Date: 6 Jul 2004 20:04:33 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #191
SecurityFocus Linux Newsletter #191
------------------------------------
This Issue is Sponsored By: SecurityFocus
Want to keep up on the latest security vulnerabilities? Don't have time
to visit a myriad of mailing lists and websites to read the news? Just
add the new SecurityFocus RSS feeds to your freeware RSS reader, and see
all the latest posts for Bugtraq and the SF Vulnerability database in
one convenient place. Or, pull in the latest news, columnists and
feature articles in the SecurityFocus aggregated news feed, and stay on
top of what's happening in the community!
http://www.securityfocus.com/rss/index.shtml
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Close the E-Mail Wiretap Loophole
2. Multi-Layer Intrusion Detection Systems
3. The Allure and Curse of Complexity
II. LINUX VULNERABILITY SUMMARY
1. Apache ap_escape_html Memory Allocation Denial Of Service Vu...
2. Sun Java Runtime Environment Font Object Assertion Failure D...
3. Dr. Web Unspecified Buffer Overflow Vulnerability
4. Linux Kernel Sbus PROM Driver Multiple Integer Overflow Vuln...
5. Pavuk Remote Stack-Based Buffer Overrun Vulnerability
6. Linux Kernel IPTables Sign Error Denial Of Service Vulnerabi...
7. RSBAC Jail SUID And SGID File Creation Vulnerability
8. IBM Lotus Domino IMAP Quota Changing Vulnerability
9. FreeBSD Linux Binary Compatibility Memory Access Vulnerabili...
10. Esearch eupdatedb Symbolic Link Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. Weird! (Thread)
2. Last login missing (Thread)
3. Error installing Clamav? (Thread)
4. just running tcpdump makes promisc mode? (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. Cyber-Ark Inter-Business Vault
2. EnCase Forensic Edition
3. KeyGhost SX
4. SafeKit
5. Astaro Linux Firewall
6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
1. Ettercap v0.7.0 pre2
2. SnortNotify 1.02
3. Devil-Linux v1.2 Beta 1
4. GNU Anubis v3.9.94
5. DNSSEC Walker v3.4
6. Linux Intrusion Detection System (LIDS) v2.6.6
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Close the E-Mail Wiretap Loophole
By Mark Rasch
Some pretty sleazy operators are slipping through a hole in a federal
wiretap law that arguably leaves your e-mail unprotected from snooping.
http://www.securityfocus.com/columnists/253
2. Multi-Layer Intrusion Detection Systems
By Nathan Einwechter
This article discusses a framework for an mIDS, a system that brings
together many layers of technology into a single monitoring and
analysis engine, from integrity monitoring software like Tripwire to
system logs, IDS logs, and firewall logs.
http://www.securityfocus.com/infocus/1788
3. The Allure and Curse of Complexity
By Jason Miller
The curse of complexity is the bane of every security administrator, so
UNIX users take your pick: would you like BSD or Linux?
http://www.securityfocus.com/columnists/252
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Apache ap_escape_html Memory Allocation Denial Of Service Vu...
BugTraq ID: 10619
Remote: Yes
Date Published: Jun 28 2004
Relevant URL: http://www.securityfocus.com/bid/10619
Summary:
Apache Web Server is reportedly affected by a memory allocation based
denial of service vulnerability. This issue is due to a failure of the
server to handle excessively long HTTP header strings.
This issue would allow an attacker to cause the affected application to
crash, denying service to legitimate users.
Although Apache version 2.0.49 is reportedly affected by this issue, it
is likely that earlier versions are affected as well.
2. Sun Java Runtime Environment Font Object Assertion Failure D...
BugTraq ID: 10623
Remote: Yes
Date Published: Jun 28 2004
Relevant URL: http://www.securityfocus.com/bid/10623
Summary:
The Sun Java Runtime Environment Font object is reportedly vulnerable
to an assertion failure denial of service vulnerability. This issue is
due to a failure of the process to handle exceptional conditions when
processing font objects.
This issue is reported to affect Java Runtime Environment versions
1.4.1 through 1.4.2; it is likely however that other versions are also
affected. This issue will crash Internet browsers running an affected Java
plug-in as well.
This issue may be exploited by an attacker to cause a vulnerable
application, as well as all processes spawned from the application, to crash,
denying service to legitimate users. Due to the scope of the crash,
data loss may occur.
3. Dr. Web Unspecified Buffer Overflow Vulnerability
BugTraq ID: 10628
Remote: Yes
Date Published: Jun 29 2004
Relevant URL: http://www.securityfocus.com/bid/10628
Summary:
It has been reported that an unspecified buffer overflow vulnerability
exists in Dr. Web.
Users of Dr. Web have reported seeing this message logged to syslog by
ProPolice on OpenBSD computers:
drwebd: stack overflow in function int scanMail(int, time_t *, int,
int, const char *)
An unspecified buffer overflow in the scanMail() function may be
exploitable. If it is, attempts to exploit it may result in the affected
application crashing. This may also be leveraged to execute arbitrary code
in the context of the Dr. Web process.
As more information is known, this BID will be updated.
4. Linux Kernel Sbus PROM Driver Multiple Integer Overflow Vuln...
BugTraq ID: 10632
Remote: No
Date Published: Jun 29 2004
Relevant URL: http://www.securityfocus.com/bid/10632
Summary:
It is reported that the OpenPROM Linux kernel driver contains multiple
integer overflow vulnerabilities.
Two vulnerabilities are reported to exist in the OpenPROM driver, both
of which involve overflowing an integer value. These values are used to
allocate kernel memory and then to copy data into the kernel, so an
overflowed value could lead to overwriting large amounts of kernel
memory.
These vulnerabilities could lead to a system crash, or possible code
execution in the context of the kernel.
Some versions of the Linux kernel are vulnerable to both overflows,
other versions are only susceptible to one. Kernel version 2.6.6 does not
appear to be vulnerable.
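The allocation-size overflow described above is a general bug class rather than anything specific to the OpenPROM driver. The C below is an added example, not code from the Linux kernel or from the BID: it computes a constructed request size (header + count * elem, with those names and the 1 MiB policy cap assumed for the demo) first unchecked, then with the wraparound and cap checks a reviewer would expect before the result reaches an allocator and a copy.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example (not kernel code). A length supplied by an untrusted caller
 * sizes an allocation and then bounds a copy. If the size arithmetic wraps,
 * the buffer is tiny while the copy is huge: the pattern behind BID 10632. */

/* Assumed policy limit: no single request may ask for more than 1 MiB. */
#define MAX_REQUEST ((size_t)1 << 20)

/* Multiply two sizes, reporting wraparound instead of silently truncating. */
int checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;                  /* product would not fit in size_t */
    *out = a * b;
    return 1;
}

/* Add two sizes with the same overflow reporting. */
int checked_add(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a)
        return 0;
    *out = a + b;
    return 1;
}

/* Vulnerable pattern: header + count * elem computed with no checks. The
 * value returned is what such code would hand to the allocator; with a
 * crafted count it wraps to a small number while the copy length does not. */
size_t unchecked_alloc_size(size_t header, size_t count, size_t elem)
{
    return header + count * elem;
}

/* Hardened pattern: refuse the request if any step would wrap, and cap it
 * against an explicit maximum so a caller cannot exhaust memory either. */
int checked_alloc_size(size_t header, size_t count, size_t elem, size_t *out)
{
    size_t body, total;
    if (!checked_mul(count, elem, &body))
        return 0;
    if (!checked_add(header, body, &total))
        return 0;
    if (total > MAX_REQUEST)
        return 0;
    *out = total;
    return 1;
}

/* Copy caller-supplied bytes into a freshly sized buffer, but only after the
 * size passed validation and is covered by what the source actually holds.
 * Returns NULL when the request is rejected; the caller free()s the result. */
unsigned char *copy_in_checked(const unsigned char *src, size_t src_len,
                               size_t header, size_t count, size_t elem)
{
    size_t total;
    if (!checked_alloc_size(header, count, elem, &total) || total > src_len)
        return NULL;
    unsigned char *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, total);
    return buf;
}

int main(void)
{
    size_t n;
    /* A count chosen so that count * elem wraps to exactly zero. */
    size_t evil_count = SIZE_MAX / 4 + 1;
    printf("unchecked size with wrapping count: %zu\n",
           unchecked_alloc_size(16, evil_count, 4));
    printf("checked size accepts it: %d\n",
           checked_alloc_size(16, evil_count, 4, &n));
    printf("checked size for 100 x 4 + 16: %d (%zu)\n",
           checked_alloc_size(16, 100, 4, &n), n);
    return 0;
}
```

The unchecked version returns 16 for the wrapping count, so an allocator would hand back a 16-byte buffer while a copy driven by `count` would run far past it; the checked version rejects the same input before any memory is touched.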
5. Pavuk Remote Stack-Based Buffer Overrun Vulnerability
BugTraq ID: 10633
Remote: Yes
Date Published: Jun 30 2004
Relevant URL: http://www.securityfocus.com/bid/10633
Summary:
Pavuk is reported prone to a remote buffer overrun vulnerability. The
issue is reported to exist due to a lack of boundary checks performed
on third-party data, received from remote HTTP servers, before the data
is copied into a finite stack-based buffer.
Ultimately a remote malicious site may exploit this condition to
execute arbitrary code in the context of the user who is running the
vulnerable Pavuk software.
6. Linux Kernel IPTables Sign Error Denial Of Service Vulnerabi...
BugTraq ID: 10634
Remote: Yes
Date Published: Jun 30 2004
Relevant URL: http://www.securityfocus.com/bid/10634
Summary:
It has been reported that the Linux kernel is affected by a denial of
service vulnerability in the iptables implementation. This issue is due
to a failure of iptables to handle certain TCP packet header values.
An attacker can exploit this issue to cause the iptables implementation
to consume all CPU resources due to an infinite loop, denying service
to legitimate users.
7. RSBAC Jail SUID And SGID File Creation Vulnerability
BugTraq ID: 10640
Remote: No
Date Published: Jun 30 2004
Relevant URL: http://www.securityfocus.com/bid/10640
Summary:
The process jail feature of RSBAC reportedly improperly allows files to
be created with SUID and SGID attributes.
These files can then be used to escalate the privileges inside the
jail. This may allow for further attacks and possible system compromises.
Versions 1.2.2 and 1.2.3 are reported to be vulnerable to this issue. A
patch has been released by the vendor.
8. IBM Lotus Domino IMAP Quota Changing Vulnerability
BugTraq ID: 10642
Remote: Yes
Date Published: Jun 30 2004
Relevant URL: http://www.securityfocus.com/bid/10642
Summary:
IBM Lotus Domino server is reported to improperly allow users to alter
their own mail storage quota values.
A user's mailbox is assigned a quota to limit the amount of data that
can be consumed by email on the server. This quota is assigned by the
administrator of the application.
An attacker could possibly use this vulnerability to raise their
mailbox's quota to a very large amount, and then proceed to fill the
mail server's storage device. This will result in a denial of service
condition, where new mail cannot be stored on the full disk.
Domino versions 6.5.0 and 6.5.1 are reported vulnerable to this issue.
9. FreeBSD Linux Binary Compatibility Memory Access Vulnerabili...
BugTraq ID: 10643
Remote: No
Date Published: Jul 01 2004
Relevant URL: http://www.securityfocus.com/bid/10643
Summary:
It has been reported that FreeBSD is affected by a memory access
vulnerability in its Linux binary compatibility implementation. This
issue is due to a programming error that causes certain memory to be
accessed without proper validation.
This issue would allow an attacker to disclose and overwrite kernel
memory, resulting in information disclosure, privilege escalation and
potential denial of service.
10. Esearch eupdatedb Symbolic Link Vulnerability
BugTraq ID: 10644
Remote: No
Date Published: Jul 01 2004
Relevant URL: http://www.securityfocus.com/bid/10644
Summary:
It has been reported that eupdatedb, an esearch utility, is affected by
a symbolic link vulnerability. This issue is due to a failure of the
application to properly handle temporary file creation.
An attacker can leverage this vulnerability to create an arbitrary file
with the permissions of an unsuspecting user that has run the
vulnerable utility, facilitating a number of possible attacks.
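Temporary-file symlink issues of the kind reported above come from opening a predictable name in a shared directory with O_CREAT|O_TRUNC. The C below is an added example, not esearch or eupdatedb code: it stages the scenario in a private scratch directory (the file names, the `eupdatedb.tmp` name and the `demo()` helper are all constructed for this illustration) and contrasts that pattern with mkstemp(), which creates a uniquely named file with O_EXCL so a link planted at a guessed name is never opened.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Added example, not esearch code. A program that writes a temporary file at
 * a predictable name in a shared directory can be redirected: if a symbolic
 * link already sits at that name, open(O_CREAT|O_TRUNC) follows it and
 * truncates whatever it points at, with the victim's privileges. The names
 * below (eupdatedb.tmp, victim_data) are constructed for the demo. */

/* Open with O_CREAT|O_TRUNC and write. Used on a predictable path in a shared
 * directory this is the unsafe temp-file pattern: open() follows an existing
 * symlink. Returns 1 if all bytes were written. */
int write_following(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return 0;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data);
}

/* Hardened pattern: mkstemp() picks an unpredictable name and creates the file
 * with O_CREAT|O_EXCL, so a link planted at a guessed name is never opened.
 * The path actually created is copied to out_path. Returns 1 on success. */
int write_temp_safe(const char *dir, const char *data, char *out_path, size_t out_len)
{
    char tmpl[PATH_MAX];
    if (snprintf(tmpl, sizeof tmpl, "%s/eupdatedb.XXXXXX", dir) >= (int)sizeof tmpl)
        return 0;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    snprintf(out_path, out_len, "%s", tmpl);
    return n == (ssize_t)strlen(data);
}

/* Read up to len-1 bytes of a file into buf as a C string. Returns the byte
 * count, or -1 on error. */
int read_small(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return (int)n;
}

/* Stage the scenario in a private scratch directory and compare the two
 * patterns. Returns 1 when the unsafe write clobbered the victim file and the
 * mkstemp write left it intact, 0 otherwise, -1 if setup failed. */
int demo(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";       /* constructed scratch directory */
    if (mkdtemp(dir) == NULL)
        return -1;
    char target[PATH_MAX], link[PATH_MAX], created[PATH_MAX] = "", buf[64];
    snprintf(target, sizeof target, "%s/victim_data", dir);
    snprintf(link, sizeof link, "%s/eupdatedb.tmp", dir);   /* guessable name */

    /* The victim's own file, and a link planted at the predictable temp name. */
    if (!write_following(target, "original") || symlink(target, link) != 0)
        return -1;

    /* Unsafe: open() follows the link and rewrites the victim's file. */
    write_following(link, "clobbered");
    int clobbered = read_small(target, buf, sizeof buf) > 0 && strcmp(buf, "clobbered") == 0;

    /* Reset, then use mkstemp: a fresh name is chosen and the link is ignored. */
    write_following(target, "original");
    int ok = write_temp_safe(dir, "scratch", created, sizeof created);
    int intact = read_small(target, buf, sizeof buf) > 0 && strcmp(buf, "original") == 0;

    unlink(created);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return clobbered && ok && intact && strcmp(created, link) != 0;
}

int main(void)
{
    printf("demo result: %d\n", demo());
    return 0;
}
```

Everything happens inside a directory the program itself creates, so the demo touches nothing outside it; the point to take from it is that the fix is not a cleverer file name but O_EXCL creation, which is what mkstemp() provides.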
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. Weird! (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/368067
2. Last login missing (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/368004
3. Error installing Clamav? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/368000
4. just running tcpdump makes promisc mode? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/367997
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:
Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely
share business information among customers, business partners, and
remote branches. It provides a seamless, LAN-like experience over the
Internet that includes all the security, performance, accessibility,
and ease of administration required to allow organizations to share
everyday information worldwide. To learn more about these core
attributes of the Inter-Business Vault, see the relevant URL above.
2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS,
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:
EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award-winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view all
relevant files, including "deleted" files, file slack and unallocated
space.
The integrated functionality of EnCase allows the examiner to perform
all functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.
3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000,
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:
KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity within
an accounting or specialist system. It is completely undetectable by
software scanners and provides you with one of the most powerful stealth
surveillance applications offered anywhere.
Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data stored
within the device.
4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any
application available 24 hours per day. With no extra hardware: just use your
existing servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to
do is add more standard servers into the cluster. With the load
balancing features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to
serve your users.
5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary:
Astaro Linux Firewall: All-in-one firewall, virus protection, content
filtering and spam protection internet security software package for
Linux.
Free download for home users.
6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris,
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary:
Low cost, easy to use Two Factor Authentication One Time Password token
using a cellular phone. Does not use SMS or communication, manages
multiple OTP accounts - new technology. For any business that wants
safer access to its Internet Services. More information at our site.
We also provide an eAuthentication service for businesses that will not
buy an Authentication product but would prefer to pay a monthly charge
for authentication services from our CAT Server.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Ettercap v0.7.0 pre2
By: ALoR <alor@users.sourceforge.net>
Relevant URL: http://ettercap.sourceforge.net/
Platforms: FreeBSD, Linux, MacOS, NetBSD, Windows 2000, Windows NT,
Windows XP
Summary:
Ettercap is a network sniffer/interceptor/logger for ethernet LANs. It
supports active and passive dissection of many protocols (even ciphered
ones, like SSH and HTTPS). Data injection in an established connection
and filtering on the fly is also possible, keeping the connection
synchronized. Many sniffing modes were implemented to give you a powerful
and complete sniffing suite. Plugins are supported. It has the ability to
check whether you are in a switched LAN or not, and to use OS
fingerprints (active or passive) to let you know the geometry of the LAN.
2. SnortNotify 1.02
By: Adam Ely
Relevant URL: http://www.780inc.com/snortnotify/
Platforms: Linux
Summary:
Running from cron at a specified interval, SnortNotify will search a
Snort database for new alerts. If new alerts match a preconfigured
priority level, an email will be sent to the contact. The email will
include the sensor name, the signature name, and the timestamp.
3. Devil-Linux v1.2 Beta 1
By: Heiko Zuerker <heiko@devil-linux.org>
Relevant URL: http://www.devil-linux.org/download.htm
Platforms: Linux
Summary:
Devil-Linux is a special Linux distribution which is used for
firewalls/routers. The goal of Devil-Linux is to have a small, customizable, and
secure Linux system. Configuration is saved on a floppy disk, and it
has several optional packages.
4. GNU Anubis v3.9.94
By: Wojciech Polak
Relevant URL: http://www.gnu.org/software/anubis/
Platforms: Linux, POSIX
Summary:
GNU Anubis is an outgoing mail processor. It sits between the MUA (Mail
User Agent) and the MTA (Mail Transport Agent), and can perform various
sorts of processing and conversion on the fly in accordance with the
sender's specified rules, based on a highly configurable regular
expression system. It operates as a proxy server, and can edit outgoing
mail headers, encrypt or sign mail with GnuPG, build secure SMTP
tunnels using TLS/SSL encryption even if your mail user agent doesn't
support it, or tunnel a connection through a SOCKS proxy server.
5. DNSSEC Walker v3.4
By: Simon Josefsson
Relevant URL: http://josefsson.org/walker/
Platforms: Linux, UNIX
Summary:
DNSSEC Walker is a tool to recover DNS zonefiles using the DNS
protocol. The server does not have to support zonetransfer, but the zone must
contain DNSSEC "NXT" records.
6. Linux Intrusion Detection System (LIDS) v2.6.6
By: Xie Hua Gang, xhg@gem.ncic.ac.cn
Relevant URL: http://www.lids.org/download.html
Platforms: Linux
Summary:
The Linux Intrusion Detection System is a patch which enhances the
kernel's security. When it is in effect, access to chosen files, all
system/network administration operations, any capability use, and raw
device, mem, and I/O access can be made impossible even for root. You
can define which program can access which file. It uses and extends the
system capabilities bounding set to control the whole system and adds
some network and filesystem security features to the kernel to enhance
security. You can finely tune the security protections online, hide
sensitive processes, receive security alerts through the network, and
more.
VII. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored By: SecurityFocus
Want to keep up on the latest security vulnerabilities? Don't have time
to visit a myriad of mailing lists and websites to read the news? Just
add the new SecurityFocus RSS feeds to your freeware RSS reader, and see
all the latest posts for Bugtraq and the SF Vulnerability database in
one convenient place. Or, pull in the latest news, columnists and
feature articles in the SecurityFocus aggregated news feed, and stay on
top of what's happening in the community!
http://www.securityfocus.com/rss/index.shtml
------------------------------------------------------------------------