+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| December 5th, 2003 Volume 4, Number 48a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
dave@private ben@private
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.
This week, there are multiple serious vulnerabilities that need to be
addressed. Advisories were released for bind, rsync, the Linux kernel,
xboard, and gnupg. The distributions include Caldera, Conectiva, Debian,
Guardian Digital's EnGarde Secure Linux, Fedora, FreeBSD, Gentoo,
Mandrake, Red Hat, Slackware, SuSE, Trustix, Turbolinux, and Yellow Dog
Linux.
---
>> Get Thawte's NEW Step-by-Step SSL Guide for Apache <<
In this guide you will find out how to test, purchase, install and use a
Thawte Digital Certificate on your Apache web server. Throughout, best
practices for set-up are highlighted to help you ensure efficient ongoing
management of your encryption keys and digital certificates.
Get your copy of this new guide now:
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte29
---
When will it end? Last week, the biggest news was the Debian server
compromise. After some analysis, it was found that the vulnerability used
to compromise those systems also affects nearly all other Linux
distributions. After you got your systems patched and thought it was safe
to let your guard down, a serious remote rsync vulnerability was made
public. What will it be next week, or next month? No one can predict when
bugs or exploits will surface, but there is one constant in all of
this. Vulnerabilities will continue to be uncovered.
Although it is now cliché that 'security is a process, not a product,' the
events in the last few weeks further emphasize this point. By now, it
should be apparent that many of the systems that we are using will never
be bug free. Expect them, and expect them often! The most important
advice that anyone can give is, be prepared. What is preparation?
Security must be a normal business process. For example, servers should
be patched at a consistent interval, a testing environment should be used
to ensure that patches do not negatively affect production servers, and
someone in the organization should have the responsibility of monitoring
news sources looking for particularly harmful vulnerabilities. For example,
if your organization chooses to patch the servers every Tuesday and
Friday, but last Monday you were notified that updates were available for
the Kernel, a special consideration should have then been made.
Similarly, there should be processes in the organization for the review of
security policies, firewall rules, access control lists, etc. All
protection mechanisms should be reviewed by more than one person on a
consistent basis. The sooner that we can get out of the 'firefighter'
mentality and approach security as a pure business process, the sooner we
will achieve an appropriate level of protection. This week, take time to
review the security processes in your organization. Is there a reason for
every action taken? When will your servers be updated again? When was the
last time we reviewed the accounts on the system?
Until next time, cheers!
Benjamin D. Thomas
ben@private
---
Guardian Digital Launches First Secure Small Business Internet
Productivity Solution
Building a complete Internet security and productivity system for your
organization just got a whole lot simpler and more secure with Guardian
Digital Internet Productivity Suite. Web-based management, spam and virus
control, groupware, VPN services, and more!
Find out more now:
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=ips01
--------------------------------------------------------------------
CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
thanks to the depth of its security strategy..." Find out what the other
Linux vendors are not telling you.
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
--------------------------------------------------------------------
OpenVPN: An Introduction and Interview with Founder, James Yonan In this
article, Duane Dunston gives a brief introduction to OpenVPN and
interviews its founder James Yonan.
http://www.linuxsecurity.com/feature_stories/feature_story-152.html
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Caldera | ----------------------------//
+---------------------------------+
12/1/2003 - Bind
cache poisoning vulnerability
BIND is an implementation of the Domain Name System (DNS) protocols.
Successful exploitation of this vulnerability may result in a temporary
denial of service.
http://www.linuxsecurity.com/advisories/caldera_advisory-3826.html
+---------------------------------+
| Distribution: Conectiva | ----------------------------//
+---------------------------------+
12/4/2003 - rsync
heap buffer overflow
rsync versions prior to 2.5.7 have a heap buffer overflow
vulnerability which can be exploited by remote attackers to execute
arbitrary code.
http://www.linuxsecurity.com/advisories/conectiva_advisory-3843.html
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
12/1/2003 - Kernel
vulnerability in brk()
Recently, multiple servers of the Debian project were compromised using
a Debian developer's account and an unknown root exploit. Forensics
revealed a burneye encrypted exploit. Robert van der Meulen managed to
decrypt the binary which revealed a kernel exploit. Using this bug it
is possible for a userland program to trick the kernel into giving
access to the full kernel address space.
http://www.linuxsecurity.com/advisories/debian_advisory-3824.html
12/4/2003 - Rsync
heap overflow vulnerability
While this heap overflow vulnerability could not be used by itself to
obtain root access on an rsync server, it could be used in combination
with the recently announced do_brk() vulnerability in the Linux kernel
to produce a full remote compromise.
http://www.linuxsecurity.com/advisories/debian_advisory-3839.html
+---------------------------------+
| Distribution: EnGarde | ----------------------------//
+---------------------------------+
12/4/2003 - rsync
heap overflow vulnerability
A heap overflow vulnerability has been discovered in all versions of
rsync prior to 2.5.7. This vulnerability, exploitable when rsync is
being run in "server mode", may allow the attacker to run arbitrary
code on the compromised server.
http://www.linuxsecurity.com/advisories/engarde_advisory-3840.html
+---------------------------------+
| Distribution: Fedora | ----------------------------//
+---------------------------------+
12/3/2003 - Kernel
crash vulnerability
The kernel shipped with Fedora Core 1 was vulnerable to a bug in the
error return on a concurrent fork() with threaded exit() which could be
exploited by a user level program to crash the kernel.
http://www.linuxsecurity.com/advisories/fedora_advisory-3831.html
12/4/2003 - rsync
heap overflow vulnerability
A heap overflow bug exists in rsync versions prior to 2.5.7. On
machines where the rsync server has been enabled, a remote attacker
could use this flaw to execute arbitrary code as an unprivileged user.
http://www.linuxsecurity.com/advisories/fedora_advisory-3844.html
12/4/2003 - Xboard
predictable file-write exploit
XBoard 4.2.6 and older contains a script which writes to a file in /tmp
with a predictable filename. Malicious users could use this
vulnerability to force XBoard users to overwrite any file writable by
them.
http://www.linuxsecurity.com/advisories/fedora_advisory-3846.html
+---------------------------------+
| Distribution: FreeBSD | ----------------------------//
+---------------------------------+
11/29/2003 - Bind
Negative-cache DOS vulnerability
An attacker may arrange for malicious DNS messages to be delivered to a
target name server, and cause that name server to cache a negative
response for some target domain name. The name server would thereafter
respond negatively to legitimate queries for that domain name,
resulting in a denial-of-service for applications that require DNS.
http://www.linuxsecurity.com/advisories/freebsd_advisory-3820.html
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
12/4/2003 - Rsync
heap overflow vulnerability
Rsync version 2.5.6 contains a vulnerability that can be used to run
arbitrary code. The Gentoo infrastructure team has some reasonably good
forensic evidence that this exploit may have been used in combination
with the Linux kernel brk vulnerability (see GLSA 200312-02) to exploit
an rsync.gentoo.org rotation server (see GLSA 200312-01).
http://www.linuxsecurity.com/advisories/gentoo_advisory-3841.html
12/4/2003 - Kernel
buffer overflow vulnerability leading to root
Lack of proper bounds checking exists in the do_brk() kernel function
in Linux kernels prior to 2.4.23. This bug can be used to give a
userland program or malicious service access to the full kernel address
space and gain root privileges. This issue is known to be exploitable.
http://www.linuxsecurity.com/advisories/gentoo_advisory-3842.html
+---------------------------------+
| Distribution: Mandrake | ----------------------------//
+---------------------------------+
11/29/2003 - GnuPG
Serious key vulnerability
Phong Nguyen identified a severe bug in the way GnuPG creates and uses
ElGamal keys for signing. This is a significant security failure which
can lead to a compromise of almost all ElGamal keys used for signing.
Note that this is a real world vulnerability which will reveal your
private key within a few seconds.
http://www.linuxsecurity.com/advisories/mandrake_advisory-3821.html
12/1/2003 - Kernel
buffer overflow leading to root
A vulnerability was discovered in the Linux kernel versions 2.4.22 and
previous. A flaw in bounds checking in the do_brk() function can allow
a local attacker to gain root privileges. This vulnerability is known
to be exploitable; an exploit is in the wild at this time.
http://www.linuxsecurity.com/advisories/mandrake_advisory-3825.html
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
12/1/2003 - kernel
Privilege escalation vulnerability
Updated kernel packages are now available that fix a security
vulnerability leading to a possible privilege escalation.
http://www.linuxsecurity.com/advisories/redhat_advisory-3827.html
12/2/2003 - Net-SNMP
Unauthorized access vulnerability
Updated Net-SNMP packages are available to correct a security
vulnerability and other bugs.
http://www.linuxsecurity.com/advisories/redhat_advisory-3828.html
12/4/2003 - rsync
heap overflow
A heap overflow bug exists in rsync versions prior to 2.5.7. On
machines where the rsync server has been enabled, a remote attacker
could use this flaw to execute arbitrary code as an unprivileged user.
http://www.linuxsecurity.com/advisories/redhat_advisory-3845.html
+---------------------------------+
| Distribution: Slackware | ----------------------------//
+---------------------------------+
12/3/2003 - Kernel
buffer overflow leading to root
New kernels are available for Slackware 9.1 and -current. These have
been upgraded to Linux kernel version 2.4.23, which fixes a bug in the
kernel's do_brk() function that could be exploited to gain root
privileges.
http://www.linuxsecurity.com/advisories/slackware_advisory-3830.html
12/4/2003 - Rsync
heap overflow vulnerability
A security problem which may lead to unauthorized machine access or
code execution has been fixed by upgrading to rsync-2.5.7. This problem
only affects machines running rsync in daemon mode, and is easier to
exploit if the non-default option "use chroot = no" is used in the
/etc/rsyncd.conf config file.
http://www.linuxsecurity.com/advisories/slackware_advisory-3835.html
12/4/2003 - Rsync
heap overflow vulnerability
A security problem which may lead to unauthorized machine access or code
execution has been fixed by upgrading to rsync-2.5.7. This problem only
affects machines running rsync in daemon mode, and is easier to exploit
if the non-default option "use chroot = no" is used in the
/etc/rsyncd.conf config file.
http://www.linuxsecurity.com/advisories/slackware_advisory-3838.html
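As an added illustration of the option the Slackware advisory names (not part of the advisory, nor the rsync project's own documentation), here is a constructed /etc/rsyncd.conf showing the non-default "use chroot = no" setting beside the default, together with other rsyncd.conf options that narrow what a daemon-mode module exposes; the module names, path and address range are assumptions.

```ini
# Constructed example /etc/rsyncd.conf; not taken from the advisory or
# from the rsync project. Module names, path and address range are
# assumptions. Comments are kept on their own lines because rsyncd.conf
# does not strip trailing comments from a value.

# Weaker form named in the advisory: the non-default "use chroot = no"
# drops the chroot that would otherwise confine the daemon-side process.
[mirror-weak]
    path = /srv/mirror
    use chroot = no

# Default form: keep the chroot, and narrow what the module exposes so a
# compromise of the daemon process has less to work with.
[mirror]
    path = /srv/mirror
    comment = Public mirror, read-only
    # "yes" is the default; leave it that way.
    use chroot = yes
    read only = yes
    # Run transfers as an unprivileged account.
    uid = nobody
    gid = nobody
    # Only clients in this range can reach the module at all; hosts that
    # do not match "hosts allow" are denied.
    hosts allow = 192.0.2.0/24
    max connections = 10
```

The chroot only limits the impact of a daemon-mode compromise; the fix itself is the upgrade to rsync 2.5.7 that the advisory describes.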
+---------------------------------+
| Distribution: SuSE | ----------------------------//
+---------------------------------+
11/29/2003 - BIND
Negative cache vulnerability and many others
The BIND8 code is vulnerable to a remote denial-of-service attack by
poisoning the cache with authoritative negative responses that should
not be accepted otherwise. To execute this attack a name-server needs
to be under malicious control and the victim's bind8 has to query this
name-server.
http://www.linuxsecurity.com/advisories/suse_advisory-3822.html
12/3/2003 - GnuPG
multiple vulnerabilities
Two independent errors have been found in gpg (GnuPG) packages as
shipped with SUSE products: A) A format string error in the client
code that does key retrieval from a (public) key server B) A
cryptographic error in gpg that results in a compromise of a
cryptographic keypair if ElGamal signing keys have been used for
generating the key.
http://www.linuxsecurity.com/advisories/suse_advisory-3832.html
12/4/2003 - Kernel
local root exploit
This security update fixes a serious vulnerability in the Linux kernel.
A missing bounds check in the brk() system call allowed processes to
request memory beyond the maximum size allowed for tasks, causing
kernel memory to be mapped into the process' address space. This
allowed local attackers to obtain super user privileges. An exploit for
this vulnerability is circulating in the wild, and has been used to
compromise OpenSource development servers.
http://www.linuxsecurity.com/advisories/suse_advisory-3836.html
12/4/2003 - Rsync
heap overflow vulnerability
Due to insufficient integer/bounds checking in the server code a heap
overflow can be triggered remotely to execute arbitrary code. This code
does not get executed as root and access is limited to the chroot
environment. The chroot environment may be broken afterwards by abusing
further holes in system software or holes in the chroot setup.
http://www.linuxsecurity.com/advisories/suse_advisory-3837.html
+---------------------------------+
| Distribution: Trustix | ----------------------------//
+---------------------------------+
11/28/2003 - bind
Cache poisoning vulnerability
A vulnerability has been found in BIND that ".. allows an attacker to
conduct cache poisoning attacks on vulnerable name servers by
convincing the servers to retain invalid negative responses."
http://www.linuxsecurity.com/advisories/trustix_advisory-3819.html
12/1/2003 - Kernel
buffer overflow leading to root
This update fixes an issue related to bounds checking in the do_brk()
function in the Linux kernel versions 2.4.22 and previous. This issue
is known to be exploitable gaining root privileges.
http://www.linuxsecurity.com/advisories/trustix_advisory-3823.html
12/4/2003 - rsync
heap overflow vulnerability
All versions of rsync prior to 2.5.7 contain a heap overflow that can
be used to execute arbitrary code remotely.
http://www.linuxsecurity.com/advisories/trustix_advisory-3833.html
+---------------------------------+
| Distribution: Turbolinux | ----------------------------//
+---------------------------------+
11/28/2003 - Multiple
package updates
fileutils, fetchmail, postgresql, cups, and ethereal have been updated
to address security vulnerabilities.
http://www.linuxsecurity.com/advisories/turbolinux_advisory-3818.html
12/3/2003 - Kernel
buffer overflow leading to root
The kernel package contains the Linux kernel (vmlinuz), the core of
your Linux operating system. A flaw in bounds checking in the do_brk()
function in the Linux kernel may allow local users to gain root
privileges.
http://www.linuxsecurity.com/advisories/turbolinux_advisory-3829.html
+---------------------------------+
| Distribution: Yellow Dog | ----------------------------//
+---------------------------------+
12/4/2003 - Kernel
buffer overflow leading to root
A flaw in bounds checking in the do_brk() function in the Linux kernel
versions 2.4.22 and previous can allow a local attacker to gain root
privileges. This issue is known to be exploitable; an exploit has been
seen in the wild that takes advantage of this vulnerability.
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3834.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Dec 08 2003 - 04:56:13 PST