Linux DevCenter    
 Published on Linux DevCenter

Security Alerts

A New Version of OpenSSH


Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at the release of OpenSSH 3.0.1; buffer overflows in the HP-UX line printer daemon, Berkeley's pmake, SuSE's ziptool, the CDE Subprocess Control Service daemon, and the PPP utilities in Open UNIX and UnixWare; a minor information leakage problem in OpenSSH's S/Key support; and problems in Red Hat's Stronghold, SuSE's susehelp, and the Cyrus SASL library.

OpenSSH 3.0.1

OpenSSH 3.0.1, the latest release, supports SSH protocol versions 1.3, 1.5, and 2.0 and includes an sftp client and server. It fixes a variety of bugs, including a vulnerability that could allow an unauthorized user to authenticate on systems with KerberosV enabled, a potential denial-of-service vulnerability, and others.

Users of OpenSSH are encouraged to upgrade.

Line Printer Daemon

The line printer daemon rlpdaemon distributed with HP-UX has a buffer overflow that a remote attacker can exploit to gain root on the server. HP-UX versions 10.01, 10.10, 10.20, 11.00, and 11.11 are reported to be vulnerable, and HP-UX ships with the line printer daemon enabled by default.

Affected users should apply the appropriate HP patch and should consider restricting access to the daemon (TCP port 515) with a firewall. Administrators of systems that do not print through the line printer daemon should consider disabling or removing it.

Berkeley pmake

Berkeley's pmake, a version of make that runs build jobs in parallel, has a buffer overflow and a format string bug. On systems where pmake is installed set-user-id root, a local user can exploit either to execute arbitrary code as root. Versions 2.1.33 and earlier are reported to be vulnerable.

Users should watch for an updated version of pmake and should remove the set-user-id bit until a fixed version is installed.

SuSE ziptool

The ziptool application shipped with SuSE Linux has a buffer overflow that, under some circumstances, a local attacker can use to execute arbitrary code as root. For the attack to work, a Zip drive must be configured and a Zip disk must be inserted.

SuSE has updated the ziptool package and recommends that affected users upgrade as soon as possible.

CDE Subprocess Control Service Server

It has been reported that the CDE Subprocess Control Service daemon, dtspcd, has a buffer overflow that affects all Unix systems running the Common Desktop Environment (CDE). The overflow can be exploited remotely to execute arbitrary commands as root. dtspcd is started by inetd by default in all CDE installations, runs as root, and by default accepts remote connections (on TCP port 6112).

Users should contact their vendor for an updated dtspcd. Until a fix is installed, consider limiting access to dtspcd with a firewall or with a tool such as tcpwrappers.
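One way to put dtspcd behind tcpwrappers, as an added example (this is not from any vendor advisory). It assumes a Solaris-style inetd.conf entry and the usual tcpd and dtspcd paths; check the paths in your vendor's files, and replace the constructed management subnet with your own.

```text
# /etc/inetd.conf
#
# Before: inetd hands the connection straight to dtspcd, so anyone who can
# reach TCP port 6112 talks to a root daemon.
dtspc   stream  tcp  nowait  root  /usr/dt/bin/dtspcd  /usr/dt/bin/dtspcd
#
# After: route the connection through tcpd so hosts.allow/hosts.deny are
# consulted before dtspcd ever sees the request.
dtspc   stream  tcp  nowait  root  /usr/sbin/tcpd      /usr/dt/bin/dtspcd

# /etc/hosts.allow -- the daemon name is the basename of the server path,
# here "dtspcd".  Local host plus one constructed management subnet.
dtspcd: 127.0.0.1 10.0.5.0/255.255.255.0

# /etc/hosts.deny -- everything else is refused (and logged by tcpd).
dtspcd: ALL
```

Send inetd a HUP after editing inetd.conf. This only narrows who can reach the vulnerable code; a host on the allowed subnet can still exploit it, so the wrapper is a stopgap until the vendor patch is applied.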

OpenSSH and S/Key Information Leakage

It has been reported that there are several minor problems with OpenSSH's handling of the S/Key and OPIE one-time password systems that let an attacker gather information about a system as groundwork for an attack. The one-time password systems send a challenge string that contains the hash algorithm in use, a seed value that changes only when the user re-initialises his passphrase, and the sequence number of the next password. Since the sequence number counts down with every successful login, an attacker who watches it can tell how often, and if watched over time when, a user logs in. OpenSSH's S/Key support only issues a challenge when the account exists and is using one-time passwords, so a probe can also tell which account names are valid. It has been reported that OpenSSH relies on the S/Key library to create fake challenges for other names.

It is not clear that there are good solutions to these problems. Systems that need the security of one-time passwords may also need to limit which addresses can connect, either with a firewall or by configuring sshd to accept connections only from authorized hosts (for example, AllowUsers entries with user@host patterns in sshd_config).
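The challenge format and the two behaviours described above, worked through as an added example (this is not OpenSSH's or the skey library's code). It parses a challenge to show exactly what an observer learns, contrasts the leaky behaviour (a challenge only for real one-time-password users) with a variant that always answers, and derives stable fake challenges from an HMAC over the username. The HMAC construction, the sample account database, and the server secret are assumptions for the example; real skey seeds and initial sequence numbers vary by implementation.

```python
import hashlib
import hmac
import re
import string

# Challenge layout shared by S/Key and OPIE: "<hash> <sequence> <seed> [ext]".
# Hash names: otp-md4 (original S/Key), otp-md5 and otp-sha1 (OPIE).
CHALLENGE_RE = re.compile(
    r"^(otp-(?:md4|md5|sha1))\s+(\d+)\s+([A-Za-z0-9]+)(?:\s+(ext))?\s*$")

# Sequence number written when a passphrase is set; 99 is the S/Key default
# (OPIE uses 499).  Assumed here as the reference point for counting logins.
DEFAULT_INITIAL_SEQUENCE = 99

# Constructed sample data, not taken from any real host.
OTP_DB = {"alice": ("otp-md5", 95, "ke1234")}
SERVER_SECRET = b"constructed example secret; use a random per-host value"


def parse_challenge(challenge):
    """Split a challenge into its fields, or raise ValueError if malformed."""
    m = CHALLENGE_RE.match(challenge)
    if m is None:
        raise ValueError("not an S/Key or OPIE challenge: %r" % (challenge,))
    algo, seq, seed, ext = m.groups()
    return {"algorithm": algo, "sequence": int(seq), "seed": seed,
            "ext": ext is not None}


def what_it_leaks(challenge, initial=DEFAULT_INITIAL_SEQUENCE):
    """What a remote observer learns from a single challenge."""
    c = parse_challenge(challenge)
    return {
        "hash_algorithm": c["algorithm"],
        # Every successful login decrements the sequence, so the distance
        # from the initial value is the number of logins since re-keying.
        "logins_since_keyinit": initial - c["sequence"],
        # The seed changes only when the passphrase is re-initialised, so it
        # identifies a passphrase epoch and lets challenges be correlated.
        "passphrase_epoch": c["seed"],
    }


def leaky_challenge_for(username, otp_db):
    """The behaviour the column describes: a challenge only for a real
    one-time-password user, which lets a probe enumerate valid accounts."""
    if username in otp_db:
        algo, seq, seed = otp_db[username]
        return "%s %d %s ext" % (algo, seq, seed)
    return None


def fake_challenge(username, server_secret, algo="otp-md5"):
    """Stable fake challenge for a name with no one-time-password entry.

    Derived with an HMAC over the username under a per-host secret so that
    repeated probes of the same name see the same seed and sequence, as a
    real account would.  Assumed design; not the skey library's algorithm.
    """
    mac = hmac.new(server_secret, username.encode("utf-8"), hashlib.sha256).digest()
    n = int.from_bytes(mac, "big")
    seq = 10 + n % 90                                   # plausible mid-life value, 10..99
    n //= 90
    letters = string.ascii_lowercase
    seed = (letters[n % 26] + letters[(n // 26) % 26]   # two letters ...
            + "%05d" % ((n // 676) % 100000))           # ... plus five digits
    return "%s %d %s ext" % (algo, seq, seed)


def challenge_for(username, otp_db, server_secret):
    """Hardened variant: always answer with a well-formed challenge."""
    real = leaky_challenge_for(username, otp_db)
    return real if real is not None else fake_challenge(username, server_secret)


if __name__ == "__main__":
    for name in ("alice", "mallory"):
        print(name, "->", challenge_for(name, OTP_DB, SERVER_SECRET))
    print(what_it_leaks("otp-md5 95 ke1234 ext"))
```

The fake challenge never counts down, so a patient observer who probes the same name repeatedly can still separate real accounts from invented ones, and for real accounts the sequence number keeps leaking login frequency. That is why the column's only firm advice is to restrict which addresses may connect at all.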

Red Hat Stronghold

Red Hat's Stronghold, an SSL Web server based on Apache, has a vulnerability that can be used to disclose sensitive system files and to gather information useful in an attack on the system.

Two URLs, stronghold-info and stronghold-status, return this information and should have access restrictions placed on them. Affected users should upgrade to Stronghold 3.0 build 3015 as soon as possible.
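An access restriction of the kind the advisory asks for, as an added example (not from Red Hat's advisory or the Stronghold documentation). It assumes Stronghold honours standard Apache 1.3 httpd.conf directives and that the two pages are served at the paths /stronghold-info and /stronghold-status; the allowed addresses are placeholders for your own administrative hosts.

```apache
# Before (weak): no <Location> block, so the status and info pages are
# readable by anyone who can reach the server.

# After: deny everyone, then allow only the local host and one constructed
# administrative address.  Apply the same block to both paths.
<Location /stronghold-status>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.0.2.10
</Location>

<Location /stronghold-info>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.0.2.10
</Location>
```

Restart the server and confirm with a request from an outside address that both paths now return 403; the restriction reduces exposure but does not remove the need for the build 3015 upgrade.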

SuSE susehelp

The susehelp package is a collection of CGI scripts that provide a help system to users. Vulnerabilities in the package can be exploited by a remote user to execute arbitrary commands with the permissions of the wwwrun user account. The problem affects SuSE versions 7.2 and 7.3.

Users should install the updated susehelp package available from SuSE.

Cyrus SASL

The Cyrus SASL library has a format string bug in one of its logging functions that can be triggered remotely to execute arbitrary code with the privileges of the server using the library. The library provides an authentication API for mail clients and servers, so any such program linked against a vulnerable version is exposed.

Users of the Cyrus SASL library should upgrade to a repaired version as soon as possible and restart the servers that link against it.

Open UNIX and UnixWare PPP Utilities

The PPP utilities supplied with Open UNIX 8.0.0 and UnixWare 7.1.0 and 7.1.1 contain a buffer overflow that affects pppattach and several utilities that link to it. A local attacker can exploit the overflow to gain root.

Caldera recommends that affected users upgrade their PPP binaries, and that users who do not use PPP remove the set-user-id bit from pppattach.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.