LinuxDevCenter.com

Security Alerts

Clean Up Your Code with Flawfinder

05/29/2001

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at buffer overflows in the FTP daemon included in the krb5-workstation package, Debian's ftpd, HP OpenView NNM v6.1, and ncurses; temporary-file race conditions in scoadmin and InoculateIT; problems in Cisco CBOS, Cisco IOS, and Solaris 8 fingerd; new versions of OpenSSH and Red Hat's mktemp; and two tools to scan C and C++ source code for potential errors.

OpenSSH 2.9

OpenSSH 2.9, a free version of the SSH protocol suite, has been released and users are encouraged to upgrade.

krb5 Workstation ftpd

The version of krb5-workstation shipped with Red Hat Linux 6.2, 7.0, and 7.1 has a buffer overflow in the gssapi-aware ftpd daemon. This buffer overflow could potentially be used by an attacker to execute arbitrary code on the server with root privileges. The buffer overflow is located in the code that handles authentication requests.

Red Hat recommends that users upgrade to the latest krb5-workstation package available for their version of Red Hat Linux.

Debian ftpd

The FTP daemon included with Debian 2.2 has been reported to have a buffer overflow that could be exploited by an attacker to run arbitrary code as the root user. The buffer overflow occurs in the SITE command.

Users should watch Debian for an updated version.

Red Hat mktemp

The mktemp application distributed with Red Hat Linux 5.2 and 6.2 did not support the -d parameter for safely creating temporary directories.

A new mktemp package has been released (mktemp-1.5-2.1.5x) that provides this functionality. Red Hat recommends that affected users upgrade.

Cisco CBOS

Cisco CBOS is the operating system used by the Cisco 600 series of routers. Multiple problems have been identified in Cisco CBOS: several denial-of-service vulnerabilities, passwords stored in the clear in NVRAM, and predictable TCP initial sequence numbers. These vulnerabilities are known to affect the following versions of CBOS: 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7, and 2.3.8. Affected versions of Cisco CBOS are used in the Cisco 627, 633, 673, 675, 675E, 677, 677i, and 678 routers.

Cisco recommends that affected users upgrade their router to CBOS version 2.3.9, 2.4.1, or 2.4.2.

Cisco IOS

Any connection to a set of specific TCP ports on an affected router or switch causes memory corruption that makes the router reset at the next command that accesses the configuration file. This problem affects IOS software versions 12.1(2)T and 12.1(3)T on Cisco routers including the AGS/MGS/CGS/AGS+, IGS, RSM, 8xx, ubr9xx, 1xxx, 25xx, 26xx, 30xx, 36xx, 38xx, 40xx, 45xx, 47xx, AS52xx, AS53xx, AS58xx, 64xx, 70xx, 72xx (including the ubr72xx), 75xx, and 12xxx series; recent versions of the LS1010 ATM switch; some versions of the Catalyst 2900XL LAN switch; and the Cisco DistributedDirector.

Affected users should contact Cisco to determine the appropriate new version of IOS for their devices.

HP OpenView NNM v6.1

The set-user-ID executable ecsd, which is part of the HP OpenView NNM v6.1 package, has a buffer overflow that could be used by an attacker to execute arbitrary code with the permissions of the root user.

It is reported that Hewlett-Packard is working on a patch for this problem and users should watch for an update to the HP OpenView NNM v6.1 package.

scoadmin

It has been reported that the OpenServer scoadmin system administration tool has a temporary-file race condition that can allow an attacker to overwrite any file on the system.

Users should watch SCO for a patch and should consider not using the scoadmin utility on a multiuser system until it has been fixed.

InoculateIT

InoculateIT is a virus scanner for Unix that is free for personal use. Under some conditions there is a temporary-file race condition that can be used by a local attacker to overwrite some files on the system. It is unclear at this time which files can be overwritten and what the extent of the vulnerability is.

Users of InoculateIT should exercise care on multiuser systems and should watch the vendor for a response and a patch for this vulnerability.
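The temporary-file race behind the scoadmin and InoculateIT reports, and the atomic directory creation that `mktemp -d` provides, side by side in C. This is an added example, not code from any of those packages; the `scan.` prefix, the TMPDIR handling and the post-creation ownership check are assumptions of the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Weak pattern (constructed illustration, not scoadmin's or InoculateIT's
 * code): a predictable name plus a separate check and create. Between the
 * access() and the mkdir() another local user can plant a symlink or a
 * directory of their own at that path, and anything later written into it
 * lands where they chose. That gap is the temporary-file race the
 * advisories above describe. Kept for comparison; nothing below calls it. */
int tmpdir_predictable(char *path, size_t len) {
    snprintf(path, len, "/tmp/scan.%ld", (long)getpid());
    if (access(path, F_OK) == 0)
        return -1;                 /* check ... */
    return mkdir(path, 0700);      /* ... then use: the race sits in between */
}

/* Safe pattern: mkdtemp(3), the library call behind `mktemp -d`, replaces
 * the XXXXXX with random characters and creates the directory in one
 * atomic step with mode 0700, failing rather than reusing an existing
 * entry. Honouring TMPDIR is an assumption of this example. */
int tmpdir_safe(char *path, size_t len) {
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0') base = "/tmp";
    if (snprintf(path, len, "%s/scan.XXXXXX", base) >= (int)len) return -1;
    if (mkdtemp(path) == NULL) return -1;
    /* Confirm we got a directory we own, not group/world accessible, not a link. */
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode)
        || st.st_uid != getuid() || (st.st_mode & 0077) != 0) {
        rmdir(path);
        return -1;
    }
    return 0;
}

/* Driver: create, verify the template was randomised, clean up. 0 on success. */
int tmpdir_safe_roundtrip(void) {
    char path[256];
    if (tmpdir_safe(path, sizeof path) != 0) return -1;
    int randomised = strstr(path, "XXXXXX") == NULL;   /* suffix replaced */
    int removed = rmdir(path) == 0;
    return (randomised && removed) ? 0 : -1;
}
```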

ncurses

Versions of the ncurses library earlier than 5.2 have a buffer overflow that can be used by an attacker to execute arbitrary code in set-user-ID and set-group-ID applications with the permissions the application is running under. This problem only affects applications that use the ncursesW library for cursor movement.

Users should upgrade their ncurses library to version 5.2 or newer as soon as possible.

Flawfinder and RATS

Two new tools have been announced that scan C and C++ source code for potential security problems. RATS was developed by Secure Software Solutions and Flawfinder was developed by David Wheeler. Both tools are released under the GPL (GNU General Public License), and Secure Software Solutions and David Wheeler have stated that they plan to coordinate future development.
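What a scanner like Flawfinder looks for, as an added example that is not from Flawfinder, RATS or any of the daemons above: a constructed SITE-command handler in the unbounded form the ftpd advisories describe, beside a bounded rewrite. The `SITE_ARG_MAX` limit and the function names are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define SITE_ARG_MAX 32   /* constructed limit for the illustration */

/* Unbounded form: the argument is copied into a fixed stack buffer with no
 * length check. strcpy() stops only at the NUL, so an argument of
 * SITE_ARG_MAX bytes or more runs past `arg` into whatever follows it on
 * the stack. This is the pattern Flawfinder flags on every strcpy() call.
 * Kept for comparison only; nothing below calls it. */
int site_unbounded(const char *line) {
    char arg[SITE_ARG_MAX];
    if (strncmp(line, "SITE ", 5) != 0) return -1;
    strcpy(arg, line + 5);          /* overflows when strlen(line + 5) >= 32 */
    return (int)strlen(arg);
}

/* Bounded form: measure first, refuse what does not fit, then copy exactly
 * that many bytes plus the NUL. Rejecting rather than truncating means an
 * over-long command is never silently rewritten into a different one.
 * Returns the argument length, -1 for a non-SITE line, -2 if rejected. */
int site_bounded(const char *line, char *out, size_t outlen) {
    if (strncmp(line, "SITE ", 5) != 0) return -1;
    const char *argp = line + 5;
    size_t n = strlen(argp);
    if (n == 0 || n >= outlen) return -2;
    memcpy(out, argp, n + 1);
    return (int)n;
}

/* Driver with its own buffer so the result can be checked by value. */
int site_bounded_len(const char *line) {
    char arg[SITE_ARG_MAX];
    return site_bounded(line, arg, sizeof arg);
}

int main(void) {
    printf("%d\n", site_bounded_len("SITE CHMOD 644 notes.txt"));      /* 19 */
    printf("%d\n", site_bounded_len("SITE "
           "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"));                /* -2 */
    return 0;
}
```

Flawfinder rates strcpy() among its highest-risk hits, while a bounded memcpy() still appears at a lower level, so its report is a worklist to review rather than a verdict.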

Solaris 8 fingerd

The Solaris 8 finger daemon will display the contents of any world-readable file that is linked to from a user's .plan file. Under some configurations this could be a problem, but under most configurations it is not.

On all but one system I have administered, I have turned off access to the finger daemon. On the one exception, all of the users can read any world-readable file and this bug would still not be a problem. If your system is running the finger daemon and it is not needed -- turn it off. Otherwise, watch Sun for a patch.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
