We fixed the issues in Up2Date 2.022, which is available on our Up2Date servers already. http://www.astaro.org/cgi/ultimatebb.cgi?ubb=get_topic&f=1&t=000093 All Astaro users please note, that none of the wrong permissions are usable for an exploit to gain root privileges and none of them contain any remote vulnerabilities. Kind regards, Markus Hennig Welcome at CeBit 2002 in hall 16, stand B33. Please visit our User Bulletin Board http://www.astaro.org ! In God we Trust, all others please submit signed PGP/X.509 key Markus Hennig <mhennigat_private> | Product Development Astaro AG | http://www.astaro.com | +49-721-490069-0 | Fax -55 > -----Original Message----- > From: dendlerat_private [mailto:dendlerat_private] > Sent: Tuesday, February 12, 2002 3:47 PM > To: bugtraqat_private; vulnwatchat_private > Cc: Markus Hennig > Subject: Astaro Security Linux Improper File Permissions Flaw > > > iDEFENSE Intelligence Operations discovered security > issues in improper file and directory permissions > during an audit of Astaro AG's Astaro Linux. Astaro > Linux designates a number of files and directories as > world writeable that should probably not be. This, > combined with other more serious flaws, could > potentially result in system compromise or denial of > service. > > Astaro AG bills its Linux packages as "Security Linux." > > > Analysis: World writeable files and directories are > dangerous because any user on the system, even one > running in a restricted account such as "nobody" can > access the files, write to them, and potentially delete > them. World writeable directories can be especially > dangerous when they are used to store files covertly. > Any directories and files contained within the world > writeable directory can potentially be modified. > > Several sensitive configuration files and directories > are world writeable, meaning an attacker with any level > of access to the root file system could cause damage or > subvert the services/applications relying on those > files. > > The following files are world writeable: > * /etc/protocols > * /etc/ssh/ssh_host_dsa_key.pub > * /etc/ssh/ssh_host_key.pub > > It is unknown whether or not the following files need > to be world writeable for the system to function > properly, but it appears safe to remove the world > writeable attribute: > > * /etc/up2date/latest_md5sum > * /wtc/wfe/conf/console > * /wtc/wfe/conf/nameserver > * /wtc/wfe/conf/netzkartendata > * /var/log/account/timestamp > > Astaro Linux also contains a number of world writeable > directories: > * /var > * /etc/up2date/lib1 > * /etc/up2date/lib2 > > In general, the /var directory should not be world > writeable on any *nix system since by filling up the > associated partition, an attacker may prevent log files > from being written to hide his activity. > > Detection: Finding world writeable files and > directories is easy, simply use the "find" command: > > find / -type d -perm +002 > find / -type f -perm +002 > > These commands will list all world writeable > directories and files respectively. Some of the > directories, such as /tmp, are meant to be world > writeable, and leaving them as such is relatively safe. > > Workaround: Removing the world writeable bit on the > files can be accomplished using chmod: > > chmod o-w filename > > This will work for both files and directories. > > Vendor Response: Markus Hennig of Astaro > <mhennigat_private> promptly confirmed the incorrect > file permissions and worked with us responsibly to > resolve these issues. The latest Up2Date 2.022 fixes > the file permissions, which is now currently available > on Astaro Up2Date servers. > > > -dave > > David Endler, CISSP > Director, iDEFENSE Labs > 14151 Newbrook Drive > Suite 100 > Chantilly, VA 20151 > voice: 703-344-2632 > fax: 703-961-1071 > > dendlerat_private > www.idefense.com > >
This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 23:03:50 PST