+---------------------------------------------------------------------+
|  LinuxSecurity.com                           Weekly Newsletter      |
|  July 31, 2000                               Volume 1, Number 14    |
|                                                                     |
|  Editorial Team:  Benjamin Thomas     ben@linuxsecurity.com         |
|                   Chris Parker        cparker@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines and
system advisories.

This week, advisories for gpm, man, dhcp-client, Zope, openldap,
BitchX, pam, and nfs-utils were released. DHCP-client and nfs-utils
vulnerabilities can both theoretically be used to gain remote root
access.

* LinuxSecurity.com just released the LinuxSecurity Quick Reference
  Card. The reference is intended to provide a starting point for
  improving system security. It includes references to security
  resources, tips for securing Linux, and other general security
  information.
  http://www.linuxsecurity.com/articles/documentation_article-1208.html

Our feature this week is an interview with Carr Biggerstaff & Thomas
Haigh of Secure Computing, by Dave Wreski. The interview discusses the
state of Linux and security, its place in secure business data centers,
and their work with the National Security Agency to create a
Type-Enforced version of Linux.
http://www.linuxsecurity.com/feature_stories/secure-1.html

Our sponsor this week is WebTrends. Their Security Analyzer has the
most vulnerability tests available for Red Hat & VA Linux. It uses
advanced agent-based technology, enabling you to scan your Linux
servers from your Windows NT/2000 console and protect them against
potential threats. Now with over 1,000 tests available.
http://www.webtrends.com/redirect/linuxsecurity1.htm

HTML Version Available:
http://www.linuxsecurity.com/newsletter.html

---------------------
Advisories This Week:
---------------------

* Mandrake: gpm vulnerability
  July 28th, 2000

  Many security flaws existed in the gpm package, which is used to
  control the mouse in a terminal outside of X Windows. As well, a
  denial of service attack via /dev/gpmctl is possible. All security
  issues with the gpm package have been addressed with this update.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-586.html

* Mandrake: openldap NOT vulnerable
  July 28th, 2000

  OpenLDAP installs the ud binary with mode 755 and the default group,
  taken from the installing user's primary gid or the gid of the
  directory itself. Depending on the gid used, this can cause the file
  to be group-writable for an extended group. It has been determined
  that Linux-Mandrake is not vulnerable to the recent openldap
  permission problem.
  http://www.linuxsecurity.com/advisories/caldera_advisory-584.html

* Mandrake: Zope vulnerability
  July 28th, 2000

  7.1 and previous versions of Zope have a serious security flaw in one
  of the base classes in the DocumentTemplate package that is
  inadequately protected. This flaw allows the contents of DHTML
  Documents or DHTML Methods to be changed remotely or through DHTML
  code without forcing proper user authorization.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-588.html

* Debian: dhcp-client vulnerability
  July 28th, 2000

  The versions of the ISC DHCP client in Debian 2.1 (slink) and Debian
  2.2 (potato) are vulnerable to a root exploit. The OpenBSD team
  reports that the client inappropriately executes commands embedded in
  replies sent from a dhcp server. This means that a malicious dhcp
  server can execute commands on the client with root privileges.
  http://www.linuxsecurity.com/advisories/Debian_advisory-585.html

* Conectiva: BitchX vulnerability
  July 28th, 2000

  The irc client BitchX can be taken down remotely by inviting the user
  to a channel with format strings in its name. By receiving the
  invitation, BitchX will crash immediately.
  http://www.linuxsecurity.com/advisories/other_advisory-583.html

* TurboLinux: dhcp vulnerability
  July 28th, 2000

  Current and previous versions of the DHCP client are vulnerable to
  malicious DHCP servers. The client can execute arbitrary commands
  given to it in responses from a DHCP server. A maliciously placed
  DHCP can answer to any local DHCP client, thus providing an avenue to
  remotely exploit root privileges on the client.
  http://www.linuxsecurity.com/advisories/turbolinux_advisory-587.html

* Conectiva: nfs-utils vulnerability
  July 27th, 2000

  A vulnerability was found in the Conectiva nfs-utils which allows
  remote root access. It is the same vulnerability that Redhat's
  nfs-utils had.
  http://www.linuxsecurity.com/advisories/other_advisory-579.html

* Conectiva: pam vulnerability
  July 27th, 2000

  This module incorrectly identifies remote X logins for displays other
  than :0 (:1, :2, etc.) as local ones, thus giving the console to this
  user. Having the console, the remote user could issue commands like
  reboot to remotely reboot the system (after providing his or her
  password).
  http://www.linuxsecurity.com/advisories/other_advisory-580.html

* Conectiva: gpm vulnerability
  July 27th, 2000

  There is a condition that, if exploited by an attacker, could lead to
  gpm removing arbitrary files in the system.
  http://www.linuxsecurity.com/advisories/other_advisory-582.html

* Conectiva: man vulnerability
  July 27th, 2000

  The man package has a script called makewhatis that is run weekly by
  the cron daemon as root. This script creates a directory in /tmp and
  some files under it with predictable names, thus making it possible
  for a local attacker to alter any file in the system via symlink
  attacks.
  http://www.linuxsecurity.com/advisories/caldera_advisory-581.html

* Debian: userv vulnerability
  July 27th, 2000

  The version of userv that was distributed with Debian GNU/Linux 2.1 /
  slink had a problem in the fd swapping algorithm: it could sometimes
  make an out-of-bounds array reference. It might be possible for local
  users to abuse this to carry out unauthorized actions or to take
  control of service user accounts.
  http://www.linuxsecurity.com/advisories/debian_advisory-578.html

* RedHat: gpm vulnerability
  July 26th, 2000

  1. gpm did not perform adequate checking of setgid return values in
     the gpm-root helper program. This resulted in an avenue of attack
     where local users could execute arbitrary commands with elevated
     group privileges.
  2. /dev/gpmctl was writable by users who were not on the console. A
     user could perform a local denial of service attack by flooding
     the socket.
  http://www.linuxsecurity.com/advisories/redhat_advisory-577.html

* Conectiva: openldap vulnerability
  July 26th, 2000

  Our previous update introduced a logrotate script for the ldap logs.
  This script incorrectly signals the klogd daemon and kills it. This
  new update also upgrades the openldap package to version 1.2.11 which
  fixes some bugs in the 1.2.10 release.
  http://www.linuxsecurity.com/advisories/other_advisory-576.html

-----------------------
Top Articles This Week:
-----------------------

Host Security News:
-------------------

* Grey-hat hacking
  July 24th, 2000

  Enterprises hiring reformed crackers to expose their soft
  underbellies will only add to the more than $2.6 trillion lost
  worldwide annually because of security intrusions, warns professional
  services firm PricewaterhouseCoopers. The shift from
  business-to-consumer (B2C) to business-to-business (B2B) marketplaces
  could accelerate this trend at exponential rates.
  http://www.linuxsecurity.com/articles/hackscracks_article-1192.html

* Forensics
  July 24th, 2000

  This article describes the actions taken to investigate an actual
  security breach.
  http://www.linuxsecurity.com/articles/host_security_article-1187.html

Network Security News:
----------------------

* Debate erupts over disclosure of software security holes
  July 28th, 2000

  In a contentious keynote speech that created an uproar at the Black
  Hat Briefings security conference here yesterday, security researcher
  Marcus Ranum charged that the full disclosure of software
  vulnerabilities isn't improving computer security. Instead, Ranum
  said, it only encourages attacks by what he called "armies of script
  kiddies." Many security experts and corporate users believe that
  publicizing software flaws will improve security by forcing software
  vendors to improve the quality of their products and to quickly fix
  potentially damaging bugs - a point that was reiterated by several
  audience members and other speakers at the Black Hat conference.
  http://www.linuxsecurity.com/articles/hackscracks_article-1229.html

* Study: Internet's structure vulnerable to organized attack
  July 28th, 2000

  The Internet's reliance on a few key nodes makes it especially
  vulnerable to organized attacks by hackers and terrorists, according
  to a new study on the structure of the worldwide network.
  http://www.linuxsecurity.com/articles/general_article-1221.html

* Denial-of-service threat gets engineering community's attention
  July 27th, 2000

  The Internet engineering community is developing technology that
  promises to minimize the damage these hacker attacks cause by quickly
  identifying the computer systems where they originate. The Internet
  Engineering Task Force (IETF) last week launched a working group to
  develop ICMP Traceback Messages, which would let network managers
  discover the path that packets take through the Internet.
  http://www.linuxsecurity.com/articles/network_security_article-1211.html

* Apache Guide: Apache Authentication, Part 1
  July 24th, 2000

  In this article, I'm going to cover the standard way of protecting
  parts of your Web site that most of you are going to use. In the next
  part I'll talk about using databases, rather than text files, to
  contain your user and group information. Somewhere in here I'll talk
  about using things other than usernames and passwords to protect your
  web site from "intruders"--such as the IP address of the visitor.
  http://www.linuxsecurity.com/articles/server_security_article-1191.html

* Linux Networking: Using Ipchains
  July 24th, 2000

  The article examines the basic concepts pertaining to routing,
  network address translation (NAT), firewalls, and a program called
  ipchains. Individual sections address each concept. The last section
  combines the basics into a sample configuration for linking a local
  network to the Internet.
  http://www.linuxsecurity.com/articles/network_security_article-1189.html

Cryptography News:
------------------

* Digital Signatures and Stolen Automobiles
  July 28th, 2000

  Digital signatures require extensive safekeeping. Unlike passwords,
  you can't store them in your head. The number sequence is too long.
  You have to store the signature on a smart card, keep it on your hard
  drive, or carry it around on a disk. Since the signature depends upon
  non-repudiation as the key selling point, you better not let anyone
  else get his or her hands on it. Figuring ways to protect your
  digital signature from your teenager, your estranged spouse, a crazy
  love interest, or a housekeeper may be a challenge.
  http://www.linuxsecurity.com/articles/host_security_article-1226.html

* Default Passwords and What You Can Do About Them
  July 28th, 2000

  This is a huge problem because companies buy lots and lots of
  hardware and software that they need to deploy quickly.
  This often results in minimal configuration effort being made, and
  the default passwords are usually left in, due to carelessness, or
  for the simple fact that the people installing it don't know
  (hardware vendors like 3Com have placed backdoors in hardware so that
  they can help the customer recover)
  http://www.linuxsecurity.com/articles/network_security_article-1227.html

Vendor/Product/Tools News:
--------------------------

* Linux developers hunt for kernel bugs
  July 27th, 2000

  Linux developers have begun an ambitious project to identify security
  problems with the open source operating system before they trouble
  end users. The Linux Kernel Auditing Project is an attempt to audit
  the Linux kernel for any security holes. The project also aims to
  educate Linux developers on how to write code securely and thereby
  stay ahead of crackers in creating a secure operating environment.
  http://www.linuxsecurity.com/articles/projects_article-1210.html

* New Security Audits Radically Reduce Cost of Securing Your Website
  July 24th, 2000

  SecuritySpace.com, http://www.SecuritySpace.Com, a leading security
  portal, today launched the Desktop Security Audit, a new tool that
  will radically reduce the cost of finding and fixing website and
  PC-based security holes.
  http://www.linuxsecurity.com/articles/vendors_products_article-1188.html

General News:
-------------

* LinuxSecurity.com Releases the LinuxSecurity Quick Reference Card
  July 28th, 2000

  This Quick Reference Card is intended to provide a starting point for
  improving the security of your system. It contains references to
  security resources around the net, tips on securing your Linux box,
  and general security information.
  http://www.linuxsecurity.com/articles/documentation_article-1208.html

* A hacker in a white hat
  July 26th, 2000

  My local county newspaper has a story on Brian Martin from
  attrition.org. "A recent news release describing Brian Martin awards
  him a most unusual title: ex-hacker.
  Martin, a thin young man with a wide smile, laughs at the
  characterization but doesn't dispute it. The security consultant says
  he used to run with a group of teens and twentysomethings in Denver
  who would spend their free time "hacking" (breaking into computer
  systems) and "phreaking" (breaking into phone systems) when they
  weren't frequenting clubs and bars."
  http://www.linuxsecurity.com/articles/general_article-1205.html

* US downplays wiretap risks
  July 26th, 2000

  United States officials are trying to calm concerns about a new FBI
  internet-wiretapping system called Carnivore, describing it as a
  "small-scale device" and insisting that fears of broad online
  surveillance are exaggerated. Carnivore allows US law enforcement
  agencies to find and follow the e-mails of a criminal suspect among
  the flood of other data passing through an internet service provider.
  http://www.linuxsecurity.com/articles/privacy_article-1202.html

* Online Privacy 101
  July 25th, 2000

  The nonprofit advocacy group that has stamped its privacy seal of
  approval on nearly 2,000 Web sites will team up with a dozen major
  Internet companies to launch a consumer education campaign. TRUSTe
  plans to announce its "Privacy Partnership 2000 Campaign" on Tuesday
  morning. The goal is to educate online consumers about privacy issues
  and individual rights through newspaper, radio and Internet
  advertising.
  http://www.linuxsecurity.com/articles/privacy_article-1196.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".