Date: 18 Jan 2005 23:08:01 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #219
SecurityFocus Linux Newsletter #219
------------------------------------
Need to know what's happening on YOUR network? Symantec DeepSight
Analyzer is a free service that gives you the ability to track and
manage attacks. Analyzer automatically correlates attacks from various
Firewall and network based Intrusion Detection Systems, giving you a
comprehensive view of your computer or general network. Sign up today!
http://www.securityfocus.com/sponsor/Symantec_sf-news_041130
------------------------------------------------------------------------
I. FRONT AND CENTER
1. A New Tool In The Spam War
2. The Perils of Deep Packet Inspection
3. Apache 2 with SSL/TLS: Step-by-Step, Part 1
II. LINUX VULNERABILITY SUMMARY
1. Debian Lintian Insecure Temporary File Vulnerability
2. Dillo Interface Message Format String Vulnerability
3. Linux IPRoute2 Netbug Script Insecure Temporary File Creatio...
4. MPG123 Layer 2 Frame Header Heap Overflow Vulnerability
5. Squid Proxy Malformed NTLM Type 3 Message Remote Denial of S...
6. HylaFAX Remote Access Control Bypass Vulnerability
7. BMV Insecure Temporary File Vulnerability
8. Linux Kernel Multiple Unspecified Vulnerabilities
9. GNU Mailman Multiple Unspecified Remote Vulnerabilities
10. Linux Kernel Symmetrical Multiprocessing Page Fault Local Pr...
11. Vim TCLTags and VimSpell.sh Scripts Insecure Temporary File ...
12. University of Minnesota Gopher Multiple Remote Vulnerabiliti...
13. Linux Kernel User Triggerable BUG() Unspecified Local Denial...
14. Midnight Commander Multiple Unspecified Vulnerabilities
15. MPM Guestbook Header Input Validation Vulnerability
16. Exim IP Address Command Line Argument Local Buffer Overflow ...
III. LINUX FOCUS LIST SUMMARY
1. NMAP : Different interpretation of "filtered" ports ... (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. CoreGuard Core Security System
2. EnCase Forensic Edition
3. KeyGhost SX
4. SafeKit
5. Astaro Linux Firewall
6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
1. Firestarter 1.0.0
2. Network Equipment Performance Monitor 2.2
3. BitDefender for qmail v1.5.5-2
4. Bilbo 0.11
5. Ipanto Secure 2.0
6. ROPE for IpTables 20041119
I. FRONT AND CENTER
-------------------
1. A New Tool In The Spam War
Arbitration is part of the next wave of security measures, and can be
effective against spammers who illegally harvest email addresses from a
honeypot on your website.
http://www.securityfocus.com/columnists/291
2. The Perils of Deep Packet Inspection
By Dr. Thomas Porter
This paper looks at the evolution of firewall technology towards Deep
Packet Inspection, and then discusses some of the security issues with
this evolving technology.
http://www.securityfocus.com/infocus/1817
3. Apache 2 with SSL/TLS: Step-by-Step, Part 1
By Artur Maj
This article begins a series of three articles dedicated to configuring
Apache 2.0 with SSL/TLS support, in order to ensure maximum security
and optimal performance of secure web communication. This part
introduces key aspects of SSL/TLS and then shows how to compile and
configure Apache 2.0 with support for these protocols.
http://www.securityfocus.com/infocus/1818
II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Debian Lintian Insecure Temporary File Vulnerability
BugTraq ID: 12202
Remote: No
Date Published: Jan 10 2005
Relevant URL: http://www.securityfocus.com/bid/12202
Summary:
The Debian lintian program creates temporary files in an insecure
manner. A local attacker could exploit this condition to launch symbolic
link attacks to cause arbitrary files to be deleted in the context of the
user running the program.
2. Dillo Interface Message Format String Vulnerability
BugTraq ID: 12203
Remote: Yes
Date Published: Jan 09 2005
Relevant URL: http://www.securityfocus.com/bid/12203
Summary:
Dillo Web browser is prone to a format string vulnerability. This
issue is exposed when the browser handles messages to the interface.
The vulnerability may be triggered when a user visits a malicious Web
page. If successfully exploited, this will result in execution of
arbitrary code in the context of the client user.
3. Linux IPRoute2 Netbug Script Insecure Temporary File Creatio...
BugTraq ID: 12208
Remote: No
Date Published: Jan 10 2005
Relevant URL: http://www.securityfocus.com/bid/12208
Summary:
iproute2 is distributed with a script named 'netbug'. The 'netbug'
script is reported prone to an unspecified insecure temporary file creation
vulnerability.
It is conjectured that the 'netbug' script creates a temporary file
using a predictable filename in a world read-writeable location. This
issue may be leveraged to corrupt arbitrary files with the privileges of a
user that invokes the vulnerable script.
4. MPG123 Layer 2 Frame Header Heap Overflow Vulnerability
BugTraq ID: 12218
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12218
Summary:
mpg123 is prone to a heap-based buffer overflow vulnerability related
to handling of layer 2 streams. This issue is exposed when the player
loads MP2/MP3 files with malformed header data.
This vulnerability could be exploited to execute arbitrary code in the
context of the user running the player.
5. Squid Proxy Malformed NTLM Type 3 Message Remote Denial of S...
BugTraq ID: 12220
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12220
Summary:
Squid is reported to be susceptible to a denial of service
vulnerability in its NTLM authentication module. This vulnerability presents
itself when an attacker sends a malformed NTLM type 3 message to Squid.
Failure of NTLM authentication would result in the Squid application
denying access to legitimate users of the proxy.
This vulnerability affects Squid 2.5.
6. HylaFAX Remote Access Control Bypass Vulnerability
BugTraq ID: 12227
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12227
Summary:
The HylaFAX daemon is reported prone to a vulnerability that could
allow unauthorized access to the HylaFAX service. It is reported that the
issue presents itself due to the methods used to match a given username
and hostname to an entry in the 'hosts.hfaxd' configuration file.
A remote attacker may exploit this vulnerability to gain unauthorized
access to the affected service.
7. BMV Insecure Temporary File Vulnerability
BugTraq ID: 12229
Remote: No
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12229
Summary:
BMV creates temporary files in an insecure manner. A local attacker
could take advantage of this issue to perform symbolic link attacks and
corrupt files in the context of the user running the application.
It is not known if this vulnerability could be exploited to gain
elevated privileges, though at the very least an attacker could cause
critical files to be overwritten, causing loss of data or a denial of service
condition.
8. Linux Kernel Multiple Unspecified Vulnerabilities
BugTraq ID: 12239
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12239
Summary:
It is reported that the Linux kernel version 2.6.9 is prone to multiple
unspecified vulnerabilities. The issues are reported to exist in coda,
xfs, network bridging, rose network protocol, and sdla wan drivers.
Details regarding the reported vulnerabilities are not currently
available. It is conjectured that the issues are both local and remote in
nature and result in a kernel panic when triggered. This is not confirmed.
This BID will be updated as soon as further details in regards to these
vulnerabilities become available.
9. GNU Mailman Multiple Unspecified Remote Vulnerabilities
BugTraq ID: 12243
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12243
Summary:
GNU Mailman is reported prone to multiple unspecified remote
vulnerabilities. The following individual issues are reported:
It is reported that GNU Mailman package for Ubuntu and Debian Linux is
affected by an information disclosure vulnerability.
Information that is harvested by exploiting this vulnerability may be
used to aid in further attacks that are launched against a target user,
or the computer that is hosting the vulnerable software.
A cross-site scripting vulnerability has been discovered in GNU
Mailman. The issue occurs due to insufficient sanitization of user-supplied
data.
It may be possible to exploit this issue in order to steal an
unsuspecting user's cookie-based authentication credentials, as well as other
sensitive information. Other attacks are also possible.
Finally, Mailman is reported prone to a weak auto-generated password
vulnerability. It is reported that, when a user subscribes to a mailing
list and a password is not specified, Mailman will auto-generate one.
The password generation algorithm will generate a weak low entropy
password. This password may potentially be brute forced by an attacker.
10. Linux Kernel Symmetrical Multiprocessing Page Fault Local Pr...
BugTraq ID: 12244
Remote: No
Date Published: Jan 12 2005
Relevant URL: http://www.securityfocus.com/bid/12244
Summary:
A local privilege escalation vulnerability affects the page fault
handler of the Linux Kernel on symmetric multiprocessor (SMP) computers.
This issue is due to a race condition error that may allow an attacker to
gain superuser privileges.
A malicious local attacker may exploit this issue to gain superuser
privileges on the affected computer.
11. Vim TCLTags and VimSpell.sh Scripts Insecure Temporary File ...
BugTraq ID: 12253
Remote: No
Date Published: Jan 13 2005
Relevant URL: http://www.securityfocus.com/bid/12253
Summary:
Multiple Vim scripts are reported prone to an insecure temporary file
creation vulnerability. It is reported that the Vim 'tcltags' and
'vimspell.sh' scripts create temporary files in an insecure manner.
An attacker that has local interactive access to a system may exploit
this issue to corrupt arbitrary files with the privileges of the user
that is invoking the vulnerable application.
12. University of Minnesota Gopher Multiple Remote Vulnerabiliti...
BugTraq ID: 12254
Remote: Yes
Date Published: Jan 13 2005
Relevant URL: http://www.securityfocus.com/bid/12254
Summary:
Multiple remote vulnerabilities affect Gopher. These issues are due to
a failure of the application to properly sanitize user-supplied data
and a failure to verify input sizes.
The first issue is an integer overflow, the second issue is a format
string vulnerability.
An attacker may leverage these issues to crash the affected daemon.
These issues may also be leveraged to execute arbitrary code with the
privileges of the gopherd process. This may facilitate unauthorized
access.
13. Linux Kernel User Triggerable BUG() Unspecified Local Denial...
BugTraq ID: 12261
Remote: No
Date Published: Jan 13 2005
Relevant URL: http://www.securityfocus.com/bid/12261
Summary:
Linux Kernel is reported prone to a local denial of service
vulnerability.
It is reported that this issue presents itself when a large Virtual
Memory Area (VMA) is created by a user that overlaps with arg pages during
the exec() system call.
Successful exploitation will lead to a denial of service condition in a
vulnerable computer.
No further details are available at this time. This issue will be
updated as more information becomes available.
14. Midnight Commander Multiple Unspecified Vulnerabilities
BugTraq ID: 12263
Remote: Unknown
Date Published: Jan 14 2005
Relevant URL: http://www.securityfocus.com/bid/12263
Summary:
It has been reported that Midnight Commander running on Debian
operating systems is prone to multiple, unspecified vulnerabilities. These
issues are due to various design and boundary condition errors.
These issues could be leveraged by an attacker to execute arbitrary
code on an affected system, which may facilitate unauthorized access. It
is also possible for an attacker to carry out symbolic link attacks
against an affected system, potentially facilitating a system wide denial
of service.
15. MPM Guestbook Header Input Validation Vulnerability
BugTraq ID: 12266
Remote: Yes
Date Published: Jan 14 2005
Relevant URL: http://www.securityfocus.com/bid/12266
Summary:
MPM Guestbook is reported prone to an input validation vulnerability
that may lead to remote command execution or arbitrary file content
disclosure. The issue is due to a lack of sufficient sanitization performed
on user-supplied 'header' URI parameter data.
An attacker may leverage this issue to execute arbitrary PHP code in
the context of the web server process or disclose the contents of web
server readable files.
It should be noted that although this vulnerability is reported to
affect MPM Guestbook version 1.05, other versions might also be affected.
16. Exim IP Address Command Line Argument Local Buffer Overflow ...
BugTraq ID: 12268
Remote: No
Date Published: Jan 14 2005
Relevant URL: http://www.securityfocus.com/bid/12268
Summary:
A local buffer overflow vulnerability triggered by an excessively long
command line argument affects Exim. This issue is due to a failure of
the application to validate the length of user-supplied data prior to
attempting to store it in process buffers.
An attacker may leverage this issue to execute arbitrary code with the
privileges of the affected mailer application. As the application is a
setuid application, it is possible that further privilege escalation
may occur.
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. NMAP : Different interpretation of "filtered" ports ... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/387004
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary:
CoreGuard System profile
The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates
all the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.
CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
  and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
  administration
* Ensure host & application integrity
* Block malicious code, including zero-day exploits
2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS,
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:
EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view all
relevant files, including "deleted" files, file slack and unallocated
space.
The integrated functionality of EnCase allows the examiner to perform
all functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.
3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000,
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:
KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity within
an accounting or specialist system. It is completely undetectable by
software scanners and provides you with one of the most powerful stealth
surveillance applications offered anywhere.
Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data stored
within the device.
4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any
application available 24 hours per day. With no extra hardware: just use your
existing servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to
do is add more standard servers into the cluster. With the load
balancing features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to
serve your users.
5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary:
Astaro Linux Firewall: All-in-one firewall, virus protection, content
filtering and spam protection internet security software package for
Linux.
Free download for home users.
6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris,
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary:
Low cost, easy to use Two Factor Authentication One Time Password token
using the Cellular. Does not use SMS or communication, manages multiple
OTP accounts - new technology. For any business that wants a safer
access to its Internet Services. More information at our site.
We also provide eAuthentication service for businesses that will not
buy an Authentication product but would prefer to pay a monthly charge
for authentication services from our CAT Server.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Firestarter 1.0.0
By: Tomas Junnonen
Relevant URL: http://www.fs-security.com/
Platforms: Linux
Summary:
Firestarter is a graphical firewall tool for Linux. The program aims to
combine ease of use with powerful features, serving both desktop users
and administrators.
2. Network Equipment Performance Monitor 2.2
By: Nova Software, Inc.
Relevant URL: http://www.nepm.net/
Platforms: AIX, FreeBSD, HP-UX, Linux, Solaris, Tru64 UNIX, UNIX,
Windows 2000, Windows NT, Windows XP
Summary:
NEPM is a very general, highly configurable, two part software system
that monitors any type of logged data from IP networked equipment and
reports it via E-mail and web pages. Current conditions and history from
systems based on Windows NT/2000 and UNIX can be tracked and reported.
Most major server, switch and router systems can be monitored, without
running agents on the target systems.
3. BitDefender for qmail v1.5.5-2
By: SOFTWIN <mmitu@bitdefender.com>
Relevant URL: http://www.bitdefender.com/bd/site/products.php?p_id=10
Platforms: Linux
Summary:
BitDefender for qmail is a powerful antivirus software for Linux mail
servers, which provides proactive protection of message traffic at the
email server level, eliminating the risk to the entire network that
could be caused by a negligent user. All messages, both sent and received,
are scanned in real time, avoiding the possible infections and
preventing anyone from sending an infected message. BitDefender claims 100%
detection rate for all viruses in the wild (ITW) through its powerful
scanning engines certified by the most prestigious testing labs (ICSA in
February 2003, Virus Bulletin 100% in June 2003 and CheckMark in August
2003).
4. Bilbo 0.11
By: Bart Somers
Relevant URL: http://doornenburg.homelinux.net/scripts/bilbo/
Platforms: FreeBSD, Linux
Summary:
Bilbo is an automated, multithreaded nmap-scanner and reporter, capable
of header fetching and matching the results against a database from
previous scans.
5. Ipanto Secure 2.0
By: Ipanto
Relevant URL: http://www.ipanto.com/secure
Platforms: HP-UX, Linux, Solaris, UNIX
Summary:
Ipanto Secure allows ISC based DHCP servers (UNIX, Linux) to send
signed dynamic DNS updates to a Microsoft DNS, using the GSS-TSIG protocol.
6. ROPE for IpTables 20041119
By: Chris Lowth
Relevant URL: http://www.lowth.com/rope
Platforms: Linux
Summary:
ROPE allows IpTables to block P2P and other complex protocols accurately.
It is a highly flexible iptables module that allows complex protocols
(such as are used by P2P software) to be identified. It is an in-kernel
scripting language designed for IP packet matching. A growing number of
sample configurations (scripts) are provided, including: blocking
Gnutella and Bittorrent clients, blocking large web downloads - etc. Plenty
more to come.
ROPE is part of the P2PWall