Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Portable OpenSSH, Portable OpenSSH under AIX, ATM on Linux, Qpopper's
poppassd, Monkey HTTPd, Red Hat's
pptpd, EPIC4, HPUX's
rexec, and vulnerabilities in Cisco equipment.
A remote attacker is reported to be able to identify valid user IDs of
users of systems running Portable OpenSSH with PAM enabled. This
vulnerability is caused by Portable OpenSSH having a delay when an
attempt to log in using a valid user ID and an invalid password and
having little or no delay when making an attempt to log in using an
invalid user ID. This problem is reported to affect Debian GNU/Linux,
Red Hat Linux, and Mandrake Linux; it may also affect SuSE Linux,
Caldera/SCO Linux, Apple OS-X, and other Linux distributions that use
OpenSSH_3.6.1p1 or earlier with PAM support compiled in (
A proof-of-concept application has been developed that exploits this
vulnerability has been released to the public.
Users should upgrade to OpenSSH 3.6.1p2 or newer.
It has been reported that versions of Portable OpenSSH prior to 3.6.1p2, when compiled under AIX with GCC or other non-IBM compilers, will first look for its shared libraries in its current working directory. The runtime linker under AIX has a flaw in that by default, it will link applications so that they will look for shared (dynamic) libraries in the current directory. Versions of Portable OpenSSH prior to version 3.6.1p2 have code to work around the flaw in the linker, but only if the IBM compiler is selected.
Portable OpenSSH 3.6.1p2 uses the proper compiler flags to work around this problem. One possible work around is to remove the set-user-ID bits from all SSH applications. Removing set-user-ID bits will also remove some functionality from SSH.
The experimental code that supports ATM under Linux has a bug that can be exploited by a local attacker to execute arbitrary code with root permissions. Code to automate the exploitation of this bug has been released to the public.
Users should watch sourceforge.net/projects/linux-atm for updates to this software.
poppassd is a daemon provided with Qpopper that provides
remote users the ability to change their passwords. A flaw in
poppassd is reported to be exploitable by a local user to gain root
It is recommended that the set-user-ID bit be removed from
until it has been repaired.
The Monkey web server is vulnerable to a buffer overflow in the code
POST requests. This buffer overflow may be exploitable
by remote attackers to execute arbitrary code as the user that is
running the web server. Monkey HTTPd v0.6.1 is reported to be
It is recommended that users upgrade to Monkey HTTPd version 0.6.2 as soon as possible. Users that are unable to upgrade Monkey HTTPd immediately should consider disabling it until it is upgraded.
Red Hat has released new
mod_auth_any packages for Red Hat Linux 7.2
mod_auth_any is an Apache module that Apache uses to call
external applications to verify user passwords. The new
package repairs a problem that could be used by a remote attacker to
execute shell commands with the permissions of the user running the
web server. In addition, the current version of
mod_auth_any is reported
to not differentiate between a non-response due to a crash of the
called application and a success.
Red Hat recommends that affected users upgrade to the proper errata package as soon as possible.
pptpd, a Virtual Private Networking (VPN) Server, has a buffer
overflow that can be exploited by a remote attacker to execute
arbitrary code as root. It is reported that an automated script to
exploit this buffer overflow has been made available.
Users should watch their vendor for updated packages that fix the buffer overflow. Packages for Debian GNU/Linux have been released.
Also in Security Alerts:
EPIC4 (the Enhanced Programmable IRCII Client), a client for Internet Relay Chat, is vulnerable to buffer overflows that can be exploited by a remote server to which the client has connected. The buffer overflows are exploitable as a denial-of-service attack and, under some conditions, may be used to execute arbitrary code on the local machine with the permissions of the user running the client.
Users should watch their vendor for an update to EPIC4 that repairs the buffer overflows and should be careful about to which IRC servers they connect.
rexec command under HPUX B.10.20 has been reported to have a
buffer overflow in the code that handles the "
-l" command line option.
Users should watch HP for a Security Bulletin and a patch for this
problem. Users should consider disabling
recex until it has been
Cisco has announced denial-of-service vulnerabilities in the FTP or Telnet services of certain Cisco equipment. These vulnerabilities were found using the Nessus security scanner. Affected equipment includes: "Cisco ONS15454 Optical Transport Platform, the Cisco ONS15327 Edge Optical Transport Platform, the Cisco ONS15454SDH Multiplexer Platform, and the Cisco ONS15600 Multiservice Switching Platform." The recommended configuration, where the control cards for these machines are connected to a private network that is not connected to the Internet, will prevent the exploitation of these vulnerabilities by outside attackers.
Cisco has released upgraded software fixes for these problems and recommends that affected users upgrade as soon as possible.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.