Date: Mon, 12 Jun 2000 02:10:23 -0400 (EDT)
From: newsletter-admins@linuxsecurity.com
To: newsletter@linuxsecurity.com
Subject: Linux Security Week June 12, 2000
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| June 12, 2000 Volume 1, Number 7 |
| |
| Editorial Team: Dave Wreski dave@linuxsecurity.com |
| Benjamin Thomas ben@linuxsecurity.com |
+---------------------------------------------------------------------+
Thank you for reading LinuxSecurity.com's weekly security newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's most relevant Linux security headlines and system advisories.
A very serious Linux kernel security bug was recently discovered that
allows local users to gain root access. The problem exists in the Linux
kernel capability model that affects all 2.2.x kernels. To ensure that
this vulnerability cannot be exploited by programs running on Linux, users
are advised to update to kernel version 2.2.16 immediately.
Security updates for KDE, inn, mailx and qpop were all issued by many
vendors. Some vendors also reported vulnerabilities with a flaw in the SSL
transaction handling of Netscape. Keep in mind that simply because your
vendor has not released an update that another vendor may have does not
mean your system is not vulnerable.
Recently added to the site is the WebTrends Security Analyzer. The
WedTrends Security Analyzer has the most vulnerability tests for Red Hat &
VA Linux. Using advanced agent-based technology, you can scan your Linux
servers from your Windows NT/2000 console and protect them against
potential threats. Now with over 1,000 tests available.
http://www.webtrends.com/redirect/linuxsecurity1.htm
--------------------------------------
Linux Security Week Index:
Advisories:
June 10th,2000 - Conectiva: Security problems with capabilities
June 9th, 2000 - Caldera: Netscape SSL vulnerability
June 9th, 2000 - SuSE 6.x: qpop vulnerability
June 8th, 2000 - Caldera: serious bug in setuid()
June 8th, 2000 - Linux Kernel 2.2.x: Local users obtain root
June 8th, 2000 - Conectiva: gpm Remote buffer overflow
June 8th, 2000 - BRU: local root exploit vulnerability
June 8th, 2000 - FreeBSD: ssh port listens
June 8th, 2000 - FreeBSD: apsfilter
June 8th, 2000 - Linux Kernel Security Bug Discovered
June 8th, 2000 - Solar Designer's OpenWall Kernel Patch
June 8th, 2000 - BSD Based Operating Systems: IPCS
June 7th, 2000 - Conectiva: cdrecord buffer overflow
June 7th, 2000 - Caldera: buffer overflow in inn
June 7th, 2000 - RedHat 6.x: kdelibs vulnerability
June 6th, 2000 - Conectiva: INN Vulnerability
June 6th, 2000 - Caldera: kdelibs vulnerability
June 5th, 2000 - Debian: mailx local exploit
Firewall News:
June 8th, 2000 - Dialup firewalling with FreeBSD Linux Host Security:
June 8th, 2000 - Delegating superuser tasks with sudo
June 8th, 2000 - Linux security classes
June 7th, 2000 - How To Eliminate The Ten Most Critical Threats
June 7th, 2000 - A Capabilities Based Operating System
Linux Server Security:
June 9th, 2000 - The Soothingly Seamless Setup of Apache, SSL
June 8th, 2000 - Linux 101: Basic network security
June 7th, 2000 - Security scare as outsiders get access passwords
June 7th, 2000 - Bastille Linux: A Walkthrough
June 7th, 2000 - Is Linux a net security risk?
June 6th, 2000 - Hardening Linux Machines For Web Services
Cryptography:
June 8th, 2000 - OpenSSH 2.2.1 Released
June 6th, 2000 - U.S. To Follow EU Crypto Lead
June 6th, 2000 - Encryption: Where Next?
June 5th, 2000 - Cryptography and Security Vendors/Products/Tools:
June 9th, 2000 - WetStone Technologies Releases SMART Watch
June 9th, 2000 - Linux Kernel Auditing Project
June 8th, 2000 - OpenSSH v2.2.1 Released
June 6th, 2000 - SSH Version 2.2 Released
June 5th, 2000 - Secure open source Web server debuts at Linux expo
Community News:
June 9th, 2000Linux Kernel Auditing Project
June 7th, 2000 - Infosec Outlook June 2000
June 7th, 2000 - The Arash Baratloo
June 7th, 2000 - Security is Important, and so is OS
June 6th, 2000 - Biometrics: More than a helping hand
June 6th, 2000 - Security Firm to List Additional Threats
June 5th, 2000 - A Data Sanctuary Is Born
Advisories this Week:
June 10th, 2000
Conectiva: Security problems with capabilities
The 2.2.x series of the linux kernel implement capabilities. Capabilites
can be used to restrict what the root user can do. Many privileged
programs, such as SUID programs, drop root privileges before taking
certain action, such as executing an user supplied program.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-480.html
June 9th, 2000
Caldera: Netscape SSL vulnerability
There are some flaws in the SSL transaction handling of Netscape Version
4.72 which could compromise encrypted SSL sessions.
http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-479.html
June 9th, 2000
SuSE 6.x: qpop vulnerability
An attacker could send a mail with a malicously formated mail header to a
person, that reveives it's mail via qpop 2.53, to execute code with the
privileges of user 'mail' at the qpop server.
http://www.linuxsecurity.com/advisories/advisory_documents/suse_advisory-478.html
June 8th, 2000
Caldera: serious bug in setuid()
There is a serious vulnerability in the Linux kernel that allows local
users to obtain root privilege by exploiting certain setuid root
applications.
http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-477.html
June 8th, 2000
Linux Kernel 2.2.x: Local users can obtain root privileges
A bug in the kernel capability model allows local users to obtain root
privileges. All users should upgrade to kernel 2.2.16. Vendor kernel
releases will be coming out shortly.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-476.html
June 8th, 2000
Conectiva: gpm Remote buffer overflow
The gdm program is on of the graphical login choices available for
Conectiva Linux users. A serious vulnerability has been found in this
program during the XDMCP protocol processing that could lead to remote
root compromise.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-475.html
June 8th, 2000
BRU: local root exploit vulnerability
To prevent BRU from being exploited and offering root privileges, the
binary file's privileges should be changed to 0550.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-484.html
June 8th, 2000
FreeBSD: ssh port listens
A patch added to the FreeBSD SSH port on 2000-01-14 incorrectly configured
the SSH daemon to listen on an additional network port, 722, in addition
to the usual port 22. This change was made as part of a patch to allow the
SSH server to listen on multiple ports, but the option was incorrectly
enabled by default.
http://www.linuxsecurity.com/advisories/advisory_documents/freebsd_advisory-474.html
June 8th, 2000
FreeBSD: apsfilter
The apsfilter port, versions 5.4.1 and below, contain a vulnerability
which allow local users to execute arbitrary commands as the user running
lpd, user root in a default FreeBSD installation. The apsfilter software
allows users to specify their own filter configurations, which are read in
an insecure manner and may be used to elevate privileges.
http://www.linuxsecurity.com/advisories/advisory_documents/freebsd_advisory-473.html
June 8th, 2000
Linux Kernel Security Bug Discovered
A serious bug has been discovered in the Linux kernel that can be used by
local users to gain root access. The problem, a vulnerability in the Linux
kernel capability model, exists in kernel versions up to and including
version 2.2.15. According to Alan Cox, a key member of the Linux developer
community, "It will affect programs that drop setuid state and rely on
losing saved setuid, even those that check that the setuid call
succeeded."
To ensure that this vulnerability cannot be exploited by programs running
on Linux, Linux users are advised to update to kernel version 2.2.16
immediately. Information on "capabilities" are discussed in the
Capabilities FAQ. We also recently ran a story on a capabilities-based
operating system that is worth reading.
http://www.linuxsecurity.com/articles/server_security_article-831.html
ftp://ftp.guardian.no/pub/free/linux/capabilities/capfaq.txt
June 8th, 2000
Solar Designer's OpenWall Kernel Patch
Solar's kernel security enhancement patch is now available for the
recently-released 2.2.16 Linux kernel. "This patch is a collection of
security-related features for the Linux kernel, all configurable via the
new 'Security options' configuration section. In addition to the new
features, some versions of the patch contain various security fixes. The
number of such fixes changes from version to version, as some are becoming
obsolete (such as because of the same problem getting fixed with a new
kernel release), while other security issues are discovered."
http://www.linuxsecurity.com/articles/projects_article-839.html
June 8th, 2000
BSD Based Operating Systems: IPCS Vulnerability
This advisory is for all 386BSD-derived OSes, including all versions of
FreeBSD, NetBSD and OpenBSD. "An unprivileged local user can cause every
process on the system to hang during exiting. In other words, after the
system call is issued, no process on the system will be able to exit
completely until another user issues the "unblock" call or the system is
rebooted. This is a denial-of-service attack."
http://www.linuxsecurity.com/articles/server_security_article-832.html
June 7th, 2000
Conectiva: cdrecord buffer overflow
The cdrecord program has a buffer overflow problem in the processing of
the command-line argument "dev=". By exploring this vulnerability, a local
user could make the program execute arbitrary commands. Conectiva Linux
doesn't ship this binary with the SUID or SGID bits turned on. So, the
vulnerability's extent is greatly reduced, not having the effect of
granting higher user privileges.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-472.html
June 7th, 2000
Caldera: buffer overflow in inn
There is a buffer overflow in the handling of control articles in some
configurations of the InterNet News package (INN). This lets malicious
attackers tailor control message that might give them access to the local
'news' account.
http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-471.html
June 7th, 2000
RedHat 6.x: kdelibs vulnerability
In kdelibs 1.1.2, there are security issues with the way some applications
perform when they are run suid root. The only application vulnerable is
kwintv from Powertools. With our PAM configuration, the suid bit for
kwintv is not necessary.
http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-470.html
June 6th, 2000
Conectiva: INN Vulnerability
An update to the INN package has been released for the Conectiva
distribution that fixes a buffer overflow.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-469.html
June 6th, 2000
Caldera: kdelibs vulnerability
There is a very serious vulnerability in the way KDE starts applications
that allows local users to take over any file in the system by exploiting
setuid root KDE application.
http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-468.html
June 5th, 2000
Debian: mailx local exploit
The version of mailx distributed in Debian GNU/Linux 2.1 (a.k.a. slink),
as well as in the frozen (potato) and unstable (woody) distributions is
vulnerable to a local buffer overflow while sending messages. This could
be exploited to give a shell running with group "mail".
http://www.linuxsecurity.com/advisories/advisory_documents/debian_advisory-467.html
Firewall News:
June 8th, 2000
Dialup firewalling with FreeBSD
This article documents how to setup a firewall using a PPP dialup with
FreeBSD and IPFW, and specifically with firewalling over a dialup with a
dynamically assigned IP address. It does not cover how to setup a standard
PPP connection.
http://www.linuxsecurity.com/articles/firewalls_article-840.html
Linux Host Security:
June 8th, 2000
Delegating superuser tasks with sudo
"Instead of just handing out your root password to various users or
beginning sys-admins or changing numerous programs as set uid root (to run
as root), you can use sudo (which stands for "superuser do") to allow them
to run certain commands as the super user (or as another user). Using sudo
is also an idea for running scripts as another user since setting the suid
bit for scripts does not work."
http://www.linuxsecurity.com/articles/host_security_article-842.html
June 8th, 2000
Linux security classes
This article discusses a bit of history of security company ISS, its
founder, and the new Linux security classes they are offering. "Internet
Security Systems will offer classes in Linux security. Take a look at the
founder's background in network security and at the company's origins."
http://www.linuxsecurity.com/articles/forums_article-834.html
June 7th, 2000
How To Eliminate The Ten Most Critical Internet Security Threats
This SANS document takes their list of the top ten vulnerabilities one
step further by actually providing steps and advice on eliminating the
threats. "Here is the experts list of the Ten Most Often Exploited
Internet Security Flaws along with the actions needed to rid your systems
of these vulnerabilities."
http://www.linuxsecurity.com/articles/security_sources_article-824.html
June 7th, 2000
A Capabilities Based Operating System
In this article, Kurt Seifried discusses various insecurities that are
common in operating systems and the applications that accompany them.
"There's been a lot of security advisories in the last few weeks, with
some pretty major problems. There were even some nasty kernel level
problems in several operating systems, allowing users to do all sorts of
bad things (like hang any program on the system once it exits, or execute
a local denial of service by slamming the ports). Even if you managed to
squish every bug you could find, you would still not have a bug free
system (because you are not going to find all the bugs). A good example of
this is OpenBSD."
http://www.linuxsecurity.com/articles/host_security_article-821.html
Linux Server Security:
June 9th, 2000
The Soothingly Seamless Setup of Apache, SSL, MySQL, and PHP
This article discusses the use of mod_ssl, OpenSSL, RSARef, MySQL and PHP
to develop a secure web server. "Our objective is to install a web server
that will allow us to host sites, that would be secure for e-commerce
solutions, and that could be driven via scripts to connect to a database
server and extract its data."
http://www.linuxsecurity.com/articles/server_security_article-850.html
June 8th, 2000
Linux 101: Basic network security
Here is a nice little article that can help you get started in security.
"Linux security can be as simple or as advanced as you want. A Linux
system can be locked down (relatively speaking) with a simple one-two
punch of /etc/hosts.deny and /etc/hosts.allow, or you can go as far as
running a strong ipchain-style firewall ruleset and PortSentry.
http://www.linuxsecurity.com/articles/network_security_article-841.html
June 7th, 2000
Security scare as outsiders get access to NetBSD software password
Developers of the NetBSD open source operating system say a recent
security breach did not compromise the software's source code. NetBSD
developer and project spokesman Charles Hannum has confirmed that a key
developer's password was "discovered" by outsiders. The password would
have given hackers the opportunity to impersonate Paul Vixie, a leading
developer with the right to make changes to the source code for the
software, although not directly.
http://www.linuxsecurity.com/articles/server_security_article-830.html
June 7th, 2000
Bastille Linux: A Walkthrough
This article presents a walkthrough of Bastille Linux, a popular hardening
program for Red Hat and Mandrake, available for free from Jon Lasser, Pete
Watkins, myself, and the rest of the Bastille Linux project. This
walkthrough won't be the kind of "paranoid" setup that I enjoy most, as
that could remove too much functionality for the average reader. Don't
worry - I'll explain what we'll break in each setting, how we'll break it,
and how you can fix it. But first, a shameless plug: I'll let you know
about the cool features in the newest Bastille version, which we've just
released.
http://www.linuxsecurity.com/articles/projects_article-827.html
June 7th, 2000
Is Linux a net security risk?
A SANS Institute of America report has named Linux and Unix operated sites
as more vulnerable to internet attacks than Windows and Mac powered sites.
Compiled by US industry, government, and academics, the June 1 paper,
titled How to Eliminate the Ten Most Critical Internet Security Threats:
The Experts' Consensus, names versions of Unix and Linux systems in nine
out of a "top ten" list of security vulnerabilities for operating systems
that engineers "need to eliminate". Dean Stockwell, director of sales and
support, Network Associates Asia-Pacific, dismissed SANS's report as
"skewed".
http://www.linuxsecurity.com/articles/network_security_article-826.html
June 6th, 2000
Hardening Linux Machines For Web Services
This is a introductory article on securing your Linux server. It starts
with physical security then briefly discusses network security. "Your
objective is to add as many rings or layers as possible, making the
potential cracker take more time to get in (and increasing the chance of
you noticing and stopping him before he roots you.)"
http://www.linuxsecurity.com/articles/server_security_article-816.html
Cryptography:
June 8th, 2000
OpenSSH v2.2.1 Released
A new version of OpenSSH has been released. Version 2.2.1 fixes a few
usability bugs and a security feature not enabled by default. OpenSSH is a
freely-available implementation of Secure Shell, a telnet/ftp/rlogin
replacement that provides strong authentication and encryption.
http://www.linuxsecurity.com/articles/cryptography_article-837.html
June 6th, 2000
U.S. To Follow EU Crypto Lead
When the EU meets on June 13th, crypto in the US could be a different
story shortly thereafter. "If the European Union votes next week to relax
encryption regulations, the United States says it will take similar steps.
Commerce Department Undersecretary William Reinsch said Monday that any
change, designed to make sure American high-tech companies aren't
disadvantaged, will have to wait until the Europeans reach a decision."
http://www.linuxsecurity.com/articles/cryptography_article-817.html
June 6th, 2000
Encryption: Where Next?
This SC Mag article discusses the history of crypto, the current
controversy over exportation, info on the new crypto standard emerging,
and "Crystal Ball" predictions. "The business arguments (for e-business)
are important and irresistible. The challenge is for the business world to
find the way to use the technology more safely than they can right now."
Cryptography devices will be embedded in modems, cable modems, cellular
phones and more, when applied to lower-value transactions, he adds.
Higher-value dealings will warrant stronger protection, negating the
possibility of software solutions and their inherent limitations. Simply
put, he explains further, business transactions need new, stronger
algorithms."
http://www.linuxsecurity.com/articles/cryptography_article-815.html
June 5th, 2000
Cryptography and Security
Here is a good paper that gives readers a basic understanding of
cryptography. "Cryptography addresses one specific security-related
requirement, and does so superbly: protecting a message or a file from
being read by an eavesdropper who has no other means of access to either
the original text of what is protected, or the key with which it is
encrypted. At one time, cryptography wasn't as effective as this: during
World War II, only a few systems, other than one-time pads, remained
unbroken, primarily the top-level systems used by the Allies. But today,
personal computers have made it trivial to use very elaborate methods of
encryption: whether or not major governments can break them, it is easy
enough to be sure that hackers cannot."
http://www.linuxsecurity.com/articles/cryptography_article-805.html
Tools/Vendors/Products:
June 9th, 2000
WetStone Technologies Releases SMART Watch Version 3.0
SMART Watch, a Preemptive Hacker Defense Tool and host based intrusion
detection system detects when key "Watched" Files or Directories have been
maliciously or accidentally altered. SMART Watch can automatically &
immediately restore the damage to system resources upon detection, thus
providing uninterrupted system operation.
http://www.linuxsecurity.com/articles/vendors_products_article-847.html
June 8th, 2000
SecureNet PRO v3.0.7 Released
Version 3.0.7 of the SecureNet PRO Network Intrusion Detection and
Monitoring suite is now available! SecureNet PRO is an enterprise-scalable
security platform offering advanced custom protocol decoding, real-time
monitoring and intrusion response features not found in other product
offerings.
http://www.linuxsecurity.com/articles/vendors_products_article-836.html
June 6th, 2000
SSH Version 2.2 Released
"SSH Secure Shell is the recognized de-facto standard for secure remote
administration and secure file transfers over the Internet."
http://www.linuxsecurity.com/articles/vendors_products_article-813.html
June 5th, 2000
Secure open source Web server debuts at Linux expo
Computer security firm C2Net announced the release of the new open source
Stronghold Secure Web server at the European Linux Expo in London, Friday.
The product from this US-based company is based on the open source Apache
Web server and features 128-bit encryption. Open Source software enabling
secure Web transactions contradicts the assumption that access to source
code weakens security.
http://www.linuxsecurity.com/articles/vendors_products_article-804.html
Community News:
June 9th, 2000
Linux Kernel Auditing Project
Brian Paxton writes, "It's an attempt to audit the linux kernel for any
security vulnerabilities and/or holes and/or possible vulnerabilities
and/or possible holes, and of course without adding more bugs or drawbacks
to the existing kernels. The suggested kernels to be audited are 2.0.x
kernel series , 2.2.x kernel series, and the 2.3.x/2.4.x kernel series.
The group and it's work shall be dealt and worked with via a mailing
list."
http://www.linuxsecurity.com/articles/projects_article-844.html
June 7th, 2000
Infosec Outlook June 2000
This CERT article talks about current trends and concerns in computer
security today. Included are topics on liability for attacks,
Internet-focused insurance policies, comments on virus prevention, "Safe
computing tips" and more. "Intrusions are going to happen; it's
inevitable. Administrators, their managers, and senior executives all need
to know what they're up against so that they are better equipped to deal
with attacks and be aware of what intruders are doing. Because attack
techniques and tools are constantly changing, we must maintain constant
vigilance."
http://www.linuxsecurity.com/articles/security_sources_article-825.html
June 7th, 2000
The Arash Baratloo
Here is an interview with the authors of Libsafe..."Arash Baratloo and
Navjot Singh two of the primary developers for Libsafe, a free software
library that protects against security exploits based on buffer overflow
vulnerabilities. They work as members of the Network Software Research
Department at Bell Labs, the R&D arm of Lucent Technologies."
http://www.linuxsecurity.com/articles/projects_article-823.html
June 7th, 2000
Security is Important, and so is Open Source
This article questions open source security and the "security" reputation
that it has earned. "Is this reputation deserved? And more to the point
can it be maintained? However, some people wonder just how secure these
and other "open" systems really are. How can a product whose source code
is freely available to anyone who wants it, including people up to no
good, be as secure as a product developed in a traditional and highly
secret environment? How can secure development take place in an
environment where no one is accountable, where the ruling ethos is that
"many eyes" are more accountable than a proprietary enterprise? "
http://www.linuxsecurity.com/articles/forums_article-822.html
June 6th, 2000
Biometrics: More than a helping hand
An increasing number of agencies and departments are turning to biometrics
to achieve a higher level of security. Biometric devices measure a persons
physical or behavioral characteristics, such as iris patterns, hand
measurements, voice patterns and fingerprints, to ensure that the person
accessing a device or location is who he or she claims to be. Biometric
traits, unlike passwords and personal identification numbers (PINs),
cannot be lost, stolen or easily duplicated.
http://www.linuxsecurity.com/articles/general_article-811.html
June 6th, 2000
Security Firm to List Additional Threats
The threats listed in the document are just the "tip on the iceberg,"
Nowland said, warning network administrators not to feel safe simply
because they address the 10 concerns outlined by SANS. NETSEC intends next
week to release its own supplemented list of Internet security threats
identified by its in-house team of hackers, Nowland said.
http://www.linuxsecurity.com/articles/network_security_article-810.html
June 5th, 2000
A Data Sanctuary Is Born
Here's a "safe haven" to store info safe from gov't prying eyes... "A
windswept gun tower anchored six miles off the stormy coast of England is
about to become the first Internet data haven. ... It's for "companies
that want to have email servers in a location in which they can consider
their email private and not open to scrutiny by anyone capable of filing a
lawsuit," says Sean Hastings, the 32-year-old chief executive of HavenCo."
http://www.linuxsecurity.com/articles/general_article-808.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------