Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a denial-of-service attack against X Window servers; buffer overflows in the Oracle 9iAS Reports Server and Sun's AnswerBook2; and problems in Simpleinit, CGIscript.net scripts, Cisco IP Telephones, Mailman, Sun's
mibiisa, the StepWeb Search Engine, FreeBSD's
accept_filter, and Ghostscript.
There is a potential denial-of-service attack against X Window servers using the Mozilla Web browser. This denial-of-service attack uses a specially-crafted stylesheet that, when loaded by the browser, will crash the X Window System and, under some conditions, crash the system.
Users can protect their systems from crashing by setting
rlimits on the X Window System and font servers. Users should watch their vendor for updated X Window, font server, and Mozilla packages.
Simpleinit, an init application for Linux systems that is included in the
util-linux set of utilities, has a flaw that can be exploited by a local attacker to execute arbitrary code with root permissions. Under some circumstances, a remote attacker may be able to exploit this flaw. A script that automates exploiting the flaw in Simpleinit has been released.
It is recommended that users patch Simpleinit or upgrade to a repaired version as soon as possible.
Multiple CGI scripts written in Perl and distributed through the CGIscript.net Web site have multiple vulnerabilities, including a vulnerability that can be exploited by a remote attacker to execute arbitrary Perl code on the server as the user running the Web server. Scripts reported to be vulnerable include: csGuestBook, csLiveSupport, csNewsPro, csMailto.cgi, csNews.cgi, and csChatRBox.
Affected users should contact CGIscript.net for repaired versions of the scripts.
Several problems have been reported relating to Cisco's IP Telephone products. These problems range from denial-of-service attack vulnerabilities to unauthorized phone configuration.
Cisco IP Phone models 7910, 7940, and 7960 have a vulnerability that can be exploited to modify the configuration of the phone, and other vulnerabilities that can be exploited in denial-of-service attacks against the phone.
The Cisco ATA 186 Analog Telephone Adaptor can be made to reveal its password and then easily reconfigured by a remote attacker. A carefully-crafted HTTP POST will cause the device to display its password.
Cisco has released updates for these problems and recommends that they be applied as soon as possible.
The Mailman mailing list manager has cross-site scripting bugs that can be exploited by a remote attacker to access private information from other mailing list users and, under some conditions, gain access to other users' authentication cookies.
When a system has private Mailman mailing lists and local users, any local user can read the archives of the private mailing lists. It has been reported that this is not planned to be changed and should be kept in mind when private mailing lists are set up.
It is recommended that users of Mailman upgrade to version 2.0.11 as soon as possible to repair the reported cross-site scripting bugs.
The Oracle 9iAS Reports Server has a buffer overflow in a CGI application that can be exploited by a remote attacker to execute arbitrary code with the permissions of the user running the Web server.
It has been reported that Oracle has released patch 2356680 to repair this problem. Affected users should contact Oracle for this patch.
Sun has released security-related patches for problems in the Sun Solstice Enterprise Master Agent,
snmpdx, and the Sun SNMP Agent,
mibiisa. These patches repair format string vulnerabilities and buffer overflows that can be exploited by a remote attacker to execute code as root.
The StepWeb Search Engine is a small search engine that uses a flat file database. Version 2.5 has been reported to have vulnerabilities that can be exploited under some circumstances to add information to the database and view logs of searches.
According to its Web site, the StepWeb Search Engine was last updated 08/09/1998. Users should consider replacing the search engine with other software.
The Sun AnswerBook2 daemon provides Web-based documentation. It is vulnerable to a buffer overflow that can be remotely exploited to execute code with the permissions of the user running AnswerBook2 (daemon, by default). The buffer overflow is in the
gettransbitmap CGI application component of AnswerBook2.
Users should consider disabling AnswerBook2 until a patch has been released by Sun. It has been reported that users can protect against this overflow by disabling the
FreeBSD systems that have configured accept filters may be vulnerable to a denial-of-service attack. Accept filters are not enabled by default on FreeBSD. They are enabled by compiling a kernel with an accept filter option or by loading a filter using
kldload. Some worms, such as Code Red, have been found to cause a denial of service when the HTTP accept filter is enabled.
Affected users should upgrade their system to a repaired version. A possible workaround is to disable any accept filters and reboot the system.
Ghostscript, an application that displays Postscript files and prints them to non-Postscript capable printers, has a vulnerability that can cause arbitrary commands to be executed when a carefully-crafted Postscript file is read.
Users should upgrade to version 6.53 of Ghostscript or install updated packages from their vendor.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.