+----------------------------------------------------------------+ | LinuxSecurity.com Linux Advisory Watch | | January 9th, 2004 Volume 5, Number 2a | +----------------------------------------------------------------+ Editors: Dave Wreski Benjamin Thomas dave@private ben@private Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for the Linux kernel, lftp, ethereal, screen, BIND, libnids, mpg321, nd, jabber, zebra, fsp, and vbox3. The distributors include Conectiva, Debian, Guardian Digital EnGarde Secure Linux, Fedora, Immunix, Mandrake, Openwall, Red Hat, Slackware, SuSE, Trustix, and Turbolinux. One of the greatest indicators of unauthorized system activity is logging. However, in a compromise the integrity of logs often come into question. Depending on the extent of an attack, logs could have been deleted, modified, or flooded. More knowledgeable attackers possess the skills necessary to cover their tracks and make any forensic investigation virtually impossible. Those administrators who have external intrusion detection sensors will have some advantage and additional information to aid in an investigation, but nothing takes the place of accurate system logs. It is possible to have the best of both worlds by setting up an external logging server. Msyslog gives system administrators the ability to send syslog messages to an external database. Therefore, logs from multiple servers can reside on single hardened machine. This gives administrators the advantage of being able to focus all of their efforts at a single location. In addition to log integrity problems, often administrators are fed too much data. If logging is too verbose, real anomalies may easily be overlooked. Feeding all logs into a central database will also reduce this problem. Using additional software or SQL queries, it can potentially be easier to find correlations and anomalies in logs across multiple servers. Takeing it a step further, one could simply automate the log analysis process and only alert the administrator when there is a major problem. Managing logs effectively is no easy task. Extracting information from Gigs of data is even more difficult. We have a very valuable resource at our fingertips. Start using your logs, they can give a remarkably clear picture of the state of a network. More information on using syslog with MySQL and PHP at: http://www.linuxsecurity.com/feature_stories/feature_story-138.html Until next time, cheers! Benjamin D. Thomas ben@private --- Managing Linux Security Effectively in 2004 This article examines the process of proper Linux security management in 2004. First, a system should be hardened and patched. Next, a security routine should be established to ensure that all new vulnerabilities are addressed. Linux security should be treated as an evolving process. http://www.linuxsecurity.com/feature_stories/feature_story-157.html -------------------------------------------------------------------- CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner! Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing Editor's Choice Award, EnGarde "walked away with our Editor's Choice award thanks to the depth of its security strategy..." Find out what the other Linux vendors are not telling you. http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2 -------------------------------------------------------------------- FEATURE: OSVDB: An Independent and Open Source Vulnerability Database This article outlines the origins, purpose, and future of the Open Source Vulnerability Database project. Also, we talk to with Tyler Owen, a major contributor. http://www.linuxsecurity.com/feature_stories/feature_story-156.html --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Conectiva | ----------------------------// +---------------------------------+ 1/5/2004 - kernel Privilege escalation vulnerability Paul Starzetz from iSEC Security Research reported another vulnerability in the Linux memory management code which can be used by local attackers to obtain root privileges or cause a denial of service condition (DoS). http://www.linuxsecurity.com/advisories/conectiva_advisory-3912.html 1/6/2004 - lftp Buffer overflow vulnerability Ulf Hrnhammar reported two buffer overflow vulnerabilities[3] in the lftp program. An attacker could prepare a directory on a server which, if accessed with a vulnerable lftp with the "ls" or "rels" command, could cause arbitrary code to be executed on the client. http://www.linuxsecurity.com/advisories/conectiva_advisory-3919.html 1/7/2004 - ethereal Denial of Service vulnerability When reading crafted data, Ethereal will crash. http://www.linuxsecurity.com/advisories/conectiva_advisory-3932.html +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ 1/5/2004 - ethereal Denial of service attack A heap-based buffer overflow allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SOCKS dissector. http://www.linuxsecurity.com/advisories/debian_advisory-3906.html 1/5/2004 - lftp Buffer overflow vulnerability An attacker could create a carefully crafted directory on a website so that the execution of an 'ls' or 'rels' command would lead to the execution of arbitrary code on the client machine. http://www.linuxsecurity.com/advisories/debian_advisory-3907.html 1/5/2004 - screen Privilege leak vulnerability Timo Sirainen reported a vulnerability in screen, a terminal multiplexor with VT100/ANSI terminal emulation, that can lead an attacker to gain group utmp privledges. http://www.linuxsecurity.com/advisories/debian_advisory-3908.html 1/6/2004 - BIND Cache poisoning vulnerability A vulnerability was discovered in BIND, a domain name server, whereby a malicious name server could return authoritative negative responses with a large TTL (time-to-live) value, thereby rendering a domain name unreachable. A successful attack would require that a vulnerable BIND instance submit a query to a malicious nameserver. http://www.linuxsecurity.com/advisories/debian_advisory-3915.html 1/6/2004 - libnids Buffer overflow vulnerability A vulnerability was discovered in libnids, a library used to analyze IP network traffic, whereby a carefully crafted TCP datagram could cause memory corruption and potentially execute arbitrary code with the privileges of the user executing a program which uses libnids (such as dsniff). http://www.linuxsecurity.com/advisories/debian_advisory-3916.html 1/6/2004 - mpg321 Malformed format string vulnerability A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. http://www.linuxsecurity.com/advisories/debian_advisory-3917.html 1/6/2004 - nd Buffer overflow vulnerability Multiple vulnerabilities were discovered in nd, a command-line WebDAV interface, whereby long strings received from the remote server could overflow fixed-length buffers. This vulnerability could be exploited by a remote attacker in control of a malicious WebDAV server to execute arbitrary code if the server was accessed by a vulnerable version of nd. http://www.linuxsecurity.com/advisories/debian_advisory-3918.html 1/6/2004 - kernel Privilege escalation vulnerability Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.2.x, 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. http://www.linuxsecurity.com/advisories/debian_advisory-3923.html 1/7/2004 - jabber Denial of Service vulnerability A bug in the handling of SSL connections could cause the server process to crash, resulting in a denial of service. http://www.linuxsecurity.com/advisories/debian_advisory-3928.html 1/7/2004 - zebra Denial of Service vulnerability Two vulnerabilities were discovered in zebra, both resulting in DoS. http://www.linuxsecurity.com/advisories/debian_advisory-3929.html 1/7/2004 - fsp Buffer overflow/Directory traversal vulns. A remote user could both escape from the FSP root directory, and also overflow a fixed-length buffer to execute arbitrary code. http://www.linuxsecurity.com/advisories/debian_advisory-3930.html 1/7/2004 - kernel More for Priv. Esc vulnerability A flaw in bounds checking in mremap() in the Linux kernel may allow a local attacker to gain root privileges. http://www.linuxsecurity.com/advisories/debian_advisory-3931.html 1/8/2004 - vbox3 Privilege leak vulnerability Root privileges were not properly relinquished before executing a user-supplied tcl script. http://www.linuxsecurity.com/advisories/debian_advisory-3933.html +---------------------------------+ | Distribution: EnGarde | ----------------------------// +---------------------------------+ 1/5/2004 - kernel bug and security fixes. This update fixes two security issues and one critical bug in the Linux Kernel shipped with EnGarde Secure Linux. http://www.linuxsecurity.com/advisories/engarde_advisory-3904.html +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ 1/6/2004 - kernel Privilege escalation vulnerability Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel versions 2.4.23 and previous which may allow a local attacker to gain root privileges. http://www.linuxsecurity.com/advisories/fedora_advisory-3913.html +---------------------------------+ | Distribution: Immunix | ----------------------------// +---------------------------------+ 1/6/2004 - kernel Privilege escalation vulnerability Paul Starzetz has discovered a mishandled boundary condition in the mremap(2) systemcall; Starzetz reports this vulnerability may be exploited by local untrusted users to gain root privileges. http://www.linuxsecurity.com/advisories/immunix_advisory-3914.html +---------------------------------+ | Distribution: Mandrake | ----------------------------// +---------------------------------+ 1/8/2004 - kernel Privilege escalation vulnerability A flaw in bounds checking in mremap() in the Linux kernel may be used to allow a local attacker to obtain root privilege. http://www.linuxsecurity.com/advisories/mandrake_advisory-3934.html +---------------------------------+ | Distribution: Openwall | ----------------------------// +---------------------------------+ 1/6/2004 - kernel Privilege escalation vulnerability This vulnerability may allow any local user and any process to execute arbitrary code with kernel privileges and thus gain root access. http://www.linuxsecurity.com/advisories/openwall_advisory-3921.html +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ 1/5/2004 - kernel Privilege escalation vulnerability Updated kernel packages are now available that fix a security vulnerability which may allow local users to gain root privileges. http://www.linuxsecurity.com/advisories/redhat_advisory-3909.html 1/8/2004 - ethereal Denial of Service vulnerabilities By exploiting these two issues it may be possible to make Ethereal crash by injecting an intentionally malformed packet http://www.linuxsecurity.com/advisories/redhat_advisory-3935.html +---------------------------------+ | Distribution: Slackware | ----------------------------// +---------------------------------+ 1/7/2004 - kernel Privilege escalation vulnerability There is a bounds-checking problem in the kernel's mremap() call which could be used by a local attacker to gain root privileges. http://www.linuxsecurity.com/advisories/slackware_advisory-3926.html +---------------------------------+ | Distribution: SuSE | ----------------------------// +---------------------------------+ 1/5/2004 - kernel Privilege escalation vulnerability By exploiting an incorrect bounds check in do_mremap() during the remapping of memory it is possible to create a VMA with the size of 0. http://www.linuxsecurity.com/advisories/suse_advisory-3911.html +---------------------------------+ | Distribution: Trustix | ----------------------------// +---------------------------------+ 1/5/2004 - kernel Privilege escalation vulnerability The kernel packages prior to this update suffers from a bug in the mremap function. This issue is fixed in this update. We have also fixed some minor bugs in the structure of the packages. http://www.linuxsecurity.com/advisories/trustix_advisory-3910.html +---------------------------------+ | Distribution: Turbolinux | ----------------------------// +---------------------------------+ 1/6/2004 - kernel Privilege escalation vulnerability The local users may be able to gain root privileges. http://www.linuxsecurity.com/advisories/turbolinux_advisory-3922.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@private with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Jan 09 2004 - 12:37:40 PST