Linux Security Week July 10 - In this issue: Securing Sendmail, Understanding the Diffie-Hellman Key Exchange, PGP patch, BitchX DoS vulnerability, man vulnerability (makewhatis /tmp bug), multiple FreeBSD patches, OpenSSH UseLogin vulnerability, weekly security news, and much more.
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| July 10, 2000 Volume 1, Number 11 |
| |
| Editorial Team: Dave Wreski dave@linuxsecurity.com |
| Benjamin Thomas ben@linuxsecurity.com |
+---------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines and system
advisories.
This week, several vendors released patches for a denial of service
vulnerability in BitchX. It is caused by improper handling of incoming
invitation messages. Any user on IRC can send the client an invitation
message that causes BitchX to segfault. Patches were also released for
man. The problem exists because the makewhatis portion of the man package
uses files in /tmp in an insecure fashion. It was possible for local users
to exploit this vulnerability to modify files that they normally could
not.
If you're running FreeBSD, now is a good time to update your system.
Patches for majordomo, OpenSSH, libedit, popper, wu-ftpd, canna, XFree86,
and BitchX were released.
https://www.linuxsecurity.com/advisories/freebsd.html
In the news, the article "Securing Sendmail" provides helpful information
for users wishing to tighten sendmail's security. Sections include:
general security, tuning sendmail for security, file and directory modes,
restrictive file access, and other tips for the truly paranoid. Overall,
this is a well-written paper that can provide much benefit.
Our feature this week, "Security is Not a Luxury Anymore for Small
Business," by Andrew Kaufman of LinuxSolve.net discusses the short-sighted
thinking that is prevalent in many companies that do not put in place
effective security measures. He points out that many new companies often
regard security as a "Luxury," or 'something down the road, when time
permits.' Thinking in this manner is a harmful risk to any type of
organization.
https://www.linuxsecurity.com/feature_stories/feature_story-58.html
Our sponsor this week is WebTrends. Their Security Analyzer has the most
vulnerability tests available for Red Hat & VA Linux. It uses advanced
agent-based technology, enabling you to scan your Linux servers from your
Windows NT/2000 console and protect them against potential threats. Now
with over 1,000 tests available.
https://www.webtrends.com/redirect/linuxsecurity1.htm
HTML Version Available:
https://www.linuxsecurity.com/articles/forums_article-1081.html
---------------------
Advisories This Week:
---------------------
* Mandrake: BitchX update
July 8th, 2000
A denial of service vulnerability exists in BitchX. Improper handling of
incoming invitation messages can crash the client. Any user on IRC can
send the client an invitation message that causes BitchX to segfault.
https://www.linuxsecurity.com/advisories/mandrake_advisory-542.html
* Caldera: makewhatis vulnerability
July 7th, 2000
There is a problem in the way the makewhatis script, which is run
daily to rebuild the database used by the whatis(1) command, handles
temporary files. This can be exploited by local users to corrupt
arbitrary files on the system.
https://www.linuxsecurity.com/advisories/caldera_advisory-539.html
* Caldera: Denial of Service against irc-BX
July 7th, 2000
The IRC client irc-BX (otherwise known as B*tchX) will accept bogus
data from other IRC users that causes it to crash, and possibly even
to execute malicious code. An exploit has been published that will
result in a crash of the IRC client.
https://www.linuxsecurity.com/advisories/caldera_advisory-540.html
* Mandrake: man vulnerability
July 7th, 2000
Local users may gain a variety of privileges depending on the complexity
of the exploit. The mode of any file on the system can be changed to
0700. Any file on the system may be created or overwritten as root.
Local users may also be able to read any system file by forcing a copy of
it into the whatis database.
https://www.linuxsecurity.com/advisories/mandrake_advisory-537.html
* Mandrake: inn vulnerability
July 7th, 2000
A vulnerability exists when verifycancels is enabled in
/etc/news/inn.conf. This vulnerability could be used to gain root
access on any system with inn installed.
https://www.linuxsecurity.com/advisories/mandrake_advisory-538.html
* Conectiva: BitchX vulnerability
July 7th, 2000
The irc client BitchX can be taken down remotely by inviting the user
to a channel with format strings in its name. By receiving the
invitation, BitchX will crash immediately.
https://www.linuxsecurity.com/advisories/other_advisory-541.html
* FreeBSD: Majordomo vulnerability
July 6th, 2000
Unprivileged local users can run commands as the 'majordomo' user,
including accessing and modifying mailing-list subscription data.
https://www.linuxsecurity.com/advisories/freebsd_advisory-532.html
* FreeBSD: OpenSSH root vulnerability
July 6th, 2000
The sshd server is typically invoked as root so it can manage general
user logins. OpenSSH has a configuration option, not enabled by
default ("UseLogin") which specifies that user logins should be done
via the /usr/bin/login command instead of handled internally.
https://www.linuxsecurity.com/advisories/freebsd_advisory-533.html
* FreeBSD: libedit vulnerability
July 6th, 2000
An attacker can cause a user to execute arbitrary commands within a
program which is run from a directory to which the attacker has write
access, potentially leading to system compromise if run as a
privileged user (such as root).
https://www.linuxsecurity.com/advisories/freebsd_advisory-534.html
* FreeBSD: popper port contains remote vulnerability
July 6th, 2000
The popper port, version 2.53 and earlier, incorrectly parses string
formatting operators included in part of the email message header. A
remote attacker can send a malicious email message to a local user
which can cause arbitrary code to be executed on the server when a
POP client retrieves the message using the UIDL command.
https://www.linuxsecurity.com/advisories/freebsd_advisory-535.html
* FreeBSD: wu-ftpd port contains remote root compromise
July 6th, 2000
The wu-ftpd port, versions 2.6.0 and below, contains a vulnerability
which allows remote anonymous FTP users to execute arbitrary code as
root on the local machine, by inserting string-formatting operators
into command input, which are incorrectly parsed by the FTP server.
https://www.linuxsecurity.com/advisories/freebsd_advisory-528.html
* FreeBSD: Canna port remote vulnerability
July 6th, 2000
The Canna server contains an overflowable buffer which may be
exploited by a remote user to execute arbitrary code on the local
system as user 'bin'.
https://www.linuxsecurity.com/advisories/freebsd_advisory-529.html
* FreeBSD: XFree86-4.0 port contains local root overflow
July 6th, 2000
XFree86 4.0 contains a local root vulnerability in the XFree86 server
binary, due to incorrect bounds checking of command-line arguments.
https://www.linuxsecurity.com/advisories/freebsd_advisory-530.html
* FreeBSD: bitchx port contains client-side vulnerability
July 6th, 2000
The bitchx client incorrectly parses string-formatting operators
included as part of channel invitation messages sent by remote IRC
users. This can cause the local client to crash, and may possibly
present the ability to execute arbitrary code as the local user.
https://www.linuxsecurity.com/advisories/freebsd_advisory-531.html
* RedHat: BitchX denial of service vulnerability
July 6th, 2000
A denial of service vulnerability exists in BitchX. Improper
handling of incoming invitation messages can crash the client. Any
user on IRC can send the client an invitation message that causes
BitchX to segfault.
https://www.linuxsecurity.com/advisories/redhat_advisory-536.html
* RedHat: man 'makewhatis' vulnerability
July 4th, 2000
The makewhatis portion of the man package used files in /tmp in an
insecure fashion. It was possible for local users to exploit this
vulnerability to modify files that they normally could not and gain
elevated privilege.
https://www.linuxsecurity.com/advisories/redhat_advisory-525.html
* RedHat PowerTools: Multiple local imwheel vulnerabilities
July 4th, 2000
Multiple local vulnerabilities exist in imwheel. Read access
violations occur because there is no checking of the file itself; it
follows a symlink blindly. The Perl wrapper might allow other users on
the machine to kill the imwheel process.
https://www.linuxsecurity.com/advisories/redhat_advisory-524.html
-----------------------
Top Articles This Week:
-----------------------
Host Security News:
-------------------
* Securing Sendmail
July 6th, 2000
This two-part series on securing sendmail, based on the tutorial
given by Eric Allman and Greg Shapiro at the recent USENIX technical
conference in San Diego, begins by detailing the measures you can
take to secure any sendmail installation.
https://www.linuxsecurity.com/articles/network_security_article-1054.html
* Comment: Securing Web connections
July 6th, 2000
SSH is an encrypted connection to a remote host running an SSH
server. It gives you the ability to log on to a system with an
encrypted session so that everything -- your name and password as
well as your keystrokes -- is unreadable by any sniffer.
https://www.linuxsecurity.com/articles/network_security_article-1057.html
Network Security News:
----------------------
* CERT/CC Current Activity
July 7th, 2000
Just a note to remind everyone that CERT has updated their current
activity list. The wu-ftpd, bind NXT, and port scan reports are
increasing and should be taken seriously. Learn to recognize the
signatures of these attacks, and ensure you are protected.
https://www.linuxsecurity.com/articles/security_sources_article-1070.html
* KPMG releases white paper on cybercrime
July 5th, 2000
A new report on e-commerce and cybercrime provides tips for
governments to consider in order to prevent security breaches. The
white paper, "E-Commerce and Cyber Crime: New Strategies for Managing
the Risks of Exploitation," focuses on businesses, but the issues are
applicable to governments too.
https://www.linuxsecurity.com/articles/government_article-1040.html
* How to protect your network
July 5th, 2000
ParaProtect, a network security portal in Alexandria, Va., reports
that 90 percent of the security breaches its technicians work on are
based on attacks from within. Even more shocking is that upwards of
50 percent are caused by the company's own network administrators.
So what can you do to protect your network? Here's a list of tips
culled from industry analysts, security experts, corporate executives
and agents of the U.S. Secret Service.
https://www.linuxsecurity.com/articles/network_security_article-1050.html
Cryptography News:
-------------------
* Crypto Users Can't See FBI.gov
July 8th, 2000
Is the FBI blocking privacy-equipped browsers from its website? The
question goes unanswered a week after users of a commercial privacy
service found themselves unable to access the Federal Bureau of
Investigation's fbi.gov site.
https://www.linuxsecurity.com/articles/cryptography_article-1079.html
* GlobalNet Adds Philip Zimmermann, Authority on Encryption, to its
Board Of Directors
July 7th, 2000
GlobalNet, Inc. today announced it has added one of the nation's top
authorities on encryption to its board of directors. Philip R.
Zimmermann, senior fellow at Network Consultants and founder of PGP,
Inc., which produced Pretty Good Privacy, the most widely used email
encryption software in the world, has been elected to fill an open
position on GlobalNet's board of directors.
https://www.linuxsecurity.com/articles/general_article-1075.html
* Diffie-Hellman Key Exchange
July 6th, 2000
A colleague recently asked if I could help him understand the
Diffie-Hellman key exchange protocol... without digging through the
math. My answer was "Yes I can, but not easily." Doing so requires a
few diagrams because, in this particular case, a picture is worth at
least a thousand words!
https://www.linuxsecurity.com/articles/cryptography_article-1055.html
* PGP patch prevents remote server crash
July 4th, 2000
A recent report by the Underground Security Systems Research group
identifies a weakness in the PGP Certificate Server code that can
allow a malicious user to crash the authentication server. Network
Associates has released a patch that prevents this particular
vulnerability. With testing help from KeyLabs, BugNet was able to
validate this bug.
https://www.linuxsecurity.com/articles/cryptography_article-1032.html
Vendor/Product/Tools News:
---------------------------
* Security Agency Selects Secure Computing to Provide Enforcement
July 7th, 2000
Here's an older announcement from Secure Computing, but it serves as a
precursor to a shortly forthcoming interview with their senior
corporate members. "Secure Computing Corporation announced that it
has been awarded a sole source contract by the National Security
Agency (NSA) to develop a Secure Linux Operating System (OS)."
https://www.linuxsecurity.com/articles/vendors_products_article-1072.html
* Secure Computing Announces Availability of SafeWord on Linux
July 6th, 2000
Secure Computing Corporation, from the RSA Conference 2000, today
announced first customer availability of SafeWord, the leading
scalable authentication solution in the industry, on the Linux
operating system (OS). Traditionally, SafeWord running on the UNIX
platform has a history of being the highest performing, most robust
and scalable authentication solution available.
https://www.linuxsecurity.com/articles/vendors_products_article-1066.html
* Fingerprint scanning for smartcards
July 5th, 2000
The promise of combining fingerprint recognition with smartcards is
now a step closer to being fulfilled. Norman Data Defense Systems --
one of the companies working on smartcard data security systems with
Siemens and others -- announced it has succeeded in combining the two
security systems by putting fingerprint recognition directly onto a
smartcard.
https://www.linuxsecurity.com/articles/vendors_products_article-1041.html
* 3Com Introduces Layer 3 Wireless LAN Security Solution
July 5th, 2000
3Com Corporation announced a simple yet powerful solution for
securing data transmitted over a wireless local area network (LAN).
The company's wireless secure tunneling solution adds seamless Layer
3 tunneling, authentication and encryption to the 3Com AirConnect
11Mbps Wireless LAN to address the needs of commercial customers who
must deliver secure wireless connectivity to hundreds or thousands of
users.
https://www.linuxsecurity.com/articles/vendors_products_article-1051.html
* Medusa DS9 Security System
July 4th, 2000
An administrator can create his own security model, which can
complete or override the original UNIX model. I have told you the
principle is simple; however, the actual implementation is a bit
complicated. If you are interested in how, see Resources.
https://www.linuxsecurity.com/articles/vendors_products_article-1030.html
* Security Threats from the Gadgets
July 3rd, 2000
Personal Digital Assistants, such as PalmPilots and Pocket PCs, pose
a security threat for a number of reasons: they are relatively new;
their small size and low cost make them easy to obtain and difficult
to control; they have tremendous connectivity and storage
capabilities; and most of all, they are extremely popular.
https://www.linuxsecurity.com/articles/network_security_article-1024.html
General News:
--------------
* U.S./Europe privacy deal sent back for more talks
July 7th, 2000
A month after the 15 member nations of the European Union approved a
proposed set of data-privacy rules for U.S. companies that do
business in those countries, the European Parliament yesterday voted
to send the so-called safe harbor agreement back to the negotiating
table.
https://www.linuxsecurity.com/articles/privacy_article-1069.html
* Deloitte Publishes E-Commerce Security Report
July 7th, 2000
Deloitte Touche Tohmatsu (DTT) and the Information Systems Audit and
Control Foundation (ISACF) have published a report entitled
"E-commerce Security Enterprise Best Practices." The report is the
result of a worldwide survey of professionals in 46 locations,
including Hong Kong, over a period of six months.
https://www.linuxsecurity.com/articles/host_security_article-1077.html
* Digital Signatures May Quicken Pace of E-Business
July 6th, 2000
The law that President Clinton signed last week allowing businesses
and consumers to seal a wide variety of legally binding arrangements
with electronic rather than handwritten signatures raised the speed
limit on e-business development, analysts say.
https://www.linuxsecurity.com/articles/cryptography_article-1060.html
* P3P: A green light for privacy on the Web?
July 6th, 2000
Starting next year, Web sites that violate user privacy are going to
find themselves under an embarrassing cyberspotlight. The sites will
be targeted by a new technology known as the Platform for Privacy
Preferences Project, or P3P. Developed by several companies and
privacy advocates in conjunction with the standards-setting World
Wide Web Consortium (W3C), the technology will alert surfers whenever
they encounter Web sites that seek to collect more data than the user
wants to share.
https://www.linuxsecurity.com/articles/privacy_article-1056.html
* Is Free Software Insecure?
July 4th, 2000
Hari writes, "A quite interesting question addressed 'which gives
better security as a generic model of software development, open
source or closed source software?' It goes on to list out some
notable myths on the same and comes to a conclusion that there's
really no reasonable way of implementing security except by peer
review and public scrutiny."
https://www.linuxsecurity.com/articles/general_article-1034.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
------------------------------------------------------------------------