Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

Linux Kernel Bug

07/30/2001

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a bug in Linux kernels newer than 2.4.3; a buffer overflow in Solaris' dtmail; vulnerabilities in CylantSecure, PHPLib, top, Apache, tar, Firewall-1, Arkeia backup software, and IRIX's netprint; and talk about the configuration of Cayman DSL routers.

Linux Kernel Bug

Versions of the Linux kernel prior to 2.4.7-pre7 have a bug that under some circumstances can be used by an attacker to load arbitrary kernel modules. Linux kernels from 2.4.3 onward have an empty default umask, and when one of these kernels boots without an existing modules.dep file, the kernel creates one with world-writable permissions. Under these circumstances, any local user may add modules to modules.dep, and insmod will then load them into the kernel.

Users should verify that the modules.dep file on their system exists and is not world-writable.
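
One way to run that check across every installed kernel is sketched below. It is an added example, not code from the column or from any kernel or modutils project, and it assumes the conventional location /lib/modules/<version>/modules.dep, which the column does not name.

```python
import os
import stat

def check_modules_dep(path):
    """Return a list of problems with one modules.dep file (empty list = OK)."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted in its place
    except FileNotFoundError:
        # The precondition described above: with no existing file, an affected
        # kernel creates a world-writable one at boot.
        return ["missing: would be created world-writable at boot on an affected kernel"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems

def audit_modules_tree(root="/lib/modules"):
    """Check modules.dep in every kernel version directory under root.

    The default root is an assumption (the conventional module directory).
    """
    report = {}
    if not os.path.isdir(root):
        return report
    for version in sorted(os.listdir(root)):
        version_dir = os.path.join(root, version)
        if os.path.isdir(version_dir):
            dep_path = os.path.join(version_dir, "modules.dep")
            report[version] = check_modules_dep(dep_path)
    return report

if __name__ == "__main__":
    for version, problems in audit_modules_tree().items():
        print(version, "OK" if not problems else "; ".join(problems))
```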

CylantSecure

CylantSecure, a Linux kernel patch that is designed to kill applications that deviate from the norm, can be bypassed by an attacker by exploiting a race condition using a kernel module. An exploit for this problem has been released to the public.

Users should watch for an update to CylantSecure.

PHPLib

PHPLib version 7.2d has been released by the PHPLib Team. This release fixes a vulnerability in prepend.php3 that can be used by an attacker to execute arbitrary PHP code, with the permissions of the user running the Web server.

The PHPLib Team recommends that users replace any earlier versions of PHPLib with the new version, and cautions users that some applications have been distributed that include a version of PHPLib which should be replaced.

top

Some versions of top, a system-load and process-monitoring utility, have a vulnerability that can be exploited to gain additional privileges on systems that have top installed with set user or group permissions.

It has been reported that this problem was fixed nine months ago under FreeBSD and may have been fixed under other operating systems. Users should check the permissions on top and remove any set user id and set group id bits until they have updated top to a recent version.

Apache

Apache versions 1.3.19 and earlier have been reported to be vulnerable to a bug that can allow a remote attacker to list any directory and view any file in the Web pages tree, regardless of any index files or password protections.

It is recommended that users upgrade to Apache version 1.3.19 or newer as soon as possible.

Solaris dtmail

The Solaris dtmail application is a graphical mail client that is included with the Solaris CDE packages. dtmail has a buffer overflow in the code that handles environment variables that can be exploited by an attacker to gain mail group permissions. It has been reported that the dtmail distributed with Solaris 8 is not affected by this vulnerability.

Affected users should contact Sun for patches to repair this vulnerability, and should remove the set group id bit from dtmail until it has been patched.

tar

Versions of the tar archive utility below 1.13.19 have no protection against files in unexpected locations being overwritten or created by an attacker using carefully-crafted filenames in a tar archive. Two examples of this type of attack are: file names that have ".." embedded in them, and filenames that use an absolute path.

Users should look carefully at the contents of archives from untrusted sources before unpacking them with the tar command. In some situations it is not enough to list the contents of the tar file, as the ".." can be hidden by using embedded backspace characters. Users should upgrade to version 1.13.19 of tar as soon as it is released.
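
The inspection described above can be done on the raw member names rather than on a terminal listing, so that backspaces cannot hide anything. The following is an added example, not part of the original column or of tar itself; the archive and its member names are constructed in memory for the demonstration, and nothing is extracted.

```python
import io
import tarfile

# Constructed member names for the demonstration; none of these files exist.
SAMPLE_NAMES = [
    "project/README",
    "project/../../outside.txt",   # ".." components climb out of the target
    "/tmp/absolute.txt",           # absolute path
    "../\b\b\bnotes.txt",          # backspaces overprint "../" in a terminal listing
    "project/a..b/data",           # ".." inside a longer component is harmless
]

def unsafe_reasons(name):
    """Return why a member name is unsafe to extract (empty list = acceptable)."""
    reasons = []
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        reasons.append("control character")
    if name.startswith("/"):
        reasons.append("absolute path")
    if ".." in name.split("/"):
        reasons.append("parent-directory component")
    return reasons

def audit_tar(fileobj):
    """Read member headers only (nothing is extracted); map name -> reasons."""
    findings = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
        for member in archive:
            reasons = unsafe_reasons(member.name)
            if reasons:
                findings[member.name] = reasons
    return findings

def build_sample():
    """Build the constructed sample archive in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name in SAMPLE_NAMES:
            info = tarfile.TarInfo(name)
            info.size = 1
            archive.addfile(info, io.BytesIO(b"x"))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, reasons in audit_tar(build_sample()).items():
        # repr() prints control characters as escapes instead of sending them to the terminal
        print(repr(name), "->", ", ".join(reasons))
```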

Firewall-1

Under some circumstances, an unauthenticated user can download a file containing a topology of the network behind the Firewall-1 firewall that includes IP addresses, netmasks, and descriptions. Only Firewall-1 systems that are using SecureRemote are vulnerable to this problem. It has been reported that Firewall-1 version 4.1SP1 will not respond to an unauthenticated request, by default.

Users who are using SecureRemote should turn off unauthenticated topology downloads and distribute them manually, or should implement a shared secret system so that users of SecureRemote can authenticate and download the topology file. It is recommended that users of SecureRemote search the Checkpoint knowledge base for "unauthenticated topology downloads."

Arkeia Backup Software

Arkeia backup software, under some circumstances, writes its database files using world-readable permissions. This can allow a local user to gather information about the directory trees that Arkeia is backing up, regardless of the permissions on the directory tree itself.

Users of Arkeia backup software should modify the directory permissions of /usr/knox and /usr/knox/arkeia so that only authorized users have directory read and execute permissions. It is also recommended that users watch Arkeia for a patch for this problem.

IRIX netprint

The netprint utility installed on all SGI IRIX systems has a vulnerability that can be used by a local attacker to gain root privileges. SGI has reported that IRIX 6.5.13 is not vulnerable.

SGI recommends that users apply a patch for this problem. Patches are available for IRIX 6.5.12m and 6.5.12f. Users of earlier versions of IRIX should remove the set user id and set group id bits from netprint.

Cayman DSL Router

It is reported that Cayman DSL routers are in use that were installed with the default setup, which has no administrative or user passwords and runs a Web server that can be used to access administrative commands.

Users of Cayman DSL routers or any similar device should check the configuration of the device to ensure that it is configured in as secure a manner as is possible.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.