Linux Advisory Watch - January 9, 2004

This week, advisories were released for the Linux kernel, lftp, ethereal, screen, BIND, libnids, mpg321, nd, jabber, zebra, fsp, and vbox3. The distributors include Conectiva, Debian, Guardian Digital EnGarde Secure Linux, Fedora, Immunix, Mandrake, Openwall, Red Hat, Slackware, SuSE, Trustix, and Turbolinux.

One of the greatest indicators of unauthorized system activity is logging. However, in a compromise the integrity of logs often come into question. Depending on the extent of an attack, logs could have been deleted, modified, or flooded. More knowledgeable attackers possess the skills necessary to cover their tracks and make any forensic investigation
virtually impossible.

Those administrators who have external intrusion detection sensors will have some advantage and additional information to aid in an investigation, but nothing takes the place of accurate system logs. It is possible to have the best of both worlds by setting up an external logging server. Msyslog gives system administrators the ability to send syslog messages to an external database. Therefore, logs from multiple servers can reside on single hardened machine. This gives administrators the advantage of being able
to focus all of their efforts at a single location.

In addition to log integrity problems, often administrators are fed too much data. If logging is too verbose, real anomalies may easily be overlooked. Feeding all logs into a central database will also reduce this problem. Using additional software or SQL queries, it can potentially be easier to find correlations and anomalies in logs across multiple servers. Takeing it a step further, one could simply automate the log analysis process and only alert the administrator when there is a major problem.

Managing logs effectively is no easy task. Extracting information from Gigs of data is even more difficult. We have a very valuable resource at our fingertips. Start using your logs, they can give a remarkably clear picture of the state of a network.

More information on using syslog with MySQL and PHP can be found here.

Until next time, cheers!
Benjamin D. Thomas

LinuxSecurity
Feature Extras:

Managing
Linux Security Effectively in 2004
– This article examines the process of proper Linux security management in
2004. First, a system should be hardened and patched. Next, a security routine
should be established to ensure that all new vulnerabilities are addressed.
Linux security should be treated as an evolving process.

FEATURE:
OSVDB – An Independent and Open Source Vulnerability Database
– This article outlines the origins, purpose, and future of the Open Source
Vulnerability Database project. Also, we talk to with Tyler Owen, a major
contributor.

[ Linux
Advisory Watch ] – [ Linux
Security Week ] – [ PacketStorm
Archive ] – [ Linux Security
Documentation ]

Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.
[ Subscribe
]


Distribution:			Conectiva
	1/5/2004	kernel
		Privilege escalation vulnerability Paul Starzetz from iSEC Security Research reported another vulnerability in the Linux memory management code which can be used by local attackers to obtain root privileges or cause a denial of service condition (DoS). http://www.linuxsecurity.com/advisories/conectiva_advisory-3912.html

	1/6/2004	lftp
		Buffer overflow vulnerability Ulf HÃ¾rnhammar reported two buffer overflow vulnerabilities[3] in the lftp program. An attacker could prepare a directory on a server which, if accessed with a vulnerable lftp with the “ls” or “rels” command, could cause arbitrary code to be executed on the client. http://www.linuxsecurity.com/advisories/conectiva_advisory-3919.html

	1/7/2004	ethereal
		Denial of Service vulnerability When reading crafted data, Ethereal will crash. http://www.linuxsecurity.com/advisories/conectiva_advisory-3932.html


Distribution:			Debian
	1/5/2004	ethereal
		Denial of service attack A heap-based buffer overflow allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SOCKS dissector. http://www.linuxsecurity.com/advisories/debian_advisory-3906.html

	1/5/2004	lftp
		Buffer overflow vulnerability An attacker could create a carefully crafted directory on a website so that the execution of an ‘ls’ or ‘rels’ command would lead to the execution of arbitrary code on the client machine. http://www.linuxsecurity.com/advisories/debian_advisory-3907.html

	1/5/2004	screen
		Privilege leak vulnerability Timo Sirainen reported a vulnerability in screen, a terminal multiplexor with VT100/ANSI terminal emulation, that can lead an attacker to gain group utmp privledges. http://www.linuxsecurity.com/advisories/debian_advisory-3908.html

	1/6/2004	BIND
		Cache poisoning vulnerability A vulnerability was discovered in BIND, a domain name server, whereby a malicious name server could return authoritative negative responses with a large TTL (time-to-live) value, thereby rendering a domain name unreachable. A successful attack would require that a vulnerable BIND instance submit a query to a malicious nameserver. http://www.linuxsecurity.com/advisories/debian_advisory-3915.html

	1/6/2004	libnids
		Buffer overflow vulnerability A vulnerability was discovered in libnids, a library used to analyze IP network traffic, whereby a carefully crafted TCP datagram could cause memory corruption and potentially execute arbitrary code with the privileges of the user executing a program which uses libnids (such as dsniff). http://www.linuxsecurity.com/advisories/debian_advisory-3916.html

	1/6/2004	mpg321
		Malformed format string vulnerability A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. http://www.linuxsecurity.com/advisories/debian_advisory-3917.html

	1/6/2004	nd
		Buffer overflow vulnerability Multiple vulnerabilities were discovered in nd, a command-line WebDAV interface, whereby long strings received from the remote server could overflow fixed-length buffers. This vulnerability could be exploited by a remote attacker in control of a malicious WebDAV server to execute arbitrary code if the server was accessed by a vulnerable version of nd. http://www.linuxsecurity.com/advisories/debian_advisory-3918.html

	1/6/2004	kernel
		Privilege escalation vulnerability Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.2.x, 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. http://www.linuxsecurity.com/advisories/debian_advisory-3923.html

	1/7/2004	jabber
		Denial of Service vulnerability A bug in the handling of SSL connections could cause the server process to crash, resulting in a denial of service. http://www.linuxsecurity.com/advisories/debian_advisory-3928.html

	1/7/2004	zebra
		Denial of Service vulnerability Two vulnerabilities were discovered in zebra, both resulting in DoS. http://www.linuxsecurity.com/advisories/debian_advisory-3929.html

	1/7/2004	fsp
		Buffer overflow/Directory traversal vulns. A remote user could both escape from the FSP root directory, and also overflow a fixed-length buffer to execute arbitrary code. http://www.linuxsecurity.com/advisories/debian_advisory-3930.html

	1/7/2004	kernel
		More for Priv. Esc vulnerability A flaw in bounds checking in mremap() in the Linux kernel may allow a local attacker to gain root privileges. http://www.linuxsecurity.com/advisories/debian_advisory-3931.html

	1/8/2004	vbox3
		Privilege leak vulnerability Root privileges were not properly relinquished before executing a user-supplied tcl script. http://www.linuxsecurity.com/advisories/debian_advisory-3933.html


Distribution:			EnGarde
	1/5/2004	kernel
		bug and security fixes. This update fixes two security issues and one critical bug in the Linux Kernel shipped with EnGarde Secure Linux. http://www.linuxsecurity.com/advisories/engarde_advisory-3904.html


Distribution:			Fedora
	1/6/2004	kernel
		Privilege escalation vulnerability Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel versions 2.4.23 and previous which may allow a local attacker to gain root privileges. http://www.linuxsecurity.com/advisories/fedora_advisory-3913.html


Distribution:			Immunix
	1/6/2004	kernel
		Privilege escalation vulnerability Paul Starzetz has discovered a mishandled boundary condition in the mremap(2) systemcall; Starzetz reports this vulnerability may be exploited by local untrusted users to gain root privileges. http://www.linuxsecurity.com/advisories/immunix_advisory-3914.html


Distribution:			Mandrake
	1/8/2004	kernel
		Privilege escalation vulnerability A flaw in bounds checking in mremap() in the Linux kernel may be used to allow a local attacker to obtain root privilege. http://www.linuxsecurity.com/advisories/mandrake_advisory-3934.html


Distribution:			Openwall
	1/6/2004	kernel
		Privilege escalation vulnerability This vulnerability may allow any local user and any process to execute arbitrary code with kernel privileges and thus gain root access. http://www.linuxsecurity.com/advisories/openwall_advisory-3921.html


Distribution:			Red Hat
	1/5/2004	kernel
		Privilege escalation vulnerability Updated kernel packages are now available that fix a security vulnerability which may allow local users to gain root privileges. http://www.linuxsecurity.com/advisories/redhat_advisory-3909.html

	1/8/2004	ethereal
		Denial of Service vulnerabilities By exploiting these two issues it may be possible to make Ethereal crash by injecting an intentionally malformed packet http://www.linuxsecurity.com/advisories/redhat_advisory-3935.html


Distribution:			Slackware
	1/7/2004	kernel
		Privilege escalation vulnerability There is a bounds-checking problem in the kernel’s mremap() call which could be used by a local attacker to gain root privileges. http://www.linuxsecurity.com/advisories/slackware_advisory-3926.html


Distribution:			Suse
	1/5/2004	kernel
		Privilege escalation vulnerability By exploiting an incorrect bounds check in do_mremap() during the remapping of memory it is possible to create a VMA with the size of 0. http://www.linuxsecurity.com/advisories/suse_advisory-3911.html


Distribution:			Trustix
	1/5/2004	kernel
		Privilege escalation vulnerability The kernel packages prior to this update suffers from a bug in the mremap function. This issue is fixed in this update. We have also fixed some minor bugs in the structure of the packages. http://www.linuxsecurity.com/advisories/trustix_advisory-3910.html


Distribution:			Turbolinux
	1/6/2004	kernel
		Privilege escalation vulnerability The local users may be able to gain root privileges. http://www.linuxsecurity.com/advisories/turbolinux_advisory-3922.html

RELATED ARTICLESMORE FROM AUTHOR

Xen 4.19 is released

Advancing Xen on RISC-V: key updates

AI Produces Data-driven OpenFOAM Speedup (HPC Wire)

Delivering Prime Training Deals – 2 DAYS ONLY

Why You Need to Know About Event Modeling: —An Intro

RELATED ARTICLES MORE FROM AUTHOR