Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this week's column, we look at problems in OpenSSH, HACMP, CheckPoint Firewall, Apache on Mac OS X, Websphere, Red Hat's
setserial, PGP Keyserver, and
Versions 2.5.x through 2.9.x (prior to 2.9.9) of OpenSSH have a bug that can be exploited by an attacker to connect from a host even if OpenSSH has been configured not to allow connections from that host. This affects systems that use the
from= key file option and have both RSA and DSA keys in a user's
Also, under some circumstances, an attacker can use the
sftp component of OpenSSH to avoid access controls on a user account and gain unauthorized access and privileges. (
sftp provides an interface to OpenSSH users similar to that of a FTP server.) OpenSSH allows the administrator to place many restrictions on a user, including which commands they can run, where they can connect from, and so forth. These restrictions are not all applied to the
sftp server that is enabled by default in OpenSSH.
Users should upgrade to OpenSSH version 2.9.9 as soon as possible to fix the host connection bug, and they should disable
sftp if they are affected and it is not needed. If
sftp is needed and they are affected by this problem, then users should upgrade to the current CVS version or watch for a new release.
Mandrake has released a new OpenSSH package to repair a problem that was introduced in their last update that caused OpenSSH to not work with earlier versions of OpenSSH and SSH. It is not clear what other bugs are repaired in this new package.
It has been reported that IBM's HACMP 4.4 clustering software may be crashed by a port scan.
Several reports have stated that upgrading to Maintenance Level 7 on AIX 4.3.3 will fix this problem. Affected users should contact IBM for more information.
CheckPoint Firewall has a vulnerability that can be used by a remote attacker as part of a denial-of-service attack and used by a local attacker to overwrite any file on the system. The vulnerability is caused by the Log Viewer application, allowing a user to save the log file to any location on the system as the root user. This vulnerability has been reported to affect versions 3.0b, 4.0, and 4.1 SP2.
It has been reported that this problem has been corrected in CheckPoint Firewall version 4.1 SP4.
If Apache is used to serve files that are stored on Mac OS X's HFS+ file system, remote users can learn the names of all files in a directory, regardless of restrictions configured in Apache, and may be able to retrieve some of the content of some files even if the files are not readable by the Web server.
The Mac OS X Finder creates a file in each directory named
.DS_Store. This world-readable file contains a list of all files in the directory and some additional binary data.
There may also be a file named
.FBCIndex in each directory that may contain data from files that are not normally readable by the Web server.
Two suggestions to work around these problems are to only use UFS file systems to store Web pages, or to configure Apache to not serve any file that has a name that begins with a dot (hidden files). It is reported that the following will work to block hidden files:
<Files ~ "^\.[^.]"> Order allow,deny Deny from all </Files>
Websphere has a feature that can be used to generate session IDs that can be used to track, identify, and authenticate users once they have logged in. This feature has a flaw that causes the session IDs to be predictable. This can be used by an attacker to easily find a working session ID and gain unauthorized access to the application. This flaw affects Websphere Application Server versions 3.02, 3.5.1, 3.5.2, and 3.5.3.
It is recommended that affected users install the appropriate patch as soon as possible. These patches will have Websphere generate random session IDs, using an algorithm based on JCE. IBM has recommended that users not rely on the session ID alone to secure the session.
setserial initscrips supplied with Red Hat Linux are vulnerable to a temporary file race condition that may be usable by an attacker to overwrite arbitrary files with the permissions of the root user. The
setserial package is not installed by default. Users can test their vulnerability to this problem by issuing the following two commands:
/sbin/modprobe -l | grep '/serial\.o'
If both of the commands have output, the system is vulnerable.
Red Hat recommends that users not use the initscript that came with the
setserial package. If the system requires adjustments of its serial port settings, Red Hat recommends that a kernel be used that has the serial drivers compiled in. Users should watch Red Hat for a long term solution.
PGP Keyserver has a misconfiguration that may allow a remote attacker to gain unauthorized access to the administrative Web interface.
Users should contact Network Associates for a solution to this problem.
The fax package
hylafax is vulnerable to several format-string attacks that can be used to execute arbitrary code. On FreeBSD systems,
hylafax is installed set user id uucp. This vulnerability can be used by an attacker to execute code as the uucp user, and may be leveraged to gain root privileges. It has been reported that on Debian and Mandrake systems,
hylafax is not installed with a set user id bit and, while vulnerable to the format string attack, it can not be used to gain additional privileges.
It is suggested that users of
hylafax remove any set user id bits until the software has been patched or updated.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.