+---------------------------------------------------------------------+
| LinuxSecurity.com                                 Weekly Newsletter |
| July 10, 2000                                   Volume 1, Number 11 |
|                                                                     |
| Editorial Team:  Dave Wreski      dave@linuxsecurity.com            |
|                  Benjamin Thomas  ben@linuxsecurity.com             |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines and system
advisories.

This week, several vendors released patches for a denial of service
vulnerability in BitchX. It is caused by improper handling of incoming
invitation messages. Any user on IRC can send the client an invitation
message that causes BitchX to segfault. Patches were also released for
man. The problem exists because the makewhatis portion of the man
package uses files in /tmp in an insecure fashion. It was possible for
local users to exploit this vulnerability to modify files that they
normally could not.

If you're running FreeBSD, now is a good time to update your system.
Patches for majordomo, OpenSSH, libedit, popper, wu-ftpd, canna,
XFree86, and BitchX were released.

http://www.linuxsecurity.com/advisories/freebsd.html

In the news, the article "Securing Sendmail" provides helpful
information for users wishing to tighten sendmail's security. Sections
include: general security, tuning sendmail for security, file and
directory modes, restrictive file access, and other tips for the truly
paranoid. This is an overall well written paper that can provide much
benefit.

Our feature this week, "Security is Not a Luxury Anymore for Small
Business," by Andrew Kaufman of LinuxSolve.net discusses the
short-sighted thinking that is prevalent in many companies that do not
put in place effective security measures. He points out that many new
companies often regard security as a "Luxury," or 'something down the
road, when time permits.'
Thinking in this manner is a harmful risk to any type of organization.

http://www.linuxsecurity.com/feature_stories/feature_story-58.html

Our sponsor this week is WebTrends. Their Security Analyzer has the most
vulnerability tests available for Red Hat & VA Linux. It uses advanced
agent-based technology, enabling you to scan your Linux servers from
your Windows NT/2000 console and protect them against potential threats.
Now with over 1,000 tests available.

http://www.webtrends.com/redirect/linuxsecurity1.htm

HTML Version Available:
http://www.linuxsecurity.com/articles/forums_article-1081.html

---------------------
Advisories This Week:
---------------------

* Mandrake: BitchX update
July 8th, 2000

A denial of service vulnerability exists in BitchX. Improper handling of
incoming invitation messages can crash the client. Any user on IRC can
send the client an invitation message that causes BitchX to segfault.

http://www.linuxsecurity.com/advisories/mandrake_advisory-542.html

* Caldera: makewhatis vulnerability
July 7th, 2000

There is a problem in the way the makewhatis script, which is run daily
to rebuild the database used by the whatis(1) command, handles temporary
files. This can be exploited by local users to corrupt arbitrary files
on the system.

http://www.linuxsecurity.com/advisories/caldera_advisory-539.html

* Caldera: Denial of Service against irc-BX
July 7th, 2000

The IRC client irc-BX (otherwise known as B*tchX) will accept bogus data
from other IRC users that causes it to crash, and possibly even to
execute malicious code. An exploit has been published that will result
in a crash of the IRC client.

http://www.linuxsecurity.com/advisories/caldera_advisory-540.html

* Mandrake: man vulnerability
July 7th, 2000

Local users may gain a variety of privileges depending on the complexity
of the exploit. The mode of any file on the system can be changed to
0700. Any file on the system may be created or overwritten as root.
Local users may also be able to read any system file by forcing a copy
of it into the whatis database.

http://www.linuxsecurity.com/advisories/mandrake_advisory-537.html

* Mandrake: inn vulnerability
July 7th, 2000

A vulnerability exists when verifycancels is enabled in
/etc/news/inn.conf. This vulnerability could be used to gain root access
on any system with inn installed.

http://www.linuxsecurity.com/advisories/mandrake_advisory-538.html

* Conectiva: BitchX vulnerability
July 7th, 2000

The irc client BitchX can be taken down remotely by inviting the user to
a channel with format strings in its name. By receiving the invitation,
BitchX will crash immediately.

http://www.linuxsecurity.com/advisories/other_advisory-541.html

* FreeBSD: Majordomo vulnerability
July 6th, 2000

Unprivileged local users can run commands as the 'majordomo' user,
including accessing and modifying mailing-list subscription data.

http://www.linuxsecurity.com/advisories/freebsd_advisory-532.html

* FreeBSD: OpenSSH root vulnerability
July 6th, 2000

The sshd server is typically invoked as root so it can manage general
user logins. OpenSSH has a configuration option, not enabled by default
("UseLogin") which specifies that user logins should be done via the
/usr/bin/login command instead of handled internally.

http://www.linuxsecurity.com/advisories/freebsd_advisory-533.html

* FreeBSD: libedit vulnerability
July 6th, 2000

An attacker can cause a user to execute arbitrary commands within a
program which is run from a directory to which the attacker has write
access, potentially leading to system compromise if run as a privileged
user (such as root).

http://www.linuxsecurity.com/advisories/freebsd_advisory-534.html

* FreeBSD: popper port contains remote vulnerability
July 6th, 2000

The popper port, version 2.53 and earlier, incorrectly parses string
formatting operators included in part of the email message header.
A remote attacker can send a malicious email message to a local user
which can cause arbitrary code to be executed on the server when a POP
client retrieves the message using the UIDL command.

http://www.linuxsecurity.com/advisories/freebsd_advisory-535.html

* FreeBSD: wu-ftpd port contains remote root compromise
July 6th, 2000

The wu-ftpd port, versions 2.6.0 and below, contains a vulnerability
which allows remote anonymous FTP users to execute arbitrary code as
root on the local machine, by inserting string-formatting operators into
command input, which are incorrectly parsed by the FTP server.

http://www.linuxsecurity.com/advisories/freebsd_advisory-528.html

* FreeBSD: Canna port remote vulnerability
July 6th, 2000

The Canna server contains an overflowable buffer which may be exploited
by a remote user to execute arbitrary code on the local system as user
'bin'.

http://www.linuxsecurity.com/advisories/freebsd_advisory-529.html

* FreeBSD: XFree86-4.0 port contains local root overflow
July 6th, 2000

XFree86 4.0 contains a local root vulnerability in the XFree86 server
binary, due to incorrect bounds checking of command-line arguments.

http://www.linuxsecurity.com/advisories/freebsd_advisory-530.html

* FreeBSD: bitchx port contains client-side vulnerability
July 6th, 2000

The bitchx client incorrectly parses string-formatting operators
included as part of channel invitation messages sent by remote IRC
users. This can cause the local client to crash, and may possibly
present the ability to execute arbitrary code as the local user.

http://www.linuxsecurity.com/advisories/freebsd_advisory-531.html

* RedHat: BitchX denial of service vulnerability
July 6th, 2000

A denial of service vulnerability exists in BitchX. Improper handling of
incoming invitation messages can crash the client. Any user on IRC can
send the client an invitation message that causes BitchX to segfault.

http://www.linuxsecurity.com/advisories/redhat_advisory-536.html

* RedHat: man 'makewhatis' vulnerability
July 4th, 2000

The makewhatis portion of the man package used files in /tmp in an
insecure fashion. It was possible for local users to exploit this
vulnerability to modify files that they normally could not and gain
elevated privilege.

http://www.linuxsecurity.com/advisories/redhat_advisory-525.html

* RedHat PowerTools: Multiple local imwheel vulnerabilities
July 4th, 2000

Multiple local vulnerabilities exist in imwheel. Read access violations
where there is no checking of the file itself, it follows a symlink
blindly. Perl wrapper might allow other users on the machine to kill the
imwheel process.

http://www.linuxsecurity.com/advisories/redhat_advisory-524.html

-----------------------
Top Articles This Week:
-----------------------

Host Security News:
-------------------

* Securing Sendmail
July 6th, 2000

This two-part series on securing sendmail, based on the tutorial given
by Eric Allman and Greg Shapiro at the recent USENIX technical
conference in San Diego, begins by detailing the measures you can take
to secure any sendmail installation.

http://www.linuxsecurity.com/articles/network_security_article-1054.html

* Comment: Securing Web connections
July 6th, 2000

SSH is an encrypted connection to a remote host running an SSH server.
It gives you the ability to log on to a system with an encrypted session
so that everything -- your name and password as well as your keystrokes
-- is unreadable by any sniffer.

http://www.linuxsecurity.com/articles/network_security_article-1057.html

Network Security News:
----------------------

* CERT/CC Current Activity
July 7th, 2000

Just a note to remind everyone that CERT has updated their current
activity list. The wu-ftpd, bind NXT, and port scan reports are
increasing and should be taken seriously. Learn to recognize the
signatures of these attacks, and ensure you are protected.

http://www.linuxsecurity.com/articles/security_sources_article-1070.html

* KPMG releases white paper on cybercrime
July 5th, 2000

A new report on e-commerce and cybercrime provides tips for governments
to consider in order to prevent security breaches. The white paper,
"E-Commerce and Cyber Crime: New Strategies for Managing the Risks of
Exploitation," focuses on businesses, but the issues are applicable to
governments too.

http://www.linuxsecurity.com/articles/government_article-1040.html

* How to protect your network
July 5th, 2000

ParaProtect, a network security portal in Alexandria, Va., reports that
90 percent of the security breaches its technicians work on are based on
attacks from within. Even more shocking is that upwards of 50 percent
are caused by the company's own network administrators. So what can you
do to protect your network? Here's a list of tips culled from industry
analysts, security experts, corporate executives and agents of the U.S.
Secret Service.

http://www.linuxsecurity.com/articles/network_security_article-1050.html

Cryptography News:
-------------------

* Crypto Users Can't See FBI.gov
July 8th, 2000

Is the FBI blocking privacy-equipped browsers from its website? The
question goes unanswered a week after users of a commercial privacy
service found themselves unable to access the Federal Bureau of
Investigation's fbi.gov site.

http://www.linuxsecurity.com/articles/cryptography_article-1079.html

* GlobalNet Adds Philip Zimmermann, Authority on Encryption, to its
  Board Of Directors
July 7th, 2000

GlobalNet, Inc. today announced it has added one of the nation's top
authorities on encryption to its board of directors. Philip R.
Zimmermann, senior fellow at Network Consultants and founder of PGP,
Inc., which produced Pretty Good Privacy, the most widely used email
encryption software in the world, has been elected to fill an open
position on GlobalNet's board of directors.

http://www.linuxsecurity.com/articles/general_article-1075.html

* Diffie-Hellman Key Exchange
July 6th, 2000

A colleague recently asked if I could help him understand the
Diffie-Hellman key exchange protocol... without digging through the
math. My answer was "Yes I can, but not easily." Doing so requires a few
diagrams because, in this particular case, a picture is worth at least a
thousand words!

http://www.linuxsecurity.com/articles/cryptography_article-1055.html

* PGP patch prevents remote server crash
July 4th, 2000

A recent report by the Underground Security Systems Research group
identifies a weakness in the PGP Certificate Server code that can allow
a malicious user to crash the authentication server. Network Associates
has released a patch that prevents this particular vulnerability. With
testing help from KeyLabs, BugNet was able to validate this bug.

http://www.linuxsecurity.com/articles/cryptography_article-1032.html

Vendor/Product/Tools News:
---------------------------

* Security Agency Selects Secure Computing to Provide Enforcement
July 7th, 2000

Here's an older announcement from Secure Computing, but serves as a
precursor to a shortly forthcoming interview with their senior corporate
members. "Secure Computing Corporation announced that it has been
awarded a sole source contract by the National Security Agency (NSA) to
develop a Secure Linux Operating System (OS).

http://www.linuxsecurity.com/articles/vendors_products_article-1072.html

* Secure Computing Announces Availability of SafeWord on Linux
July 6th, 2000

Secure Computing Corporation, from the RSA Conference 2000, today
announced first customer availability of SafeWord, the leading scalable
authentication solution in the industry, on the Linux operating system
(OS). Traditionally, SafeWord running on the UNIX platform has a history
of being the highest performing, most robust and scalable authentication
solution available.

http://www.linuxsecurity.com/articles/vendors_products_article-1066.html

* Fingerprint scanning for smartcards
July 5th, 2000

The promise of combining fingerprint recognition with smartcards is now
a step closer to being fulfilled. Norman Data Defense Systems -- one of
the companies working on smartcard data security systems with Siemens
and others -- announced it has succeeded in combining the two security
systems by putting fingerprint recognition directly onto a smartcard.

http://www.linuxsecurity.com/articles/vendors_products_article-1041.html

* 3Com Introduces Layer 3 Wireless LAN Security Solution
July 5th, 2000

3Com Corporation announced a simple yet powerful solution for securing
data transmitted over a wireless local area network (LAN). The company's
wireless secure tunneling solution adds seamless Layer 3 tunneling,
authentication and encryption to the 3Com AirConnect 11Mbps Wireless LAN
to address the needs of commercial customers who must deliver secure
wireless connectivity to hundreds or thousands of users.

http://www.linuxsecurity.com/articles/vendors_products_article-1051.html

* Medusa DS9 Security System
July 4th, 2000

An administrator can create his own security model, which can complete
or override the original UNIX model. I have told you the principle is
simple; however, the actual implementation is a bit complicated. If you
are interested in how, see Resources.

http://www.linuxsecurity.com/articles/vendors_products_article-1030.html

* Security Threats from the Gadgets
July 3rd, 2000

Personal Digital Assistants, such as PalmPilots and Pocket PCs, pose a
security threat for a number of reasons: they are relatively new; their
small size and low cost make them easy to obtain and difficult to
control; they have tremendous connectivity and storage capabilities; and
most of all, they are extremely popular.

http://www.linuxsecurity.com/articles/network_security_article-1024.html

General News:
--------------

* U.S./Europe privacy deal sent back for more talks
July 7th, 2000

A month after the 15 member nations of the European Union approved a
proposed set of data-privacy rules for U.S. companies that do business
in those countries, the European Parliament yesterday voted to send the
so-called safe harbor agreement back to the negotiating table.

http://www.linuxsecurity.com/articles/privacy_article-1069.html

* Deloitte Publishes E-Commerce Security Report
July 7th, 2000

Deloitte Touche Tohmatsu (DTT) and the Information Systems Audit and
Control Foundation (ISACF) have published a report entitled "E-commerce
Security Enterprise Best Practices." The report is the result of a
worldwide survey of professionals in 46 locations, including Hong Kong,
over a period of six months.

http://www.linuxsecurity.com/articles/host_security_article-1077.html

* Digital Signatures May Quicken Pace of E-Business
July 6th, 2000

The law that President Clinton signed last week allowing businesses and
consumers to seal a wide variety of legally binding arrangements with
electronic rather than handwritten signatures raised the speed limit on
e-business development, analysts say.

http://www.linuxsecurity.com/articles/cryptography_article-1060.html

* P3P: A green light for privacy on the Web?
July 6th, 2000

Starting next year, Web sites that violate user privacy are going to
find themselves under an embarrassing cyberspotlight. The sites will be
targeted by a new technology known as the Platform for Privacy
Preferences Project, or P3P. Developed by several companies and privacy
advocates in conjunction with the standards-setting World Wide Web
Consortium (W3C), the technology will alert surfers whenever they
encounter Web sites that seek to collect more data than the user wants
to share.

http://www.linuxsecurity.com/articles/privacy_article-1056.html

* Is Free Software Insecure?
July 4th, 2000

Hari writes, "A quite interesting question addressed "which gives better
security as a generic model of software development, open source or
closed source software?" It goes on to list out some notable myths on
the same and comes to a conclusion that there's really no reasonable way
of implementing security except by peer review and public scrutiny."

http://www.linuxsecurity.com/articles/general_article-1034.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                 LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------