Date: Mon, 12 Jun 2000 02:10:23 -0400 (EDT)
From: newsletter-admins@linuxsecurity.com
To: newsletter@linuxsecurity.com
Subject: Linux Security Week June 12, 2000

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  June 12, 2000                                Volume 1, Number 7    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading LinuxSecurity.com's weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines and system advisories.

A very serious Linux kernel security bug was recently discovered that allows local users to gain root access. The problem lies in the Linux kernel capability model and affects all 2.2.x kernels. To ensure that this vulnerability cannot be exploited by programs running on Linux, users are advised to update to kernel version 2.2.16 immediately.

Security updates for KDE, inn, mailx and qpop were issued by many vendors. Some vendors also reported a flaw in the SSL transaction handling of Netscape. Keep in mind that the absence of an update from your vendor, when another vendor has released one, does not mean your system is not vulnerable.

Recently added to the site is the WebTrends Security Analyzer. The WebTrends Security Analyzer has the most vulnerability tests for Red Hat & VA Linux. Using advanced agent-based technology, you can scan your Linux servers from your Windows NT/2000 console and protect them against potential threats. Now with over 1,000 tests available.
http://www.webtrends.com/redirect/linuxsecurity1.htm

--------------------------------------

Linux Security Week Index:

Advisories:

June 10th, 2000 - Conectiva: Security problems with capabilities
June 9th, 2000 - Caldera: Netscape SSL vulnerability
June 9th, 2000 - SuSE 6.x: qpop vulnerability
June 8th, 2000 - Caldera: serious bug in setuid()
June 8th, 2000 - Linux Kernel 2.2.x: Local users obtain root
June 8th, 2000 - Conectiva: gpm Remote buffer overflow
June 8th, 2000 - BRU: local root exploit vulnerability
June 8th, 2000 - FreeBSD: ssh port listens
June 8th, 2000 - FreeBSD: apsfilter
June 8th, 2000 - Linux Kernel Security Bug Discovered
June 8th, 2000 - Solar Designer's OpenWall Kernel Patch
June 8th, 2000 - BSD Based Operating Systems: IPCS
June 7th, 2000 - Conectiva: cdrecord buffer overflow
June 7th, 2000 - Caldera: buffer overflow in inn
June 7th, 2000 - RedHat 6.x: kdelibs vulnerability
June 6th, 2000 - Conectiva: INN Vulnerability
June 6th, 2000 - Caldera: kdelibs vulnerability
June 5th, 2000 - Debian: mailx local exploit

Firewall News:

June 8th, 2000 - Dialup firewalling with FreeBSD

Linux Host Security:

June 8th, 2000 - Delegating superuser tasks with sudo
June 8th, 2000 - Linux security classes
June 7th, 2000 - How To Eliminate The Ten Most Critical Threats
June 7th, 2000 - A Capabilities Based Operating System

Linux Server Security:

June 9th, 2000 - The Soothingly Seamless Setup of Apache, SSL
June 8th, 2000 - Linux 101: Basic network security
June 7th, 2000 - Security scare as outsiders get access passwords
June 7th, 2000 - Bastille Linux: A Walkthrough
June 7th, 2000 - Is Linux a net security risk?
June 6th, 2000 - Hardening Linux Machines For Web Services

Cryptography:

June 8th, 2000 - OpenSSH 2.2.1 Released
June 6th, 2000 - U.S. To Follow EU Crypto Lead
June 6th, 2000 - Encryption: Where Next?
June 5th, 2000 - Cryptography and Security

Vendors/Products/Tools:

June 9th, 2000 - WetStone Technologies Releases SMART Watch
June 9th, 2000 - Linux Kernel Auditing Project
June 8th, 2000 - OpenSSH v2.2.1 Released
June 6th, 2000 - SSH Version 2.2 Released
June 5th, 2000 - Secure open source Web server debuts at Linux expo

Community News:

June 9th, 2000 - Linux Kernel Auditing Project
June 7th, 2000 - Infosec Outlook June 2000
June 7th, 2000 - The Arash Baratloo
June 7th, 2000 - Security is Important, and so is OS
June 6th, 2000 - Biometrics: More than a helping hand
June 6th, 2000 - Security Firm to List Additional Threats
June 5th, 2000 - A Data Sanctuary Is Born

Advisories this Week:

June 10th, 2000 - Conectiva: Security problems with capabilities
The 2.2.x series of the Linux kernel implements capabilities. Capabilities can be used to restrict what the root user can do. Many privileged programs, such as SUID programs, drop root privileges before taking certain actions, such as executing a user-supplied program.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-480.html

June 9th, 2000 - Caldera: Netscape SSL vulnerability
There are some flaws in the SSL transaction handling of Netscape Version 4.72 which could compromise encrypted SSL sessions.
http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-479.html

June 9th, 2000 - SuSE 6.x: qpop vulnerability
An attacker could send a mail with a maliciously formatted mail header to a person who receives their mail via qpop 2.53, to execute code with the privileges of user 'mail' at the qpop server.
http://www.linuxsecurity.com/advisories/advisory_documents/suse_advisory-478.html

June 8th, 2000 - Caldera: serious bug in setuid()
There is a serious vulnerability in the Linux kernel that allows local users to obtain root privilege by exploiting certain setuid root applications.
http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-477.html

June 8th, 2000 - Linux Kernel 2.2.x: Local users can obtain root privileges
A bug in the kernel capability model allows local users to obtain root privileges. All users should upgrade to kernel 2.2.16. Vendor kernel releases will be coming out shortly.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-476.html

June 8th, 2000 - Conectiva: gpm Remote buffer overflow
The gdm program is one of the graphical login choices available for Conectiva Linux users. A serious vulnerability has been found in this program during the XDMCP protocol processing that could lead to remote root compromise.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-475.html

June 8th, 2000 - BRU: local root exploit vulnerability
To prevent BRU from being exploited and offering root privileges, the binary file's privileges should be changed to 0550.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-484.html

June 8th, 2000 - FreeBSD: ssh port listens
A patch added to the FreeBSD SSH port on 2000-01-14 incorrectly configured the SSH daemon to listen on an additional network port, 722, in addition to the usual port 22. This change was made as part of a patch to allow the SSH server to listen on multiple ports, but the option was incorrectly enabled by default.
http://www.linuxsecurity.com/advisories/advisory_documents/freebsd_advisory-474.html

June 8th, 2000 - FreeBSD: apsfilter
The apsfilter port, versions 5.4.1 and below, contains a vulnerability which allows local users to execute arbitrary commands as the user running lpd, user root in a default FreeBSD installation. The apsfilter software allows users to specify their own filter configurations, which are read in an insecure manner and may be used to elevate privileges.
http://www.linuxsecurity.com/advisories/advisory_documents/freebsd_advisory-473.html

June 8th, 2000 - Linux Kernel Security Bug Discovered
A serious bug has been discovered in the Linux kernel that can be used by local users to gain root access. The problem, a vulnerability in the Linux kernel capability model, exists in kernel versions up to and including version 2.2.15. According to Alan Cox, a key member of the Linux developer community, "It will affect programs that drop setuid state and rely on losing saved setuid, even those that check that the setuid call succeeded." To ensure that this vulnerability cannot be exploited by programs running on Linux, Linux users are advised to update to kernel version 2.2.16 immediately. Information on "capabilities" is discussed in the Capabilities FAQ. We also recently ran a story on a capabilities-based operating system that is worth reading.
http://www.linuxsecurity.com/articles/server_security_article-831.html
ftp://ftp.guardian.no/pub/free/linux/capabilities/capfaq.txt

June 8th, 2000 - Solar Designer's OpenWall Kernel Patch
Solar's kernel security enhancement patch is now available for the recently-released 2.2.16 Linux kernel. "This patch is a collection of security-related features for the Linux kernel, all configurable via the new 'Security options' configuration section. In addition to the new features, some versions of the patch contain various security fixes. The number of such fixes changes from version to version, as some are becoming obsolete (such as because of the same problem getting fixed with a new kernel release), while other security issues are discovered."
http://www.linuxsecurity.com/articles/projects_article-839.html

June 8th, 2000 - BSD Based Operating Systems: IPCS Vulnerability
This advisory is for all 386BSD-derived OSes, including all versions of FreeBSD, NetBSD and OpenBSD. "An unprivileged local user can cause every process on the system to hang during exiting.
In other words, after the system call is issued, no process on the system will be able to exit completely until another user issues the "unblock" call or the system is rebooted. This is a denial-of-service attack."
http://www.linuxsecurity.com/articles/server_security_article-832.html

June 7th, 2000 - Conectiva: cdrecord buffer overflow
The cdrecord program has a buffer overflow problem in the processing of the command-line argument "dev=". By exploiting this vulnerability, a local user could make the program execute arbitrary commands. Conectiva Linux doesn't ship this binary with the SUID or SGID bits turned on. So, the vulnerability's extent is greatly reduced, not having the effect of granting higher user privileges.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-472.html

June 7th, 2000 - Caldera: buffer overflow in inn
There is a buffer overflow in the handling of control articles in some configurations of the InterNet News package (INN). This lets malicious attackers tailor control messages that might give them access to the local 'news' account.
http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-471.html

June 7th, 2000 - RedHat 6.x: kdelibs vulnerability
In kdelibs 1.1.2, there are security issues with the way some applications perform when they are run suid root. The only application vulnerable is kwintv from Powertools. With our PAM configuration, the suid bit for kwintv is not necessary.
http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-470.html

June 6th, 2000 - Conectiva: INN Vulnerability
An update to the INN package has been released for the Conectiva distribution that fixes a buffer overflow.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-469.html

June 6th, 2000 - Caldera: kdelibs vulnerability
There is a very serious vulnerability in the way KDE starts applications that allows local users to take over any file in the system by exploiting a setuid root KDE application.
http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-468.html

June 5th, 2000 - Debian: mailx local exploit
The version of mailx distributed in Debian GNU/Linux 2.1 (a.k.a. slink), as well as in the frozen (potato) and unstable (woody) distributions, is vulnerable to a local buffer overflow while sending messages. This could be exploited to give a shell running with group "mail".
http://www.linuxsecurity.com/advisories/advisory_documents/debian_advisory-467.html

Firewall News:

June 8th, 2000 - Dialup firewalling with FreeBSD
This article documents how to set up a firewall using a PPP dialup with FreeBSD and IPFW, and specifically with firewalling over a dialup with a dynamically assigned IP address. It does not cover how to set up a standard PPP connection.
http://www.linuxsecurity.com/articles/firewalls_article-840.html

Linux Host Security:

June 8th, 2000 - Delegating superuser tasks with sudo
"Instead of just handing out your root password to various users or beginning sys-admins or changing numerous programs as set uid root (to run as root), you can use sudo (which stands for "superuser do") to allow them to run certain commands as the super user (or as another user). Using sudo is also an idea for running scripts as another user since setting the suid bit for scripts does not work."
http://www.linuxsecurity.com/articles/host_security_article-842.html

June 8th, 2000 - Linux security classes
This article discusses a bit of history of security company ISS, its founder, and the new Linux security classes they are offering. "Internet Security Systems will offer classes in Linux security.
Take a look at the founder's background in network security and at the company's origins."
http://www.linuxsecurity.com/articles/forums_article-834.html

June 7th, 2000 - How To Eliminate The Ten Most Critical Internet Security Threats
This SANS document takes their list of the top ten vulnerabilities one step further by actually providing steps and advice on eliminating the threats. "Here is the experts list of the Ten Most Often Exploited Internet Security Flaws along with the actions needed to rid your systems of these vulnerabilities."
http://www.linuxsecurity.com/articles/security_sources_article-824.html

June 7th, 2000 - A Capabilities Based Operating System
In this article, Kurt Seifried discusses various insecurities that are common in operating systems and the applications that accompany them. "There's been a lot of security advisories in the last few weeks, with some pretty major problems. There were even some nasty kernel level problems in several operating systems, allowing users to do all sorts of bad things (like hang any program on the system once it exits, or execute a local denial of service by slamming the ports). Even if you managed to squish every bug you could find, you would still not have a bug free system (because you are not going to find all the bugs). A good example of this is OpenBSD."
http://www.linuxsecurity.com/articles/host_security_article-821.html

Linux Server Security:

June 9th, 2000 - The Soothingly Seamless Setup of Apache, SSL, MySQL, and PHP
This article discusses the use of mod_ssl, OpenSSL, RSARef, MySQL and PHP to develop a secure web server. "Our objective is to install a web server that will allow us to host sites, that would be secure for e-commerce solutions, and that could be driven via scripts to connect to a database server and extract its data."
http://www.linuxsecurity.com/articles/server_security_article-850.html

June 8th, 2000 - Linux 101: Basic network security
Here is a nice little article that can help you get started in security. "Linux security can be as simple or as advanced as you want. A Linux system can be locked down (relatively speaking) with a simple one-two punch of /etc/hosts.deny and /etc/hosts.allow, or you can go as far as running a strong ipchain-style firewall ruleset and PortSentry."
http://www.linuxsecurity.com/articles/network_security_article-841.html

June 7th, 2000 - Security scare as outsiders get access to NetBSD software password
Developers of the NetBSD open source operating system say a recent security breach did not compromise the software's source code. NetBSD developer and project spokesman Charles Hannum has confirmed that a key developer's password was "discovered" by outsiders. The password would have given hackers the opportunity to impersonate Paul Vixie, a leading developer with the right to make changes to the source code for the software, although not directly.
http://www.linuxsecurity.com/articles/server_security_article-830.html

June 7th, 2000 - Bastille Linux: A Walkthrough
This article presents a walkthrough of Bastille Linux, a popular hardening program for Red Hat and Mandrake, available for free from Jon Lasser, Pete Watkins, myself, and the rest of the Bastille Linux project. This walkthrough won't be the kind of "paranoid" setup that I enjoy most, as that could remove too much functionality for the average reader. Don't worry - I'll explain what we'll break in each setting, how we'll break it, and how you can fix it. But first, a shameless plug: I'll let you know about the cool features in the newest Bastille version, which we've just released.
http://www.linuxsecurity.com/articles/projects_article-827.html

June 7th, 2000 - Is Linux a net security risk?
A SANS Institute of America report has named Linux and Unix operated sites as more vulnerable to internet attacks than Windows and Mac powered sites. Compiled by US industry, government, and academics, the June 1 paper, titled How to Eliminate the Ten Most Critical Internet Security Threats: The Experts' Consensus, names versions of Unix and Linux systems in nine out of a "top ten" list of security vulnerabilities for operating systems that engineers "need to eliminate". Dean Stockwell, director of sales and support, Network Associates Asia-Pacific, dismissed SANS's report as "skewed".
http://www.linuxsecurity.com/articles/network_security_article-826.html

June 6th, 2000 - Hardening Linux Machines For Web Services
This is an introductory article on securing your Linux server. It starts with physical security then briefly discusses network security. "Your objective is to add as many rings or layers as possible, making the potential cracker take more time to get in (and increasing the chance of you noticing and stopping him before he roots you.)"
http://www.linuxsecurity.com/articles/server_security_article-816.html

Cryptography:

June 8th, 2000 - OpenSSH v2.2.1 Released
A new version of OpenSSH has been released. Version 2.2.1 fixes a few usability bugs and a security feature not enabled by default. OpenSSH is a freely-available implementation of Secure Shell, a telnet/ftp/rlogin replacement that provides strong authentication and encryption.
http://www.linuxsecurity.com/articles/cryptography_article-837.html

June 6th, 2000 - U.S. To Follow EU Crypto Lead
When the EU meets on June 13th, crypto in the US could be a different story shortly thereafter. "If the European Union votes next week to relax encryption regulations, the United States says it will take similar steps.
Commerce Department Undersecretary William Reinsch said Monday that any change, designed to make sure American high-tech companies aren't disadvantaged, will have to wait until the Europeans reach a decision."
http://www.linuxsecurity.com/articles/cryptography_article-817.html

June 6th, 2000 - Encryption: Where Next?
This SC Mag article discusses the history of crypto, the current controversy over exportation, info on the new crypto standard emerging, and "Crystal Ball" predictions. "The business arguments (for e-business) are important and irresistible. The challenge is for the business world to find the way to use the technology more safely than they can right now." Cryptography devices will be embedded in modems, cable modems, cellular phones and more, when applied to lower-value transactions, he adds. Higher-value dealings will warrant stronger protection, negating the possibility of software solutions and their inherent limitations. Simply put, he explains further, business transactions need new, stronger algorithms."
http://www.linuxsecurity.com/articles/cryptography_article-815.html

June 5th, 2000 - Cryptography and Security
Here is a good paper that gives readers a basic understanding of cryptography. "Cryptography addresses one specific security-related requirement, and does so superbly: protecting a message or a file from being read by an eavesdropper who has no other means of access to either the original text of what is protected, or the key with which it is encrypted. At one time, cryptography wasn't as effective as this: during World War II, only a few systems, other than one-time pads, remained unbroken, primarily the top-level systems used by the Allies. But today, personal computers have made it trivial to use very elaborate methods of encryption: whether or not major governments can break them, it is easy enough to be sure that hackers cannot."
http://www.linuxsecurity.com/articles/cryptography_article-805.html

Tools/Vendors/Products:

June 9th, 2000 - WetStone Technologies Releases SMART Watch Version 3.0
SMART Watch, a Preemptive Hacker Defense Tool and host-based intrusion detection system, detects when key "Watched" Files or Directories have been maliciously or accidentally altered. SMART Watch can automatically & immediately restore the damage to system resources upon detection, thus providing uninterrupted system operation.
http://www.linuxsecurity.com/articles/vendors_products_article-847.html

June 8th, 2000 - SecureNet PRO v3.0.7 Released
Version 3.0.7 of the SecureNet PRO Network Intrusion Detection and Monitoring suite is now available! SecureNet PRO is an enterprise-scalable security platform offering advanced custom protocol decoding, real-time monitoring and intrusion response features not found in other product offerings.
http://www.linuxsecurity.com/articles/vendors_products_article-836.html

June 6th, 2000 - SSH Version 2.2 Released
"SSH Secure Shell is the recognized de-facto standard for secure remote administration and secure file transfers over the Internet."
http://www.linuxsecurity.com/articles/vendors_products_article-813.html

June 5th, 2000 - Secure open source Web server debuts at Linux expo
Computer security firm C2Net announced the release of the new open source Stronghold Secure Web server at the European Linux Expo in London, Friday. The product from this US-based company is based on the open source Apache Web server and features 128-bit encryption. Open Source software enabling secure Web transactions contradicts the assumption that access to source code weakens security.
http://www.linuxsecurity.com/articles/vendors_products_article-804.html

Community News:

June 9th, 2000 - Linux Kernel Auditing Project
Brian Paxton writes, "It's an attempt to audit the linux kernel for any security vulnerabilities and/or holes and/or possible vulnerabilities and/or possible holes, and of course without adding more bugs or drawbacks to the existing kernels. The suggested kernels to be audited are 2.0.x kernel series, 2.2.x kernel series, and the 2.3.x/2.4.x kernel series. The group and its work shall be dealt and worked with via a mailing list."
http://www.linuxsecurity.com/articles/projects_article-844.html

June 7th, 2000 - Infosec Outlook June 2000
This CERT article talks about current trends and concerns in computer security today. Included are topics on liability for attacks, Internet-focused insurance policies, comments on virus prevention, "Safe computing tips" and more. "Intrusions are going to happen; it's inevitable. Administrators, their managers, and senior executives all need to know what they're up against so that they are better equipped to deal with attacks and be aware of what intruders are doing. Because attack techniques and tools are constantly changing, we must maintain constant vigilance."
http://www.linuxsecurity.com/articles/security_sources_article-825.html

June 7th, 2000 - The Arash Baratloo
Here is an interview with the authors of Libsafe... "Arash Baratloo and Navjot Singh two of the primary developers for Libsafe, a free software library that protects against security exploits based on buffer overflow vulnerabilities. They work as members of the Network Software Research Department at Bell Labs, the R&D arm of Lucent Technologies."
http://www.linuxsecurity.com/articles/projects_article-823.html

June 7th, 2000 - Security is Important, and so is Open Source
This article questions open source security and the "security" reputation that it has earned. "Is this reputation deserved? And more to the point can it be maintained?
However, some people wonder just how secure these and other "open" systems really are. How can a product whose source code is freely available to anyone who wants it, including people up to no good, be as secure as a product developed in a traditional and highly secret environment? How can secure development take place in an environment where no one is accountable, where the ruling ethos is that "many eyes" are more accountable than a proprietary enterprise?"
http://www.linuxsecurity.com/articles/forums_article-822.html

June 6th, 2000 - Biometrics: More than a helping hand
An increasing number of agencies and departments are turning to biometrics to achieve a higher level of security. Biometric devices measure a person's physical or behavioral characteristics, such as iris patterns, hand measurements, voice patterns and fingerprints, to ensure that the person accessing a device or location is who he or she claims to be. Biometric traits, unlike passwords and personal identification numbers (PINs), cannot be lost, stolen or easily duplicated.
http://www.linuxsecurity.com/articles/general_article-811.html

June 6th, 2000 - Security Firm to List Additional Threats
The threats listed in the document are just the "tip on the iceberg," Nowland said, warning network administrators not to feel safe simply because they address the 10 concerns outlined by SANS. NETSEC intends next week to release its own supplemented list of Internet security threats identified by its in-house team of hackers, Nowland said.
http://www.linuxsecurity.com/articles/network_security_article-810.html

June 5th, 2000 - A Data Sanctuary Is Born
Here's a "safe haven" to store info safe from gov't prying eyes... "A windswept gun tower anchored six miles off the stormy coast of England is about to become the first Internet data haven. ...
It's for "companies that want to have email servers in a location in which they can consider their email private and not open to scrutiny by anyone capable of filing a lawsuit," says Sean Hastings, the 32-year-old chief executive of HavenCo."
http://www.linuxsecurity.com/articles/general_article-808.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------