News about Linux security, security alerts and exploits

 Reflecting On Linux Security In 2003, Dec 26, 2003

When asked about Windows vs. Linux security, Gagne says: "Frankly, it seems incredible that this is even open to debate. To suggest that Windows is inherently more or as secure is almost too silly to even comment on. One need only read the newspapers, listen to the radio, watch television or work in an office where Windows is widely used. Of course Linux is more secure, and it has nothing to do with Microsoft's market penetration. It has to do with a better approach to software development. It doesn't hurt that at its very core, Linux is designed with security in mind. No need here for launching a security initiative after years of neglect."

Red Hat has released a range of patches for its Linux 7.1, 7.2 amd 7.3 versions which previously allowed a local user to fire off denial of service attacks.

The real issue comes with the Apache Web server. It was discovered that if someone gained access to the main configuration and access-restriction files used with Apache, they could execute arbitrary code i.e. set up a denial of service attack. They could also gained increased system priviledges, making the possibility of other hacks larger.

A handful of recent online attacks on free and open-source software servers has open-source developers looking over their shoulders.

During the last four months, unknown intruders have breached the security around servers hosting programs and code published by the Linux kernel development team, the Debian Project, the Gentoo Linux Project and the GNU Project, which manages the development of many important programs used by Linux and other Unix-like systems. The attacks have convinced open-source project leaders to take another look at their security.

A critical vulnerability which has been reported in rsync, an open source utility that provides fast incremental file transfer, may have been used to compromise a server at the Gentoo Linux project.

An advisory from the rsync developers said this vulnerability was recently used in combination with a Linux kernel vulnerability to compromise the security of a public rsync server.

What aspects of Linux operating systems are most often targeted by malicious hackers? Here's a recent list of the ten most commonly exploited vulnerable services in UNIX and Linux, as compiled by federal security agencies, security vendors, and other experts.

IDG News Service reports that Moscow-based security software developer Kaspersky Labs has released a new version of its antivirus software for mail servers running on Linux and Unix operating systems. System administrators use the plug-in module Webmin to centrally manage systems settings.

Is Linux more secure than Windows, or vice versa? Fueled by conflicting industry reports, this controversy keeps raging. To arrive at a well-informed opinion on the subject, you need to know as much as you can about what kinds of security measures are actually available for Linux. Moreover, if you're administering Linux already, some implementation tips from Linux security pros can undoubtedly come in handy.

"It's hard to talk about 'Linux' as an operating system, since there are so many different variations. A number of different OSes — such as FreeBSD, VMS, mainframe OSes like VM or VSE, or other proprietary OSes — may lay claim to the title of 'most secure OS,'" observes Pete Lindstrom, CISSP, research director for Spire Security, LLC.

Webmaster's note: This is the verbatim entry on Mandrakesoft's errata page

Error scenario: Installing 9.2 and being told unable to install the base system and subsequent reboot reveals that CD-ROM drive is physically dead.

Why: According to LG Electronics, their ODD (Optical Disc Drive) products do not support Linux nor do they test with Linux. Unfortunately, many Dell computers (possibly others) come with these CD-ROM drives. Solution: Currently there is no solution or work-around for this issue; it is still under investigation. Damage occurs even when doing a network install. At this point, please do not install Mandrake Linux 9.2 on any computer containing a LG-based CD-ROM drive or it will damage your CD-ROM drive! We are actively looking for a solution to this problem.

Trustix, a Norwegian company that sells Linux software intended to be attack-resistant, has been acquired by the Comodo Group, an Internet security company. Terms of the acquisition, announced Friday, were not disclosed.

On the Unix and Linux side, the Institute named the Berkeley Internet Domain Name (BIND) software -- which is widely used on domain name servers to match URLs with IP addresses -- as the top problem software. Apache Web server (at number 3) and Sendmail (at number 6) are also on the Unix/Linux list, and have been exploited this year.

Frank Denis reported a bug in unpatched versions of MySQL prior to version 3.23.58. Passwords for MySQL users are stored in the Password field of the user table. Under this bug, a Password field with a value greater than 16 characters can cause a buffer overflow. It may be possible for an attacker with the ability to modify the user table to exploit this buffer overflow to execute arbitrary code as the MySQL user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0780 to this issue.

The security flaws exist in the OpenSSL Project's version of the secure sockets layer (SSL) software used by Web sites and browsers to cryptographically secure data. Two of the flaws could lead to a denial-of-service attack, and a third may allow an attacker to break into a system from the Internet.

Although Microsoft Windows vulnerabilities get most of the headlines, researchers this week identified vulnerabilities in two commonly used open-source software products.

The more serious of the vulnerabilities affects Sendmail, an open-source program for managing e-mail. The vulnerability lies in the way the e-mail server software parses e-mail headers, said Dan Ingevaldson, engineering manager for Internet Security Systems in Atlanta.

Webmaster's note: Other vendors and distribution developers have also released new packages for sendmail

Two vulnerabilities were reported in sendmail.

- CAN-2003-0681

A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences.

- CAN-2003-0694

The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.

Early today we received a note that there are rumblings in the underground related to a new OpenSSH vulnerability. The official web site says that a new version of OpenSSH was released and the following security advisory was published. Below the official OpenSSH patch, you can see the vendor advisories on this issue.

3. Problem description:

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server.

Ben Laurie found a bug in the optional renegotiation code in mod_ssl included with Apache 2 versions 2.0.35 through 2.0.46 that can cause cipher suite restrictions to be ignored. This is triggered if optional renegotiation is used (SSLOptions +OptRenegotiate) along with verification of client certificates and a change to the cipher suite over the renegotiation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.

 SuSE Security Announcement

        Package:                kernel
        Announcement-ID:        SuSE-SA:2003:034
        Date:                   Tue Aug 12 18:15:00 CEST 2003
        Affected products:      7.2, 7.3, 8.0, 8.1, 8.2
                                SuSE Linux Database Server,
                                SuSE eMail Server III, 3.1
                                SuSE Linux Enterprise Server 7, 8
                                SuSE Linux Firewall on CD/Admin host
                                SuSE Linux Connectivity Server
                                SuSE Linux Office Server
                                SuSE Linux Openexchange Server
                                SuSE Linux Desktop 1.0
                                United Linux 1.0
        Vulnerability Type:     local privilege escalation,
                                remote Denial of Service (DoS)
        Severity (1-10):        7
        SuSE default package:   yes
        Cross References:       CAN-2003-0476
                                CAN-2003-0501
                                CAN-2003-0464

The transparent session ID feature in the php4 package does not properly escape user-supplied input before inserting it into the generated HTML page. An attacker could use this vulnerability to execute embedded scripts within the context of the generated page.

For the stable distribution (woody) this problem has been fixed in version 4:4.1.2-6woody3.

                Mandrake Linux Security Update Advisory
_________________________________________________________

Package name:           kernel
Advisory ID:            MDKSA-2003:074
Date:                   July 15th, 2003

Affected versions:	8.2, 9.0, Corporate Server 2.1,
			Multi Network Firewall 8.2
__________________________________________________________

3. Problem description:

Mozilla is an open source web browser.

A heap-based buffer overflow in Netscape and Mozilla allows remote attackers to execute arbitrary code via a jar: URL referencing a malformed .jar file, which overflows a buffer during decompression. This issue affects versions Mozilla packages for Red Hat Linux 7.1, 7.2, 7.3, and 8.0.

These errata packages upgrade Mozilla to version 1.0.2, which is not vulnerable to this issue. Mozilla 1.0.2 also contains a number of other stability and security enhancements.

Webmaster's note: Other Linux distributions have issued this same advisory. Please check your particular distribution's security pages for more information

The logging code in nfs-utils contains an off-by-one buffer overrun when adding a newline to the string being logged. This vulnerability may allow an attacker to execute arbitrary code or cause a denial of service condition by sending certain RPC requests.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server.

This update contains fixes for a number of bugs discovered in the version of PHP included in Red Hat Linux 8.0 and 9. These bugs include the use of a PHP script as an ErrorDocument and possible POST body corruption in some configurations.

 View older news this year: Nov Oct Sep Aug Jul Jun May Apr Mar Feb Jan
 View news from other years: 2008, 2007, 2006, 2005, 2004, 2003, 2002, 2001, 2000, 1999
 View older news in category Security this year: Sep Jul Jun May Apr Mar
 View Security news from other years: 2008, 2007, 2006, 2005, 2004, 2003