+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  July 24, 2000                            Volume 1, Number 13       |
|                                                                     |
|  Editorial Team:  Dave Wreski            dave@linuxsecurity.com     |
|                   Benjamin Thomas        ben@linuxsecurity.com      |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines and system advisories.

This week, advisories for the nfs-utils vulnerability were released. Although there are currently no known exploits for this bug, in theory it can be used for gaining root access remotely. Advisories for nkitb, LISTSERV, wu-ftpd, gpm, and dhcp were also released.

In the news, a paper titled "Deploying Portsentry" provides a step-by-step guide to setting up the popular port-scan detection package, Portsentry. The paper explains how to configure the portsentry.conf file, advanced stealth options, advanced_exclude response options, and how to configure external commands (retaliation scripts). If you have not installed Portsentry, you may want to consider obtaining it.
http://www.psionic.com/abacus/portsentry/

Our feature this week, "Advanced Access Control with the Trustees Project," by Dave Wreski, is an interview with Slava Zavadsky regarding the work his organization has done. The Linux Trustees Project is an effort to create improved access control and advanced file permission management similar to that of other operating systems.
http://www.linuxsecurity.com/feature_stories/feature_story-60.html

Our sponsor this week is WebTrends. Their Security Analyzer has the most vulnerability tests available for Red Hat & VA Linux. It uses advanced agent-based technology, enabling you to scan your Linux servers from your Windows NT/2000 console and protect them against potential threats. Now with over 1,000 tests available.
http://www.webtrends.com/redirect/linuxsecurity1.htm

HTML Version Available: http://www.linuxsecurity.com/newsletter.html

---------------------
Advisories This Week:
---------------------

* Mandrake: dhcp vulnerability
  July 22nd, 2000

  All versions of the ISC DHCP client program, dhclient, are vulnerable to a root attack by a corrupt DHCP server. This version fixes the vulnerability. Versions of Linux Mandrake prior to 7.0, while including the ISC DHCP server, do not include the DHCP client and are therefore not subject to this vulnerability.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-573.html

* RedHat: Updated PAM packages are available
  July 22nd, 2000

  Workstations running a display manager may potentially allow remote users to access console devices.
  http://www.linuxsecurity.com/advisories/redhat_advisory-574.html

* RedHat: UPDATE: nfs-utils vulnerability
  July 21st, 2000

  The rpc.statd daemon shipped in Red Hat Linux 6.0, 6.1, and 6.2 contains a flaw that could lead to a remote root break-in. Version 0.1.9.1 of the nfs-utils package corrects the problem. Although there is no known exploit for the flaw in rpc.statd, Red Hat urges all users running rpc.statd to upgrade to the new nfs-utils package.
  http://www.linuxsecurity.com/advisories/redhat_advisory-572.html

* Caldera: DoS in gpm
  July 20th, 2000

  There are security problems within gpm (General Purpose Mouse support daemon) which allow removal of system files and also exhibit a local denial of service attack.
  http://www.linuxsecurity.com/advisories/caldera_advisory-571.html

* Caldera: rpc.statd information
  July 19th, 2000

  Recently, a vulnerability was discovered in the rpc.statd server, which can be used to obtain root privilege remotely. rpc.statd should not be confused with rpc.rstatd. The former implements the Network Status Monitor protocol, which is used by the NFS locking functionality. The latter allows remote clients to query a host's statistics (such as load average, etc.).
  http://www.linuxsecurity.com/advisories/caldera_advisory-569.html

* Mandrake: nfs-utils vulnerability
  July 19th, 2000

  A bug recently discovered in the nfs-utils package can theoretically be used for gaining remote root access. While there are currently no known exploits for this bug, we recommend upgrading to the latest version, which fixes the bug.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-568.html

* TurboLinux: wu-ftpd-2.6.0 and earlier
  July 19th, 2000

  A buffer overrun exists in wu-ftpd versions prior to 2.6.1. Due to improper bounds checking, SITE EXEC may enable remote root execution, without any local user account being required.
  http://www.linuxsecurity.com/advisories/turbolinux_advisory-570.html

* Trustix: nfs-utils vulnerability
  July 18th, 2000

  A bug recently discovered in the nfs-utils package can theoretically be used for gaining remote root. While there are currently no known exploits for this hole "in the wild", we suggest that all users of Trustix Secure Linux 1.0x and 1.1 upgrade.
  http://www.linuxsecurity.com/advisories/other_advisory-566.html

* Mandrake: usermode vulnerability
  July 18th, 2000

  A bug existed in the usermode package that permitted users to reboot or halt the system without having root access. This update removes those files associated with allowing users access to reboot, shutdown, halt, or poweroff the system.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-567.html

* LISTSERV web archive remote overflow
  July 18th, 2000

  The L-Soft LISTSERV web archive (wa, wa.exe) component contains an unchecked buffer allowing remote execution of arbitrary code with the privileges of the LISTSERV daemon.
  http://www.linuxsecurity.com/advisories/other_advisory-565.html

* Stalker CommuniGate Pro vulnerability
  July 18th, 2000

  CommuniGate provides a useful mapping to access the Web User Guide, which maps the URL /Guide/ to a directory in the CommuniGate subtree. The built-in web server suffers from the well-known "../.." web server problem. If we request a document from the administrative web server's /Guide/ mapping using the "../.." technique, we get to see the file contents.
  http://www.linuxsecurity.com/advisories/other_advisory-564.html

* RedHat: Updated package for nfs-utils available
  July 17th, 2000

  The rpc.statd daemon in the nfs-utils package shipped in Red Hat Linux 6.0, 6.1, and 6.2 contains a flaw that could lead to a remote root break-in.
  http://www.linuxsecurity.com/advisories/redhat_advisory-562.html

* SuSE: nkitb vulnerability
  July 17th, 2000

  It may be possible for an attacker to modify his/her DNS record to execute arbitrary machine code as root while connecting to the standard ftp daemon.
  http://www.linuxsecurity.com/advisories/suse_advisory-561.html

* Conectiva: nfs-utils vulnerability
  July 17th, 2000

  There is a problem in the nfs-utils package that could lead to a remote root exploit.
  http://www.linuxsecurity.com/advisories/other_advisory-563.html

-----------------------
Top Articles This Week:
-----------------------

Host Security News:
-------------------

* Deploying Portsentry
  July 21st, 2000

  And then it dawned on me that by simply scanning subnets your average script kiddie didn't need to know what my site was all about at all. He or she could just scan en masse for open ports and an easy way in and then plant a root kit for laughs or turn my machine into a spam forwarding station. I got a copy of SATAN and ran it against my own site. I was astonished. Every port, that could be, was open and identifiable to anyone on the internet.
  http://www.linuxsecurity.com/articles/host_security_article-1181.html

* Tech View: How 'buffer overflow' attacks work
  July 20th, 2000

  A "buffer overflow" attack deliberately enters more data than a program was written to handle. The extra data, "overflowing" the region of memory set aside to accept it, overwrites another region of memory that was meant to hold some of the program's instructions. The values thus introduced become new instructions that give the attacker control of the target computer.
  http://www.linuxsecurity.com/articles/server_security_article-1175.html

* Maximizing Apache Server Security
  July 19th, 2000

  An extensive article on Apache security. However, does "free" come at a price when it comes to security? It doesn't have to. The diligent network manager will quickly recognize the advantages of choosing a platform that is field-tested on more than six million Web servers and runs on 17 operating systems.
  http://www.linuxsecurity.com/articles/server_security_article-1167.html

Network Security News:
----------------------

* Why Do I Have to Tighten Security on My System?
  July 20th, 2000

  Again and again, when considering system security, people tell me, "I already patch my system." I try to explain to them, as I will here, why they're still vulnerable, even if they patch and read BugTraq regularly.
  http://www.linuxsecurity.com/articles/host_security_article-1168.html

* Security guru: Napster a security risk
  July 20th, 2000

  Corporate networks that allow Napster downloads are sitting ducks for hackers, says one network security expert. "We call it risky Internet behavior," says Chris Rouland, director of research at Atlanta-based Internet Security Systems Inc., a leading computer security firm.
  http://www.linuxsecurity.com/articles/host_security_article-1174.html

* Secure Directory Services for E-Business, Part 3
  July 19th, 2000

  The threats to a directory are many, and if appropriate safeguards are not maintained, a company may not even know when a directory has been compromised. The primary threats include theft, destruction and alteration of information (including user privileges).
  http://www.linuxsecurity.com/articles/network_security_article-1166.html

* IPSec - We've Got a Ways to Go
  July 19th, 2000

  IPSec, supposedly the next great thing that will fix most (if not all) of our network security problems. No longer will attackers be able to sniff network traffic, hijack connections or spoof servers. Hijacking domain names will be impossible with DNSSEC, and redirecting people to fake Websites will be a thing of the past. Or will it? There are currently a lot of problems and shortcomings with IPSec that prevent the majority of network traffic from being encrypted.
  http://www.linuxsecurity.com/articles/network_security_article-1160.html

* RootPrompt: My experience with being cracked
  July 19th, 2000

  I emailed my findings to the systems admin and the owner of the ISP, including the backdoor password and how to use it, with the suggestion that they should backup everything, wipe the machine, and load a current version of Red Hat (6.0 at the time) with the latest patches. They replied that they would look into it.
  http://www.linuxsecurity.com/articles/host_security_article-1163.html

* ADSL fundamentally insecure - BT
  July 18th, 2000

  The head of broadband services at BT has acknowledged that its implementation of ADSL lacks security and it will be up to third parties to ensure customers' data is unhackable. Chris Gibbs, who is masterminding the introduction of ADSL in the UK for BT, said that the use of a fixed IP address in the implementation it expects to roll out early next year meant that unless steps were taken by its third-party resellers, data on users' PCs could be accessed by hackers.
  http://www.linuxsecurity.com/articles/network_security_article-1151.html

Cryptography News:
------------------

* Encryption export policies updated
  July 17th, 2000

  The United States on Monday announced an update to its encryption export policy affecting companies that sell encryption software to users in the 15 European Union nations and in eight other countries that are U.S. allies.
  http://www.linuxsecurity.com/articles/cryptography_article-1150.html

* Administration Announces New Encryption Regulations
  July 17th, 2000

  The Clinton administration today said it plans to change laws governing the export of powerful encryption technologies to allow export of all information-scrambling products to any end user in the European Union and to eight other trading partners.
  http://www.linuxsecurity.com/articles/government_article-1143.html

Vendor/Product/Tools News:
--------------------------

* Check Point surpasses results, sees gains
  July 21st, 2000

  Surging demand for secure Internet connections helped online security company Check Point Software Technologies Ltd. (CHKP.O) more than double its earnings in the latest quarter, beating forecasts, the company said on Wednesday.
  http://www.linuxsecurity.com/articles/vendors_products_article-1177.html

* Biometrics Meet Wireless Internet
  July 19th, 2000

  Identix Inc. - a Motorola Inc.-funded maker of fingerprint identification devices - last week launched a division that will offer biometric authentication services to wireless and Internet service providers. The technology will allow customers of wireless services and products to authenticate their identities when conducting electronic transactions, according to Identix.
  http://www.linuxsecurity.com/articles/vendors_products_article-1162.html

* Signing Up to Be Surveilled
  July 18th, 2000

  One company is making it easier for folks to "track" anyone, by allowing them to pull up a map of the person's location on a personal digital assistant (PDA) or computer. Fleet Tracking lets businesses such as taxi companies and delivery services keep tabs on their employees. L411, a consumer-oriented directory assistance, allows subscribers to call switchboard operators who can view a map and identify where a call is being made from.
  http://www.linuxsecurity.com/articles/privacy_article-1152.html

General News:
-------------

* Banning secret workplace snooping
  July 21st, 2000

  A group of bipartisan lawmakers introduced a bill today that would ban companies from secretly monitoring employees' electronic communications. The bill wouldn't prohibit companies from snooping, but would require them to disclose their monitoring practices to employees when they are hired and to update them on an annual basis.
  http://www.linuxsecurity.com/articles/privacy_article-1182.html

* Fighting a losing battle on the front lines of security
  July 20th, 2000

  You sacrifice convenience for security and security for convenience. For which goal was your computer network built? In the realm of human endeavor, there is usually a simple logic applied to the process of building things. This logic is seen in the way houses, computers, and even cans of mandarin oranges are built.
  http://www.linuxsecurity.com/articles/general_article-1173.html

* .comment: Service Security -- Where Is It?
  July 19th, 2000

  I have a bone to pick with most, maybe all, Linux distributors: Why in the world do they ship such security nightmares? To their credit, many stay on top of security issues, sending urgent messages to registered users and mailing list subscribers when a potential security exploit is found in a particular package, along with workarounds, updated packages, or both.
  http://www.linuxsecurity.com/articles/general_article-1165.html

* ACLU Requests Source to 'Carnivore'
  July 19th, 2000

  In what may be the first request of its kind, the American Civil Liberties Union is asking the Federal Bureau of Investigation to disclose the computer source code and other technical details about its new Internet wiretapping programs (Carnivore).
  http://www.linuxsecurity.com/articles/privacy_article-1164.html

* How to be stupid by mutual agreement
  July 18th, 2000

  A reader was somewhat surprised by his ISP's apparent disregard for security when he received an email requesting his username and password. The request came as part of an update email from themutual.net, telling him what news features had been added, what its "partners" could offer them and why themutual.net was the only ISP he should even consider. Fair enough.
  http://www.linuxsecurity.com/articles/privacy_article-1155.html

* EarthLink claims Carnivore can cause technical problems
  July 17th, 2000

  Saying it could cause technical problems and bring part of its system down, EarthLink Inc., one of the country's largest Internet service providers (ISPs), has reportedly refused to install a new FBI electronic surveillance device on its network.
  http://www.linuxsecurity.com/articles/privacy_article-1138.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
LinuxSecurity.com

To unsubscribe, email newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------