Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts: OpenSSL Timing Attack

by Noel Davis
02/24/2003

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in OpenSSL, Oracle, mod_php, MySQL, pam_xauth, VNC, apcupsd, nethack, Rogue, and BitchX.

OpenSSL

A timing-based attack against OpenSSL's SSL/TLS implementation has been reported (CAN-2003-0078). When a CBC-mode record arrives with incorrect block padding, OpenSSL before 0.9.7a reports the error without computing the record MAC, so a padding failure is measurably faster than a MAC failure. An attacker who can observe that difference has a padding oracle and, under some conditions, can use it to recover a block of plaintext such as a user's password. Because a failed record ends the session, the attacker also needs the victim to send the same plaintext again in many fresh sessions, which is what a mail client that reconnects and re-sends its password does. The attack is described in a paper by Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin Vuagnoux that is to be presented at CRYPTO 2003.

The developers of OpenSSL recommend that users upgrade to OpenSSL version 0.9.7a (or to 0.9.6i on the 0.9.6 branch). Users of the OpenSSL 0.9.6* "engine" release that cannot upgrade to 0.9.7a should install the matching engine release, openssl-engine-0.9.6i.tar.gz. Users of precompiled packages should watch their vendor for updates to affected packages.
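The leak is easiest to see in code. What follows is an added example, not OpenSSL's own code: a toy CBC record layer in which a four-round Feistel network over SHA-256 stands in for the block cipher and an 8-byte truncated HMAC-SHA1 for the record MAC (both assumptions made only to keep the demo self-contained), with a receiver that can be switched between the pre-0.9.7a shape (return as soon as the padding is bad) and the fixed shape (always run the MAC, then report a MAC failure). The boolean "did the MAC run" stands in for the timing difference an attacker would measure. Given that oracle, a standard padding-oracle loop recovers a whole plaintext block from the vulnerable receiver and only garbage from the fixed one. The key, IV and the sample record are constructed.

```python
import hashlib
import hmac

BLOCK = 16   # cipher block size in bytes
MAC_LEN = 8  # truncated HMAC-SHA1 tag (toy); real TLS 1.0 uses 20 bytes


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    # Round function of the toy Feistel cipher: a keyed hash, NOT a real cipher.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_crypt(key, block, decrypt=False):
    # 4-round Feistel network; decryption runs the rounds in reverse.
    left, right = block[:8], block[8:]
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        left, right = right, _xor(left, _f(key, right, rnd))
    return right + left


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_crypt(key, _xor(prev, plaintext[i:i + BLOCK]))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_crypt(key, cur, decrypt=True), prev)
        prev = cur
    return out


def tls_pad(data):
    # SSL/TLS CBC padding: n + 1 trailing bytes, each equal to n.
    n = (-len(data) - 1) % BLOCK
    return data + bytes([n]) * (n + 1)


def tls_unpad(plain):
    n = plain[-1]
    if n + 1 > len(plain) or any(b != n for b in plain[-(n + 1):]):
        return None
    return plain[:-(n + 1)]


def seal(key, iv, data):
    # Sender side: data || MAC || padding, then CBC-encrypt.
    tag = hmac.new(key, data, hashlib.sha1).digest()[:MAC_LEN]
    return cbc_encrypt(key, iv, tls_pad(data + tag))


def receive(key, iv, ciphertext, always_mac):
    """Return (accepted, mac_was_computed); the second value models latency."""
    plain = cbc_decrypt(key, iv, ciphertext)
    body = tls_unpad(plain)
    padding_ok = body is not None
    if not padding_ok:
        if not always_mac:
            return False, False      # pre-0.9.7a shape: fast exit, MAC skipped
        body = plain                 # 0.9.7a shape: do the MAC work anyway
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expect = hmac.new(key, data, hashlib.sha1).digest()[:MAC_LEN]
    return padding_ok and hmac.compare_digest(expect, tag), True


def recover_block(oracle, prev_block, target_block):
    """Recover one plaintext block, last byte first; oracle(ct) is True
    exactly when the receiver reached the MAC step (the 'slow' path)."""
    dec = bytearray(BLOCK)           # D_k(target_block), learned right to left
    for pos in range(1, BLOCK + 1):  # pos = distance of the byte from the end
        n = pos - 1                  # force a valid padding of n + 1 bytes of n
        probe = bytearray(BLOCK)
        for k in range(1, pos):
            probe[-k] = dec[-k] ^ n
        for guess in range(256):
            probe[-pos] = guess
            if not oracle(bytes(probe) + target_block):
                continue
            if pos == 1:             # a 0x00 terminator must survive a change of byte -2
                probe[-2] ^= 0xFF
                ok = oracle(bytes(probe) + target_block)
                probe[-2] ^= 0xFF
                if not ok:
                    continue
            dec[-pos] = guess ^ n
            break
        else:
            return None
    return _xor(bytes(dec), prev_block)


def attack_demo(always_mac):
    """Constructed session: one 16-byte secret record, attacked through the oracle."""
    key, iv = b"constructed-toy-key", bytes(range(BLOCK))
    secret = b"user=alice pwd=7"                       # constructed, exactly one block
    ciphertext = seal(key, iv, secret)
    def oracle(c):
        return receive(key, iv, c, always_mac)[1]      # True when the MAC ran
    return recover_block(oracle, iv, ciphertext[:BLOCK])
```

attack_demo(False) returns the secret block; attack_demo(True) returns a fixed garbage block because the fixed receiver reaches the MAC step on every record and the oracle no longer distinguishes anything. The model ignores two things the paper had to deal with: a real SSL/TLS peer closes the connection after the first bad record, so every probe costs a fresh session in which the victim must re-send the same secret, and the real signal is a latency difference measured over a network rather than a clean boolean.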

Oracle

Multiple buffer overflows, format string attacks, and other vulnerabilities have been reported in the Oracle8i Database, Oracle9i Application Server, and Oracle9i Database. These vulnerabilities can be exploited by an attacker to execute arbitrary code with the permissions of the oracle account, conduct a denial-of-service attack against Oracle applications, and delete, modify, and add to data stored in the database.

Users should contact Oracle for details on vulnerabilities and availability of patches. It is also recommended that users reduce their risks by using tools such as a firewall to restrict access to their databases and other Oracle servers, limit the permissions that are available to user accounts used to run Oracle applications, and disable Oracle services that are unused or not needed.

mod_php

Version 4.3.0 of PHP contains a bug in the code that handles the configure option --enable-force-cgi-redirect and the php.ini option cgi.force_redirect. An attacker can exploit this bug to read any file on the system that is readable by the user running the web server. Under some conditions, the attacker may be able to execute arbitrary PHP code if they can inject it into a file readable by the web server (for example, the web server's log files).

The PHP Group has released version 4.3.1 of PHP. Users of binary packages should watch their vendor for an update and should consider disabling mod_php until it has been repaired.

MySQL

A double free() bug in MySQL's mysql_change_user() function can be exploited, under some circumstances, by an attacker as a denial-of-service attack against the database server. The attacker must be able to log into the database and must use a modified MySQL client to trigger the bug.

Users should upgrade to MySQL release 3.23.55 to repair this bug.

pam_xauth

The PAM module pam_xauth incorrectly handles X authorization data for the root user and, under some conditions, could be exploited to gain root permissions on a system. Some versions of pam_xauth forward root's MIT-MAGIC-COOKIE-1 to the target user when root uses su to become that user, which gives the target user access to root's X session. This may be exploitable in several ways to gain root access to the machine. Versions of pam_xauth distributed with Red Hat Linux 7.1, 7.2, 7.3, and 8.0; Mandrake Linux 8.1, 8.1/IA64, 8.2, 8.2/PPC, and 9.0; and Mandrake's Multi Network Firewall 8.2 are reported to be vulnerable.

Affected users should contact their vendor for updated packages. Updated packages have been released by Mandrake and Red Hat.

VNC

VNC (Virtual Network Computing) provides a remote graphical console over a network. VNC has two weaknesses that a remote attacker may be able to exploit to gain access to the VNC server. First, the MIT X cookie used to authenticate to the X server started by vncserver is generated with an insufficiently random number generator and can be predicted. Second, the random challenge in the DES challenge/response authentication repeats within the same second, so an attacker who sniffs a legitimate login can replay the captured response on a new connection made in that second.

Users should watch their vendors for updated VNC packages. It is strongly suggested that VNC connections be tunnelled through an encrypted channel such as SSH rather than exposed directly to the network.
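The replay problem in the challenge/response exchange, as an added example that is not the VNC project's code. It models the challenge generator as seeded from a seconds-resolution clock (an assumption chosen to reproduce "within the same second"; the real seeding code is not reproduced here), uses an HMAC as a stand-in for VNC's DES encryption of the challenge under the password, and uses a constructed password. replay_attack() shows a sniffed response authenticating a second connection made 0.4 s later, and the same exchange refusing it once the challenge comes from the OS random source.

```python
import hashlib
import hmac
import os
import random


def weak_challenge(clock_seconds):
    # Model of the flaw: the PRNG is seeded from a seconds-resolution clock,
    # so every challenge handed out within one second is identical.
    rng = random.Random(int(clock_seconds))
    return bytes(rng.getrandbits(8) for _ in range(16))


def strong_challenge(_clock_seconds=None):
    # Fix: 16 fresh bytes from the OS CSPRNG for every connection.
    return os.urandom(16)


def respond(password, challenge):
    # Stand-in for VNC's "DES-encrypt the challenge with the password":
    # any keyed function of (password, challenge) shows the replay point.
    key = password.encode()[:8].ljust(8, b"\0")
    return hmac.new(key, challenge, hashlib.sha1).digest()


class VncAuth:
    """Server side of the challenge/response exchange."""

    def __init__(self, password, challenge_fn):
        self.password = password
        self.challenge_fn = challenge_fn
        self.pending = None

    def begin(self, clock_seconds):
        self.pending = self.challenge_fn(clock_seconds)
        return self.pending

    def finish(self, response):
        ok = hmac.compare_digest(respond(self.password, self.pending), response)
        self.pending = None
        return ok


def replay_attack(challenge_fn, clock_seconds):
    """True if a sniffed response authenticates a second connection 0.4 s later."""
    server = VncAuth("s3cret", challenge_fn)          # constructed password
    # 1. A legitimate client authenticates; the attacker sniffs the response.
    sniffed = respond("s3cret", server.begin(clock_seconds))
    assert server.finish(sniffed)
    # 2. The attacker, without the password, connects in the same second
    #    and replays the captured bytes.
    server.begin(clock_seconds + 0.4)
    return server.finish(sniffed)
```

The same predictability argument applies to the X cookie: a cookie or challenge that an attacker can regenerate or wait for is not a secret, and the fix in both cases is an unpredictable per-session value. Replacing the weak generator does nothing for the plaintext exposure of the rest of the VNC session, which is why the SSH tunnel advice above still stands.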

apcupsd

The apcupsd daemon provides power management and control for most of APC's UPS models. apcupsd is vulnerable to buffer overflows in the code that implements its network information server, and master/slave setups have a remotely exploitable vulnerability that yields root.

It is recommended that users upgrade to either the stable apcupsd release 3.8.6 or the development release 3.10.5 as soon as possible. Users should consider disabling apcupsd until it has been updated.

nethack

There is a buffer overflow in the game nethack that can be exploited by a local attacker to execute arbitrary code. On systems where nethack is installed set-user-id (Red Hat Linux and Gentoo Linux, for example, both install nethack set-user-id to the games user), the attacker gains the privileges of the games user.

Users should remove the set user id bit from nethack and should upgrade the game as packages become available.

Rogue

The role-playing game Rogue has a buffer overflow in its save-game function that, on distributions that install the game set-user-id or set-group-id, can be exploited to execute code with the privileges of the games user or group.

Users should check the permissions of Rogue and remove any set user id bit or set group id bits, and should upgrade the game as packages become available.
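An audit that does what the nethack and Rogue advice above asks for, as an added example that is not from the column: walk the game directories, report every regular file carrying the set-user-id or set-group-id bit, and strip those bits (the effect of chmod ug-s). The directories /usr/games and /usr/local/games are assumed install locations, and demo() builds a constructed temporary tree with fake "nethack" and "rogue" files rather than touching the real system.

```python
import os
import shutil
import stat
import tempfile

SETID = stat.S_ISUID | stat.S_ISGID


def setid_flags(mode):
    """(setuid, setgid) for a raw st_mode value."""
    return bool(mode & stat.S_ISUID), bool(mode & stat.S_ISGID)


def find_setid(roots):
    """Return (path, setuid, setgid) for every regular file under roots that
    carries either bit.  lstat is used so symlinks are not followed."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & SETID:
                    hits.append((path,) + setid_flags(st.st_mode))
    return sorted(hits)


def strip_setid(path):
    """Clear both bits, the same effect as `chmod ug-s path`; return the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~SETID)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed scenario in a temporary tree: a fake 'nethack' installed
    setuid (4755), a fake 'rogue' installed setgid (2755) and a plain 'banner'.
    Returns (hits before stripping, hits after), paths reduced to basenames."""
    base = tempfile.mkdtemp()
    try:
        games = os.path.join(base, "games")
        os.mkdir(games)
        for name, mode in (("nethack", 0o4755), ("rogue", 0o2755), ("banner", 0o755)):
            path = os.path.join(games, name)
            with open(path, "wb") as fh:
                fh.write(b"#!/bin/sh\nexit 0\n")  # placeholder, not a real game
            os.chmod(path, mode)
        before = [(os.path.basename(p), u, g) for p, u, g in find_setid([games])]
        for p, _u, _g in find_setid([games]):
            strip_setid(p)
        after = [(os.path.basename(p), u, g) for p, u, g in find_setid([games])]
    finally:
        shutil.rmtree(base)
    return before, after


if __name__ == "__main__":
    # Real audit of the assumed game directories; nothing is changed here.
    for path, suid, sgid in find_setid(["/usr/games", "/usr/local/games"]):
        print(f"{path}: setuid={suid} setgid={sgid}")
```

Stripping the bits means high-score files owned by the games user may stop being writable by ordinary players; that is the trade the column is recommending until fixed packages arrive.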

BitchX IRC Client

There is a denial-of-service vulnerability in the BitchX IRC client. A malformed RPL_NAMREPLY (numeric 353) reply, which a malicious or compromised IRC server can send, will crash BitchX.

Users should watch their vendor for updated packages that repair this problem.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.




Copyright © 2009 O'Reilly Media, Inc.