Author: Preston St. Pierre
postgresql, mpg123, abiword, iptables, xpdf, libxml, lvm10, hdcp, ppp, Apache, speedtouch, proxytunnel, shadow, mysql, netatalk, mod_ssl, and libtiff. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Openwall, Slackware, and Trustix.
NFS Security
NFS is a very widely used file sharing protocol. It allows servers running nfsd(8) and mountd(8) to “export” entire filesystems to other machines with NFS filesystem support built into their kernels (or some other client support if they are non-Linux machines). mountd(8) keeps track of mounted filesystems in /etc/mtab, and can display them with showmount(8).
Many sites use NFS to serve home directories to users, so that
no matter what machine in the cluster they login to, they will have
all their home files.
There is some small amount of “security” available when exporting filesystems. You can make your nfsd map the remote root user (uid=0) to the nobody user, denying that user blanket access to the exported files. However, since individual users still have access to their own files (or at least to files owned by the same uid), the remote superuser can log in or su to any such account and gain full access to that user's files. This is only a small hindrance to an attacker who is able to mount your exported filesystems.
If you must use NFS, export only to the machines that genuinely need access. Never export your entire root directory; export only the directories you need to, and export them read-only wherever possible.
Filter TCP port 111, UDP port 111 (portmapper), TCP port 2049,
and UDP port 2049 (nfsd) on your firewall or gateway to prevent
external access.
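As an added example (not part of the Security Administrator's Guide or this newsletter), a small Python checker that reads an exports(5) file and flags the conditions described above: exporting /, wildcard hosts, remote root not squashed to nobody, and exports that are not read-only. It also emits the iptables rules for the portmapper and nfsd ports named above. The sample exports content, host names and the DROP-based rule form are constructed assumptions.

```python
import re

# Constructed sample exports file (not a real host's configuration): the first
# line shows the weak settings the guide warns about, the others the hardened form.
SAMPLE_EXPORTS = """\
/         *(rw,no_root_squash)
/home     192.168.1.0/24(rw,sync)
/srv/docs nfsclient.example.org(ro,sync)
"""

def parse_exports(text):
    """Return [(path, [(host, [option, ...]), ...]), ...] from exports(5) text."""
    table = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        entries = []
        for client in clients:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", client)
            host = m.group(1) or "*"                  # "(opts)" alone means every host
            opts = m.group(2).split(",") if m.group(2) else []
            entries.append((host, opts))
        table.append((path, entries))
    return table

def audit_exports(text):
    """Return (path, host, issue) for each export that breaks the guide's rules."""
    findings = []
    for path, entries in parse_exports(text):
        for host, opts in entries:
            if path == "/":
                findings.append((path, host, "exports the entire root directory"))
            if "*" in host:
                findings.append((path, host, "wildcard host: export only to named machines"))
            if "no_root_squash" in opts:
                findings.append((path, host, "remote root is not mapped to nobody"))
            if "ro" not in opts:
                findings.append((path, host, "not read-only: use ro wherever possible"))
    return findings

def firewall_rules(chain="INPUT"):
    """iptables commands dropping portmapper (111) and nfsd (2049), TCP and UDP."""
    return [f"iptables -A {chain} -p {proto} --dport {port} -j DROP"
            for port in (111, 2049) for proto in ("tcp", "udp")]

if __name__ == "__main__":
    for path, host, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:10} {host:25} {issue}")
```

Point `audit_exports` at the contents of a real /etc/exports to review a server; the /home finding is expected where users need write access and is there to be reviewed, not blindly fixed.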
The NFS HOWTO also discusses some of the security issues with NFS, and it
is available at: http://www.tldp.org/HOWTO/NFS-HOWTO/
Excerpt from the LinuxSecurity Administrator’s Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave@guardiandigital.com)
LinuxSecurity.com
Feature Extras:

Mass deploying Osiris – Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and, at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. All communication takes place over an encrypted channel.

AIDE and CHKROOTKIT – Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code – Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com.
Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
Distribution: Conectiva

11/1/2004 | rsync | path sanitation vulnerabilities fix
rsync before 2.6.1 does not properly sanitize paths[2] when running a read and write daemon without using chroot. This could allow a remote attacker to write files outside of the rsync directory, depending on rsync’s daemon privileges.

11/3/2004 | squid | denial of service vulnerability fix
This announcement fixes a denial of service vulnerability[2] in squid caused by a malformed NTLMSSP packet. This causes a negative value to be passed to memcpy on servers with NTLM authentication enabled, making squid abort and causing a denial of service condition.

11/4/2004 | subversion | vulnerabilities fix
All Subversion versions prior to and including 1.0.7 are vulnerable to a bug in mod_authz_svn that could allow sensitive metadata of protected areas to be leaked to unauthorized users, constituting an information leak vulnerability.

11/4/2004 | gaim | vulnerabilities fix
This announcement fixes several denial of service and buffer overflow vulnerabilities that were encountered in Gaim.

11/4/2004 | apache | mod_ssl vulnerability fix
An issue[2] in the mod_ssl module was reported[3] by Hartmut Keil. When a particular location is configured to require a specific set of cipher suites through the “SSLCipherSuite” directive in its directory or location context, a client could be able to access that location using any cipher suite allowed by the virtual host configuration.
Distribution: Debian

10/29/2004 | squid | several vulnerabilities fix
Several security vulnerabilities have been discovered in Squid, the internet object cache, the popular WWW proxy cache.

10/29/2004 | postgresql | symlink vulnerability fix
Trustix Security Engineers identified insecure temporary file creation in a script included in the postgresql suite, an object-relational SQL database. This could allow an attacker to trick a user into overwriting arbitrary files that the user has write access to.

11/1/2004 | mpg123 | arbitrary code execution fix
Carlos Barros has discovered a buffer overflow in the HTTP authentication routine of mpg123, a popular (but non-free) MPEG layer 1/2/3 audio player.

11/1/2004 | abiword | arbitrary code execution fix
A buffer overflow vulnerability has been discovered in the wv library, used for converting and previewing Word documents. On exploitation an attacker could execute arbitrary code with the privileges of the user running the vulnerable application.

11/1/2004 | iptables | modprobe failure fix
Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to.

11/2/2004 | xpdf | arbitrary code execution fix
Chris Evans discovered several integer overflows in xpdf, a viewer for PDF files, which can be exploited remotely by a specially crafted PDF document and lead to the execution of arbitrary code.

11/2/2004 | libxml | arbitrary code execution fix
“infamous41md” discovered several buffer overflows in libxml and libxml2, the XML C parser and toolkits for GNOME. Missing boundary checks could cause several buffers to be overflown, which may cause the client to execute arbitrary code.

11/3/2004 | lvm10 | insecure temporary directory fix
Trustix developers discovered insecure temporary file creation in a supplemental script in the lvm10 package that didn’t check for existing temporary directories, allowing local users to overwrite files via a symlink attack.

11/4/2004 | dhcp | format string vulnerability fix
“infamous41md” noticed that the log functions in dhcp 2.x, which is still distributed in the stable Debian release, passed parameters to functions that use format strings. One use seems to be exploitable in connection with a malicious DNS server.
Distribution: Fedora

10/29/2004 | libxslt-1.1.12-2 | update
This update fixes bug #137499 where some DocBook transformations broke following the latest security release of libxml2-2.6.15-2. It brings libxslt back in sync with the installed version of libxml2.

11/4/2004 | system-config-users-1.2.26-0.fc2.1 | update
system-config-users is a graphical utility for administering users and groups. It depends on the libuser library.

11/4/2004 | wget-1.9.1-16.fc2 | update
This new release of wget adds support for large files >2Gb, e.g. DVD ISOs.
Distribution: Gentoo

10/29/2004 | Archive::Zip | Virus detection evasion
Email virus scanning software relying on Archive::Zip can be fooled into thinking a ZIP attachment is empty while it contains a virus, allowing detection evasion.

11/1/2004 | ppp | Remote denial of service vulnerability
pppd contains a vulnerability that may allow an attacker to crash the server.

11/1/2004 | Cherokee | Format string vulnerability
Cherokee contains a format string vulnerability that could lead to denial of service or the execution of arbitrary code.

11/2/2004 | Apache 1.3 | Buffer overflow vulnerability in mod_include
A buffer overflow vulnerability exists in mod_include which could possibly allow a local attacker to gain escalated privileges.

11/2/2004 | Speedtouch USB driver | Privilege escalation vulnerability
A vulnerability in the Speedtouch USB driver can be exploited to allow local users to execute arbitrary code with escalated privileges.

11/2/2004 | libxml2 | Remotely exploitable buffer overflow
libxml2 contains multiple buffer overflows which could lead to the execution of arbitrary code.

11/2/2004 | MIME-tools | Virus detection evasion
MIME-tools doesn’t handle empty MIME boundaries correctly. This may prevent some virus-scanning programs which use MIME-tools from detecting certain viruses.

11/2/2004 | ppp | No denial of service vulnerability
pppd contains a bug that allows an attacker to crash his own connection, but it cannot be used to deny service to other users.

11/3/2004 | Proxytunnel | Format string vulnerability
Proxytunnel is vulnerable to a format string vulnerability, potentially allowing a remote server to execute arbitrary code with the rights of the Proxytunnel process.

11/3/2004 | GD | Integer overflow
The PNG image decoding routines in the GD library contain an integer overflow that may allow execution of arbitrary code with the rights of the program decoding a malicious PNG image.

11/4/2004 | shadow | Unauthorized modification of account information
A flaw in the chfn and chsh utilities might allow modification of account properties by unauthorized users.
Distribution: Mandrake

11/2/2004 | gaim | vulnerability fix
A vulnerability in the MSN protocol handler in the gaim instant messenger application was discovered. When receiving unexpected sequences of MSNSLP messages, it is possible that an attacker could trigger an internal buffer overflow which could lead to a crash or even code execution as the user running gaim.

11/2/2004 | perl-Archive-Zip | vulnerability fix
Recently, it was noticed that several antivirus programs miss viruses that are contained in ZIP archives with manipulated directory data. The global archive directory of these ZIP files has been manipulated to indicate zero file sizes.

11/2/2004 | MySQL | multiple vulnerabilities fix
Jeroen van Wolffelaar discovered an insecure temporary file vulnerability in the mysqlhotcopy script when using the scp method (CAN-2004-0457).

11/2/2004 | mpg123 | vulnerability fix
Carlos Barros discovered two buffer overflow vulnerabilities in mpg123; the first in the getauthfromURL() function and the second in the http_open() function. These vulnerabilities could be exploited to possibly execute arbitrary code with the privileges of the user running mpg123.

11/2/2004 | netatalk | temporary file vulnerability fix
The etc2ps.sh script, part of the netatalk package, creates files in /tmp with predictable names, which could allow a local attacker to use symbolic links to point to a valid file on the filesystem and lead to the overwriting of arbitrary files if etc2ps.sh is executed by someone with enough privilege.

11/2/2004 | perl-MIME-tools | vulnerability fix
There’s a bug in MIME-tools, where it mis-parses things like boundary=””. Some viruses use an empty boundary, which may allow unapproved parts through MIMEDefang.

11/2/2004 | mod_ssl | information disclosure vulnerability fix
A vulnerability in mod_ssl was discovered by Hartmut Keil. After a renegotiation, mod_ssl would fail to ensure that the requested cipher suite is actually negotiated. The provided packages have been patched to prevent this problem.

11/4/2004 | xorg-x11 | libXpm overflow vulnerabilities fix
Chris Evans found several stack and integer overflows in the libXpm code of X.Org/XFree86.

11/4/2004 | Mandrakelinux 10.1 | various issues fix
Various packages are now available that fix certain bugs in KDE-related packages in Mandrakelinux 10.1 Official edition.

11/4/2004 | iptables | vulnerability fix
Faheem Mitha discovered that the iptables tool would not always load the required modules on its own as it should have, which could in turn lead to firewall rules not being loaded on system startup in some cases.

11/5/2004 | shadow | security bypass vulnerability fix
A vulnerability in the shadow suite was discovered by Martin Schulze that can be exploited by local users to bypass certain security restrictions due to an input validation error in the passwd_check() function. This function is used by the chfn and chsh tools.

11/5/2004 | libxml | libxml2 multiple vulnerabilities fix
Multiple buffer overflows were reported in the libxml XML parsing library. These vulnerabilities may allow remote attackers to execute arbitrary code via a long FTP URL that is not properly handled by the xmlNanoFTPScanURL() function, a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy() function, and other overflows in the code that resolves names via DNS.
Distribution: Openwall

11/3/2004 | glibc 2.3.x | update
Basically, the system has been updated to glibc 2.3.x (2.3.2 plus the patches found in the latest Red Hat Linux 9 glibc update, minus NPTL, and plus all of our modifications indeed).
Distribution: Slackware

11/1/2004 | apache+mod_ssl | security issue fix
New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix a security issue. Apache has been upgraded to version 1.3.33 which fixes a buffer overflow which may allow local users to execute arbitrary code as the apache user.

11/1/2004 | libtiff | security issue fix
New libtiff packages are available for Slackware 8.1, 9.0, 9.1, 10.1, and -current to fix security issues that could lead to application crashes, or possibly execution of arbitrary code.
Distribution: Trustix

11/1/2004 | libxml2, postgresql | multiple security issues
There is a buffer overflow when parsing a URL with ftp information in it. A loop incorrectly copies data from a user supplied buffer into a finite stack buffer with no regard for the length being copied.