Vulnerabilities in FreeBSD04/29/2002
Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at buffer overflows in
OpenSSH, Squid, Listar/Ecartis,
slrnpull, and IRIX's
in Sudo, MHonArc, and Mosix; and a local root hole and denial-of-service
attack vulnerability in FreeBSD.
- FreeBSD Standard IO File Descriptors
- FreeBSD Syncache and Syncookies
- IRIX syslogd
Under some conditions OpenSSH is vulnerable to a buffer overflow that
can be used to execute arbitrary code as root. This buffer overflow
affects all versions of OpenSSH that have AFS or Kerberos token
passing compiled and configured. The buffer overflow is locally
exploitable in versions of OpenSSH earlier than 3.2.1; versions of
OpenSSH earlier than 2.9.9 are remotely vulnerable. It is reported
UsePrivilegeSeparation is configured, it is not possible to
exploit this buffer overflow to obtain root permissions.
It is recommended that users apply the patches to OpenSSH that have been made available or watch for updated packages from their vendor.
Sudo is a utility designed to allow the root user to delegate specific tasks that require root's (or some other account's) permissions to specified users. A heap corruption vulnerability has been discovered that may be usable by a local attacker to execute arbitrary code with root permissions.
Version 1.6.6, which repairs this vulnerability, of Sudo has been released. Updated Sudo packages have been announced for Mandrake Linux, Red Hat Linux, Conectiva Linux, Slackware, and Debian. Users should upgrade as soon as possible. If Sudo is not being used, users should consider removing its set user id bit or uninstalling the package.
The Squid Web proxy server has a buffer overflow in its code that deals with compressed DNS replies that will crash the server and may be exploitable by an attacker. This buffer overflow can be exploited using a DNS server under the control of an attacker to create a carefully constructed DNS reply. Vulnerable versions of Squid include Squid-2.3, Squid-2.4, Squid-2.5 before March 12 2002, and Squid-2.6/Squid-HEAD before March 12 2002.
It is recommended that users upgrade to Squid-2.4.STABLE6 or the Squid-2.5 or Squid-2.6/Squid-HEAD nightly snapshots. It is possible to compile Squid so that it uses external DNS server support, but this is not recommended. Updated Squid packages have been announced for Mandrake Linux and OpenLinux.
MHonArc, an application written using Perl that converts email into HTML pages, does not filter all versions of script tags. This can be exploited by an attacker to insert malicious scripts into the HTML email archive that will be executed when the message is viewed in a Web browser.
Users should watch for an updated version of MHonArc and recreate their archives after it is installed.
A buffer overflow vulnerability has been found in the Listar/Ecartis mailing list manager that can be exploited to execute code with the permissions of the user running Listar/Ecartis. A script has been released that automates the exploitation of the buffer overflow.
It is recommended that users upgrade to
soon as possible. Because all the known bugs have not been fixed, it
is also suggested that users watch for and install additional bug
fixes as they become available.
Mosix is a cluster computing system for Linux. It is vulnerable to a denial-of-service attack using malformed packets. In addition, the ClumpOS-Mosix client CD configures VNC with no password set, allowing other machines to gain root access to the ClumpOS-Mosix client machine.
Users should watch for a update to Mosix and the ClumpOS-Mosix client.
keyinit utility, and possibly other set user id utilities,
has a vulnerability that can be used by an attacker to gain additional
permissions. This vulnerability is exploited by closing the standard
in, out, or error file descriptors prior to executing the set user or
group id utility. Steven Bellovin has pointed out that this type
of bug was known as far back as 1987 when it was listed in Henry
suid man page.
Users should upgrade their system to FreeBSD 4.5-STABLE or RELENG_4_5
(4.5-RELEASE-p4) or RELENG_4_4 (4.4-RELEASE-p11), dated after the
correction date. Users should consider removing the set user id bit
keyinit until their system has been upgraded.
A bug in the implementation of
syncookies under FreeBSD
can, under some conditions, cause a system crash. The
syncookies code was added to the TCP/IP stack to increase protection
from SYN flood denial-of-service attacks. The
code was added in the FreeBSD 4.5-RELEASE, and this is the only version
affected. In addition to a deliberate attack, it is possible that normal
TCP/IP traffic can cause a crash.
Users should upgrade their system to 4.5-STABLE or the RELENG_4_5
branch dated after the repair. A partial workaround is to disable
syncookies with the command
sysctl -w net.inet.tcp.syncookies=0.
slrnpull is a tool that will get a small news feed from a NNTP news
server. It is vulnerable to a buffer overflow in the code that
-d command line parameter. As
slrnpull is installed
set user or group id, this buffer overflow can be exploited by a local
attacker to gain additional privileges. A script has been released
that automates the exploitation of this buffer overflow.
It is recommended that users remove the set user id bit from
until it has been repaired.
Snort version 1.8.7beta1 has been released. This new version of Snort
corrects issues relating to the
fragroute tool. Snort users affected by previous problems should
upgrade to this new version.
The version of
syslogd supplied with IRIX 6.5 is vulnerable to a buffer overflow
that can be used by a remote attacker in a denial-of-service attack.
The attacker can use this denial-of-service attack to hide information
relating to other attacks on the system.
SGI recommends that users upgrade to IRIX 6.5.10.
Read more Security Alerts columns.
Return to the Linux DevCenter.