Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at buffer overflows in the FTP daemon included in the
krb5-workstation package, Debian's
ftpd, HP OpenView NNM v6.1, and
ncurses; temporary-file race conditions in
scoadmin and InoculateIT; problems in Cisco CBOS, Cisco IOS, and Solaris 8
fingerd; new versions of OpenSSH and Red Hat's
mktemp; and two tools to scan C and C++ source code for potential errors.
OpenSSH 2.9, a free version of the SSH protocol suite, has been released and users are encouraged to upgrade.
The version of
krb5-workstation shipped with Red Hat Linux 6.2, 7.0, and 7.1 has a buffer overflow in the
gssapi-aware ftpd daemon. This buffer overflow could potentially be used by an attacker to execute arbitrary code on the server with root privileges. The buffer overflow is located in the code that handles authentication requests.
Red Hat recommends that users upgrade to the latest
krb5-workstation package available for their version of Red Hat Linux.
The FTP daemon included with Debian 2.2 has been reported to have a buffer overflow that could be exploited by an attacker to run arbitrary code as the root user. The buffer overflow occurs in the
Users should watch Debian for an updated version.
mktmp application distributed with Red Hat Linux 5.2 and 6.2 did not support the
-d parameter to safely create temporary directories.
Alerts this week:
Do you think programs like Flawfinder and RATS can really create more secure code?
mktemp package has been released (
mktemp-1.5-2.1.5x) that provides this functionality. Red Hat recommends that affected users upgrade.
Cisco CBOS is the operating system used by the Cisco 600 series of routers. There are multiple problems that have been identified with Cisco CBOS including several denial-of-service vulnerabilities, some passwords are stored in the clear in the NVRAM, and it creates predictable TCP Initial Sequence Numbers. These vulnerabilities are known to affect the following versions of CBOS: 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7, and 2.3.8. Affected versions of Cisco CBOS are used in the Cisco 627, 633, 673, 675, 675E, 677, 677i, and 678 routers.
Cisco recommends that affected users upgrade their router to CBOS version 2.3.9, 2.4.1, or 2.4.2.
Any connection to a set of specific TCP ports on an affected router or switch will cause memory corruption that will cause the router to reset at the next command that causes the configuration file to be accessed. This problem affects IOS software version 12.1(2)T and 12.1(3)T on Cisco routers including the AGS/MGS/CGS/AGS+, IGS, RSM, 8xx, ubr9xx, 1xxx, 25xx, 26xx, 30xx, 36xx, 38xx, 40xx, 45xx, 47xx, AS52xx, AS53xx, AS58xx, 64xx, 70xx, 72xx (including the ubr72xx), 75xx, and 12xxx series; recent versions of the LS1010 ATM switch; some versions of the Catalyst 2900XL LAN switch; and the Cisco DistributedDirector.
Affected users should contact Cisco to determine the appropriate new version of IOS for their devices.
The set user ID executable
ecsd, that is part of the HP OpenView NNM v6.1 package, has a buffer overflow that could be used by an attacker to execute arbitrary code with the permissions of the root user.
It is reported that Hewlett-Packard is working on a patch for this problem and users should watch for an update to the HP OpenView NNM v6.1 package.
It has been reported that the OpenServer
scoadmin system administration tool has a temporary-file race condition that can allow an attacker to overwrite any file on the system.
Users should watch SCO for a patch and should consider not using the
scoadmin utility on a multiuser system until it has been fixed.
InoculateIT is a virus scanner for Unix that is free for personal use. Under some conditions there is a temporary-file race condition that can be used by a local attacker to overwrite some files on the system. It is unclear at this time which files can be overwritten and what is the extent of the vulnerability.
Users of InoculateIT should exercise care on multiuser systems and should watch the vendor for a response and a patch for this vulnerability.
Versions of the
ncurses library earlier to 5.2 have a buffer overflow that can be used by an attacker to execute arbitrary code in set user ID and set group ID applications with the permissions the application is running under. This problem only affects applications that use the
ncursesW library for cursor movement.
Users should upgrade their
ncurses library to version 5.2 or newer as soon as possible.
Two new tools have been announced that scan C and C++ source code for potential security problems. RATS was developed by Secure Software Solutions and Flawfinder was developed by David Wheeler. Both tools are released under the GPL (GNU Public License) -- and Secure Software Solutions and David Wheeler have stated that they plan to coordinate future development.
The Solaris 8 finger daemon will display the contents of any world readable file that is linked to from the users
.plan file. Under some configurations this could be a problem but under most configurations, it is not.
On all but one system I have administered, I have turned off access to the Finger daemon. On the one exception, all of the users can read any world-readable file and this bug would still not be a problem. If your system is running the finger daemon and it is not needed -- turn it off. Otherwise, watch Sun for a patch.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.