers can reside on a single hardened machine and administrators can focus all of their efforts at one location. Besides log integrity there is a second problem: administrators are often fed too much data. If logging is too verbose, real anomalies are easily overlooked.
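As an added illustration of the central-database approach described here (example code written for this page, not part of the newsletter and not msyslog's own code), the following Python script stands in for the msyslog-to-SQL pipeline: it parses a handful of constructed syslog lines from three made-up hosts (web1, db1, mail1, with invented addresses) into an in-memory SQLite table, SQLite standing in for the MySQL backend, and runs one SQL query that surfaces a single source failing logins against several servers. The thresholds (two hosts or five failures) are arbitrary assumptions; the point is that the correlation is visible only once the logs sit side by side.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample input: syslog lines from three servers as they might
# arrive at a central log host. Hostnames, users and addresses are made up.
SAMPLE_SYSLOG = """\
Jan  9 02:14:01 web1 sshd[4123]: Failed password for root from 10.0.0.77 port 40122 ssh2
Jan  9 02:14:03 web1 sshd[4125]: Failed password for admin from 10.0.0.77 port 40123 ssh2
Jan  9 02:14:05 db1 sshd[2210]: Failed password for root from 10.0.0.77 port 40130 ssh2
Jan  9 02:14:07 mail1 sshd[918]: Failed password for root from 10.0.0.77 port 40140 ssh2
Jan  9 02:14:09 mail1 sshd[919]: Failed password for oracle from 10.0.0.77 port 40141 ssh2
Jan  9 02:15:00 web1 sshd[4130]: Accepted publickey for deploy from 192.168.1.5 port 50001 ssh2
Jan  9 02:15:30 db1 sshd[2215]: Failed password for alice from 192.168.1.9 port 50210 ssh2
Jan  9 02:16:00 web1 CRON[4140]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Traditional BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# sshd's failed-authentication message; "invalid user" appears for unknown accounts.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line, year=2004):
    """Split one syslog line into fields; return None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the collector has to supply it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts.strftime("%Y-%m-%d %H:%M:%S"),
        "host": m["host"],
        "prog": m["prog"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }


def load_into_db(text, year=2004):
    """Load raw syslog text into an in-memory database (a stand-in for the
    msyslog SQL backend) and derive an auth_failures table from sshd messages."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE syslog (ts TEXT, host TEXT, prog TEXT, pid INTEGER, msg TEXT)"
    )
    con.execute(
        "CREATE TABLE auth_failures (ts TEXT, host TEXT, user TEXT, src TEXT)"
    )
    for line in text.splitlines():
        rec = parse_line(line, year)
        if rec is None:
            continue  # a real collector would count unparsable lines, not drop them silently
        con.execute("INSERT INTO syslog VALUES (:ts, :host, :prog, :pid, :msg)", rec)
        fm = FAILED_RE.search(rec["msg"]) if rec["prog"] == "sshd" else None
        if fm:
            con.execute(
                "INSERT INTO auth_failures VALUES (?, ?, ?, ?)",
                (rec["ts"], rec["host"], fm["user"], fm["src"]),
            )
    con.commit()
    return con


def find_sweeps(con, min_hosts=2, min_failures=5):
    """Correlate failures across hosts: one source hitting several servers is
    obvious here but invisible in any single server's log."""
    cur = con.execute(
        """
        SELECT src,
               COUNT(DISTINCT host) AS hosts_hit,
               COUNT(*)             AS failures,
               MIN(ts)              AS first_seen,
               MAX(ts)              AS last_seen
        FROM auth_failures
        GROUP BY src
        HAVING COUNT(DISTINCT host) >= ? OR COUNT(*) >= ?
        ORDER BY hosts_hit DESC, failures DESC
        """,
        (min_hosts, min_failures),
    )
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def alerts_for(con, **thresholds):
    """One alert string per correlated source; an empty list means nothing to report."""
    return [
        f"ALERT {r['src']}: {r['failures']} failed logins on {r['hosts_hit']} hosts "
        f"between {r['first_seen']} and {r['last_seen']}"
        for r in find_sweeps(con, **thresholds)
    ]


if __name__ == "__main__":
    db = load_into_db(SAMPLE_SYSLOG)
    for a in alerts_for(db) or ["no alerts"]:
        print(a)
```

Run as-is it reports the single source that touched all three hosts and stays silent about the lone failure from 192.168.1.9, which is the "alert only on a major problem" behaviour the editorial asks for; the same GROUP BY query works unchanged against a MySQL table fed by msyslog.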
Feeding all logs into a central database also reduces this problem. With additional software or SQL queries it becomes much easier to find correlations and anomalies in logs across multiple servers. Taking it a step further, one can automate the log analysis and alert the administrator only when there is a major problem. Managing logs effectively is no easy task, and extracting information from gigabytes of data is harder still. Yet we have a very valuable resource at our fingertips. Start using your logs; they can give a remarkably clear picture of the state of a network.

More information on using syslog with MySQL and PHP at:
http://www.linuxsecurity.com/feature_stories/feature_story-138.html

Until next time, cheers!
Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

---

Managing Linux Security Effectively in 2004

This article examines the process of proper Linux security management in 2004. First, a system should be hardened and patched. Next, a security routine should be established to ensure that all new vulnerabilities are addressed. Linux security should be treated as an evolving process.
http://www.linuxsecurity.com/feature_stories/feature_story-157.html

--------------------------------------------------------------------
CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing Editor's Choice Award, EnGarde "walked away with our Editor's Choice award thanks to the depth of its security strategy..." Find out what the other Linux vendors are not telling you.
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
--------------------------------------------------------------------

FEATURE: OSVDB: An Independent and Open Source Vulnerability Database

This article outlines the origins, purpose, and future of the Open Source Vulnerability Database project. We also talk with Tyler Owen, a major contributor.
http://www.linuxsecurity.com/feature_stories/feature_story-156.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

  1/5/2004 - kernel
    Privilege escalation vulnerability
    Paul Starzetz from iSEC Security Research reported another vulnerability in the Linux memory management code which can be used by local attackers to obtain root privileges or cause a denial of service condition (DoS).
    http://www.linuxsecurity.com/advisories/conectiva_advisory-3912.html

  1/6/2004 - lftp
    Buffer overflow vulnerability
    Ulf Härnhammar reported two buffer overflow vulnerabilities in the lftp program. An attacker could prepare a directory on a server which, if accessed by a vulnerable lftp with the "ls" or "rels" command, could cause arbitrary code to be executed on the client.
    http://www.linuxsecurity.com/advisories/conectiva_advisory-3919.html

  1/7/2004 - ethereal
    Denial of service vulnerability
    When reading crafted data, Ethereal will crash.
    http://www.linuxsecurity.com/advisories/conectiva_advisory-3932.html

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

  1/5/2004 - ethereal
    Denial of service attack
    A heap-based buffer overflow allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SOCKS dissector.
    http://www.linuxsecurity.com/advisories/debian_advisory-3906.html

  1/5/2004 - lftp
    Buffer overflow vulnerability
    An attacker could create a carefully crafted directory on a website so that the execution of an 'ls' or 'rels' command would lead to the execution of arbitrary code on the client machine.
    http://www.linuxsecurity.com/advisories/debian_advisory-3907.html

  1/5/2004 - screen
    Privilege leak vulnerability
    Timo Sirainen reported a vulnerability in screen, a terminal multiplexor with VT100/ANSI terminal emulation, that can allow an attacker to gain group utmp privileges.
    http://www.linuxsecurity.com/advisories/debian_advisory-3908.html

  1/6/2004 - BIND
    Cache poisoning vulnerability
    A vulnerability was discovered in BIND, a domain name server, whereby a malicious name server could return authoritative negative responses with a large TTL (time-to-live) value, thereby rendering a domain name unreachable. A successful attack would require that a vulnerable BIND instance submit a query to a malicious name server.
    http://www.linuxsecurity.com/advisories/debian_advisory-3915.html

  1/6/2004 - libnids
    Buffer overflow vulnerability
    A vulnerability was discovered in libnids, a library used to analyze IP network traffic, whereby a carefully crafted TCP datagram could cause memory corruption and potentially execute arbitrary code with the privileges of the user running a program that uses libnids (such as dsniff).
    http://www.linuxsecurity.com/advisories/debian_advisory-3916.html

  1/6/2004 - mpg321
    Format string vulnerability
    A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code.
    http://www.linuxsecurity.com/advisories/debian_advisory-3917.html

  1/6/2004 - nd
    Buffer overflow vulnerability
    Multiple vulnerabilities were discovered in nd, a command-line WebDAV interface, whereby long strings received from the remote server could overflow fixed-length buffers. This vulnerability could be exploited by a remote attacker in control of a malicious WebDAV server to execute arbitrary code if the server was accessed by a vulnerable version of nd.
    http://www.linuxsecurity.com/advisories/debian_advisory-3918.html

  1/6/2004 - kernel
    Privilege escalation vulnerability
    Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in versions 2.2.x, 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges.
    http://www.linuxsecurity.com/advisories/debian_advisory-3923.html

  1/7/2004 - jabber
    Denial of service vulnerability
    A bug in the handling of SSL connections could cause the server process to crash, resulting in a denial of service.
    http://www.linuxsecurity.com/advisories/debian_advisory-3928.html

  1/7/2004 - zebra
    Denial of service vulnerability
    Two vulnerabilities were discovered in zebra, both resulting in a denial of service.
    http://www.linuxsecurity.com/advisories/debian_advisory-3929.html

  1/7/2004 - fsp
    Buffer overflow / directory traversal vulnerabilities
    A remote user could both escape from the FSP root directory and overflow a fixed-length buffer to execute arbitrary code.
    http://www.linuxsecurity.com/advisories/debian_advisory-3930.html

  1/7/2004 - kernel
    Privilege escalation vulnerability (further update)
    A flaw in bounds checking in mremap() in the Linux kernel may allow a local attacker to gain root privileges.
    http://www.linuxsecurity.com/advisories/debian_advisory-3931.html

  1/8/2004 - vbox3
    Privilege leak vulnerability
    Root privileges were not properly relinquished before executing a user-supplied Tcl script.
    http://www.linuxsecurity.com/advisories/debian_advisory-3933.html

+---------------------------------+
|  Distribution: EnGarde          | ----------------------------//
+---------------------------------+

  1/5/2004 - kernel
    Bug and security fixes
    This update fixes two security issues and one critical bug in the Linux kernel shipped with EnGarde Secure Linux.
    http://www.linuxsecurity.com/advisories/engarde_advisory-3904.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

  1/6/2004 - kernel
    Privilege escalation vulnerability
    Paul Starzetz discovered a flaw in bounds checking in mremap() in Linux kernel versions 2.4.23 and earlier which may allow a local attacker to gain root privileges.
    http://www.linuxsecurity.com/advisories/fedora_advisory-3913.html

+---------------------------------+
|  Distribution: Immunix          | ----------------------------//
+---------------------------------+

  1/6/2004 - kernel
    Privilege escalation vulnerability
    Paul Starzetz has discovered a mishandled boundary condition in the mremap(2) system call; Starzetz reports that this vulnerability may be exploited by local untrusted users to gain root privileges.
    http://www.linuxsecurity.com/advisories/immunix_advisory-3914.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

  1/8/2004 - kernel
    Privilege escalation vulnerability
    A flaw in bounds checking in mremap() in the Linux kernel may be used to allow a local attacker to obtain root privileges.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-3934.html

+---------------------------------+
|  Distribution: Openwall         | ----------------------------//
+---------------------------------+

  1/6/2004 - kernel
    Privilege escalation vulnerability
    This vulnerability may allow any local user and any process to execute arbitrary code with kernel privileges and thus gain root access.
    http://www.linuxsecurity.com/advisories/openwall_advisory-3921.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

  1/5/2004 - kernel
    Privilege escalation vulnerability
    Updated kernel packages are now available that fix a security vulnerability which may allow local users to gain root privileges.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3909.html

  1/8/2004 - ethereal
    Denial of service vulnerabilities
    By exploiting these two issues it may be possible to make Ethereal crash by injecting an intentionally malformed packet.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3935.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

  1/7/2004 - kernel
    Privilege escalation vulnerability
    There is a bounds-checking problem in the kernel's mremap() call which could be used by a local attacker to gain root privileges.
    http://www.linuxsecurity.com/advisories/slackware_advisory-3926.html

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

  1/5/2004 - kernel
    Privilege escalation vulnerability
    By exploiting an incorrect bounds check in do_mremap() during the remapping of memory it is possible to create a VMA of size 0.
    http://www.linuxsecurity.com/advisories/suse_advisory-3911.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

  1/5/2004 - kernel
    Privilege escalation vulnerability
    The kernel packages prior to this update suffer from a bug in the mremap function. This issue is fixed in this update. Some minor bugs in the structure of the packages have also been fixed.
    http://www.linuxsecurity.com/advisories/trustix_advisory-3910.html

+---------------------------------+
|  Distribution: Turbolinux       | ----------------------------//
+---------------------------------+

  1/6/2004 - kernel
    Privilege escalation vulnerability
    Local users may be able to gain root privileges.
    http://www.linuxsecurity.com/advisories/turbolinux_advisory-3922.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
                LinuxSecurity.com

To unsubscribe, email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------