+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  August 20, 2004                              Volume 5, Number 33a  |
+---------------------------------------------------------------------+

  Editors:     Dave Wreski                   David Isecke
               dave@xxxxxxxxxxxxxxxxx        dai@xxxxxxxxxxxxxxxxx

This week, advisories were released for acroread, ftpd, gaim, glibc, gv,
kdelibs, kernel, mozilla, mysql, Nessus, Netscape, pam, qt3, Roundup,
rsync, ruby, semi, spamassassin, squirrelmail, and Tomcat. The
distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, NetBSD,
Red Hat, Suse, and Trustix.

-----

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you
the best security and productivity applications available. Collaborating
with thousands of developers, Guardian Digital security engineers
implement the most technologically advanced ideas and methods into their
design.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

-----

Reducing the Risk

Reducing the risk of intrusion can be achieved by eliminating many of the
known common problems. The vast majority of attacks are done by script
kiddies who scan massive IP blocks looking for a vulnerable computer,
then run a program which they don't understand to exploit the
vulnerability they've just discovered. To block these script kiddies,
just fix the common vulnerabilities that the programs they use rely on.

Buffer Overflow

A buffer overflow attack is when the attacker sends malformed packets to
a service that cause a memory buffer to overflow. The cracker hopes this
will cause the program to crash and default into a root prompt. Buffer
overflows happen because of programming errors where input was not
checked to be valid. To prevent buffer overflows, all code must be
meticulously hand checked multiple times by multiple people.
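To make the tip's point concrete, here is an added C example (not from the
newsletter or its author) showing the kind of unchecked copy that produces
a buffer overflow, next to the bounded version that such a hand check is
meant to catch. The service, the NAME_MAX buffer size and the function
names are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer the (hypothetical) service copies a client
 * name into. 16 bytes is a constructed value for the example. */
#define NAME_MAX 16

/* The defect the tip describes: the input length is never compared with
 * the buffer size. A client name of NAME_MAX bytes or more runs past the
 * end of 'name' into whatever the compiler placed after it. Shown only to
 * mark the bug; it is never called with untrusted input here. */
void greet_unchecked(const char *client_name)
{
    char name[NAME_MAX];
    strcpy(name, client_name);   /* no length check: this is the overflow */
    printf("hello %s\n", name);
}

/* Hardened form: find out whether the input fits *before* copying, using
 * a bounded scan (memchr stops at out_len, so it never reads past the
 * caller's limit either). Returns 0 on success and -1 if the name would
 * not fit together with its terminating NUL. Rejecting, rather than
 * silently truncating, lets the caller log the malformed request. */
int copy_name_checked(const char *client_name, char *out, size_t out_len)
{
    const char *nul = memchr(client_name, '\0', out_len);
    if (nul == NULL) {
        return -1;               /* no terminator within out_len: too long */
    }
    memcpy(out, client_name, (size_t)(nul - client_name) + 1);
    return 0;
}

/* Service entry point: accepts a name that fits, rejects (and reports)
 * one that does not. */
int handle_client_name(const char *client_name)
{
    char name[NAME_MAX];
    if (copy_name_checked(client_name, name, sizeof name) != 0) {
        fprintf(stderr, "rejected: client name exceeds %d bytes\n", NAME_MAX - 1);
        return -1;
    }
    printf("hello %s\n", name);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would have overflowed. */
    handle_client_name("alice");
    handle_client_name("this-name-is-far-too-long-for-the-buffer");
    return 0;
}
```

The check itself is only a few lines; the hard part is finding every
unchecked copy in a large code base, which is why the tip's advice about
patching and removing unneeded services matters.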
Since this is not often possible, to limit the chances of being
successfully cracked by a buffer overflow attack, make sure you keep your
systems up to date and get rid of all excess services. The fewer services
your server offers, the less code there is that could contain a buffer
overflow. Also, there are kernel patches that prevent some forms of
buffer overflow.

Denial of Service

A Denial of Service (DoS) attack can come in many shapes and forms. The
Blue Screen of Death from Windows can be one if it is caused by someone
and not just poor programming. Also, the infamous DDoS attacks from
earlier this year are an example where multiple 'zombie' computers
coordinate to attack a host all at the same time. A DoS attack is
anything that maliciously prevents the computer from doing what was
intended. This is usually accomplished through errors in code that cause
the program to eat up all the system resources.

IP Session Hi-Jacking

IP Session Hi-Jacking, also known as a man in the middle attack, is a
sophisticated attack which can now be done using tools circulating in the
script kiddie community. In an IP Session Hi-Jacking, a user connects to
a system using a service like telnet, then a cracker intercepts the
packets and tricks the system into thinking that the cracker's machine is
actually the user's machine. The user will think her connection got
dropped, when in actuality it is still going, but it has been taken over
by the cracker. There is no way to block this form of attack outright,
but there are checks that can be done to prevent it. Telnet is the type
of service that crackers want to hi-jack; it has shell access, is
unencrypted, and doesn't perform many checks to make sure the person
really is who they say they are. SSH, on the other hand, would be very
hard to hi-jack; it has strong encryption, multiple checks of an
identity, and can have its shell access limited.
Most services can't really be hi-jacked, but the ones that can, like
telnet, usually have a secure replacement, like SSH, that can be used
instead.

Security Tip Written by Ryan Maple (ryan@xxxxxxxxxxxxxxxxxxx)
Additional tips are available at the following URL:
http://www.linuxsecurity.com/tips/

----

An Interview with Gary McGraw, Co-author of Exploiting Software: How to
Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing
software, having co-authored the classic Building Secure Software
(Addison-Wesley, 2002). More recently, he has co-written with Greg
Hoglund a companion volume, Exploiting Software, which details software
security from the vantage point of the other side, the attacker. He has
graciously agreed to share some of his insights with all of us at
LinuxSecurity.com.

http://www.linuxsecurity.com/feature_stories/feature_story-171.html

---------------------------------------------------------------------

Security Expert Dave Wreski Discusses Open Source Security

LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian
Digital, Inc. and respected author of various hardened security and Linux
publications, to talk about how Guardian Digital is changing the face of
IT security today. Guardian Digital is perhaps best known for their
hardened Linux solution EnGarde Secure Linux, touted as the premier
secure, open-source platform for its comprehensive array of general
purpose services, such as web, FTP, email, DNS, IDS, routing, VPN,
firewalling, and much more.

http://www.linuxsecurity.com/feature_stories/feature_story-170.html

------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

 8/13/2004 - squirrelmail
   Multiple vulnerabilities
   This patch addresses four vulnerabilities in SquirrelMail, including
   XSS and SQL injection attacks.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-4669.html

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 8/20/2004 - ruby
   Insecure file permissions
   This can allow an attacker who also has shell access to the webserver
   to take over a session.
   http://www.linuxsecurity.com/advisories/debian_advisory-4689.html

 8/20/2004 - rsync
   Insufficient path sanitation
   The rsync developers have discovered a security related problem in
   rsync which allows an attacker to access files outside of the defined
   directory.
   http://www.linuxsecurity.com/advisories/debian_advisory-4690.html

 8/20/2004 - kdelibs
   Insecure temporary file vulnerability
   This can be abused by a local attacker to create or truncate arbitrary
   files or to prevent KDE applications from functioning correctly.
   http://www.linuxsecurity.com/advisories/debian_advisory-4691.html

 8/20/2004 - mysql
   Insecure temporary file vulnerability
   Jeroen van Wolffelaar discovered an insecure temporary file
   vulnerability in the mysqlhotcopy script when using the scp method,
   which is part of the mysql-server package.
   http://www.linuxsecurity.com/advisories/debian_advisory-4692.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 8/20/2004 - rsync
   Insufficient path sanitization
   This update backports a security fix to a path-sanitizing flaw that
   affects rsync when it is used in daemon mode without also using
   chroot.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4688.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 8/13/2004 - Roundup
   Filesystem access vulnerability
   Roundup will make files owned by the user that it's running as
   accessible to a remote attacker.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4664.html

 8/13/2004 - gv
   Buffer overflow vulnerability
   gv contains an exploitable buffer overflow that allows an attacker to
   execute arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4665.html

 8/13/2004 - Nessus
   Race condition vulnerability
   Nessus contains a vulnerability allowing a user to perform a privilege
   escalation attack using "adduser".
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4666.html

 8/13/2004 - Gaim
   Buffer overflow vulnerability
   Gaim contains a remotely exploitable buffer overflow vulnerability in
   the MSN-protocol parsing code that may allow remote execution of
   arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4667.html

 8/13/2004 - kdebase, kdelibs
   Multiple vulnerabilities
   KDE contains three security issues that can allow an attacker to
   compromise system accounts, cause a Denial of Service, or spoof
   websites via frame injection.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4668.html

 8/20/2004 - acroread
   Buffer overflow vulnerabilities
   Acroread contains two errors in the handling of UUEncoded filenames
   that may lead to execution of arbitrary code or programs.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4682.html

 8/20/2004 - Tomcat
   Insecure installation
   Improper file ownership may allow a member of the tomcat group to
   execute scripts as root.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4683.html

 8/20/2004 - glibc
   Information leak vulnerability
   glibc contains an information leak vulnerability allowing the
   debugging of SUID binaries.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4684.html

 8/20/2004 - rsync
   Insufficient path sanitation
   This vulnerability could allow the listing of arbitrary files and
   allow file overwriting outside the module's path on rsync server
   configurations that allow uploading.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4685.html

 8/20/2004 - xine-lib
   Buffer overflow vulnerability
   An attacker may construct a carefully-crafted playlist file which will
   cause xine-lib to execute arbitrary code with the permissions of the
   user.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4686.html

 8/20/2004 - courier-imap
   Format string vulnerability
   An attacker may be able to execute arbitrary code as the user running
   courier-imapd (oftentimes root).
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4687.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 8/13/2004 - gaim
   Buffer overflow vulnerabilities
   Sebastian Krahmer discovered two remotely exploitable buffer overflow
   vulnerabilities in the gaim instant messenger.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4662.html

 8/13/2004 - mozilla
   Multiple vulnerabilities
   A large number of Mozilla vulnerabilities are addressed by this
   update.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4663.html

 8/20/2004 - rsync
   Insufficient path sanitation
   If rsync is running in daemon mode, and not in a chrooted environment,
   it is possible for a remote attacker to trick rsyncd into creating an
   absolute pathname while sanitizing it.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4679.html

 8/20/2004 - spamassassin
   Denial of service vulnerability
   Security fix prevents a denial of service attack open to certain
   malformed messages.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4680.html

 8/20/2004 - qt3
   Heap overflow vulnerability
   This vulnerability could allow for the compromise of the account used
   to view or browse malicious graphic files.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4681.html

+---------------------------------+
|  Distribution: NetBSD           | ----------------------------//
+---------------------------------+

 8/20/2004 - ftpd
   Privilege escalation vulnerability
   A set of flaws in the ftpd source code can be used together to achieve
   root access within an ftp session.
   http://www.linuxsecurity.com/advisories/netbsd_advisory-4678.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 8/19/2004 - pam
   Privilege escalation vulnerability
   If the pam_wheel module was used with the "trust" option enabled, but
   without the "use_uid" option, any local user could use PAM to gain
   access to a superuser account without supplying a password.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4670.html

 8/19/2004 - Itanium kernel
   Multiple vulnerabilities
   Updated Itanium kernel packages that fix a number of security issues
   are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4671.html

 8/19/2004 - semi
   Insecure temporary file vulnerability
   Temporary files were being created without taking adequate
   precautions, and therefore a local user could potentially overwrite
   files with the privileges of the user running emacs.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4672.html

 8/20/2004 - Netscape
   Multiple vulnerabilities
   Netscape Navigator and Netscape Communicator have been removed from
   the Red Hat Enterprise Linux 2.1 CD-ROM distribution as part of
   Update 5. These packages were based on Netscape 4.8, which is known to
   be vulnerable to recent critical security issues, such as
   CAN-2004-0597, CAN-2004-0598, and CAN-2004-0599.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4673.html

 8/20/2004 - kernel
   Denial of service vulnerability
   A bug in the SoundBlaster 16 code which did not properly handle
   certain sample sizes has been fixed. This flaw could be used by local
   users to crash a system.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4674.html

+---------------------------------+
|  Distribution: Suse             | ----------------------------//
+---------------------------------+

 8/20/2004 - rsync
   Insufficient pathname sanitizing
   If rsync is running in daemon-mode and without a chroot environment,
   it is possible for a remote attacker to trick rsyncd into creating an
   absolute pathname while sanitizing it.
   http://www.linuxsecurity.com/advisories/suse_advisory-4676.html

 8/20/2004 - qt3
   Buffer overflow vulnerability
   Chris Evans found a heap overflow in the BMP image format parser which
   can probably be abused by remote attackers to execute arbitrary code.
   http://www.linuxsecurity.com/advisories/suse_advisory-4677.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 8/20/2004 - rsync
   Path escape vulnerability
   Please either enable chroot or upgrade to 2.6.1. People not running a
   daemon, running a read-only daemon, or running a chrooted daemon are
   totally unaffected.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4675.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------