LinuxDevCenter.com
oreilly.comSafari Books Online.Conferences.

advertisement


Security Alerts Linux Kernel Problems

by Noel Davis
12/15/2003

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the Linux kernel, rsync, cdwrite, 4inarow, CVS, Ebola, net-snmp, lftp, and irssi.

Linux

A dangerous bug in the brk() system call in the Linux kernel can be used by an attacker to gain root permissions. The bug allows a user to request more memory than the maximum amount allowed and gain access to kernel memory in user space. Exploit programs that automate the exploitation of the bug in the kernel have been released to the public. The bug is reported to affect the Linux 2.4.22 kernel and all earlier kernels.

The bug in the brk() system call was fixed in 2.4.23 and 2.6.0-test6. Users should upgrade to a repaired version of the kernel or should watch for packages from their vendors. Packages have been released by SuSE, Red Hat, Debian, Mandrake, Trustix, Astaro, Slackware, SGI, TurboLinux, Yellow Dog Linux, Conectiva, and Gentoo.

rsync

rsync, a faster and more flexible replacement for rcp that provides incremental file transfers, contains a buffer overflow that can be exploited by a remote attacker, under some conditions, to execute arbitrary code on the server with the permissions of the user running rsync. This buffer overflow can be exploited when rsync is being used in daemon mode as an rsync server. rsync versions 2.5.6 and earlier are reported to be vulnerable to this buffer overflow.

The developers of rsync strongly recommend that all users of rsync upgrade to version 2.5.7 as soon as possible and suggest that users configure rsync to use a change rooted environment by setting use chroot = yes in the file etc/rsyncd.conf. Updated packages have been released for Trustix Secure Linux 1.2, 1.5, and 2.0; Debian GNU/Linux; EnGarde Secure Linux; Slackware Linux 8.1, 9.0, 9.1, and -current; and Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9.

Related Reading

Linux Security Cookbook
By Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes


cdwrite

cdwrite is a command-line, script front end to burning CDROMs with mkisofs, cdrecord, cdparanoia, cdda2wav, cdrdao, and lame. cdwrite is vulnerable to a temporary-file, symbolic-link-based attack that can be used to overwrite files on the system with the permissions of the user running cdwrite (often the root user).

Users of multi-user systems should avoid using cdwrite until it has been repaired.

CVS

CVS (Concurrent Versions System), a source-code version management package, has a bug that under some circumstances could cause CVS to attempt to create directories or files in the root of the filesystem on which its repository is located. Under most conditions, this bug is not thought to be exploitable.

Concerned users should upgrade to CVS version 1.11.10, which fixes the directory creation problem and other bugs.

Ebola

The anti-virus daemon interface Ebola provides a performance-enhancing connection between anti-virus engines, such as Sophos, and scanning scripts, such as Inflex or AMaViS. Ebola has been reported to be vulnerable to a remote attack that leads to arbitrary code being executed as root. This vulnerability is reported to affect Ebola version 0.1.4. A application to automate the exploitation of this vulnerability has been released to the public.

The author of Ebola recommends that users upgrade to version 0.1.5 of Ebola as soon as possible to repair this problem, as well as additional potential problems due to the use of sprintf() function calls in version 0.1.4. If it is not possible to upgrade immediately, users should consider disabling Ebola. Users should also consider protecting Ebola from unauthorized external connections using a tool such as a firewall. The author reports that he is no longer actively maintaining the Ebola source code.

net-snmp

The net-snmp packages earlier than version 5.0.9 have vulnerabilities that can be exploited by an attacker who is authorized to connect to a device to read MIB objects that were specifically excluded from their views. The net-snmp package provides tools and libraries for using SNMP (Simple Network Management Protocol) to monitor and configure SNMP-aware devices.

Users should upgrade to version 5.0.9 of net-snmp.

Also in Security Alerts:

PHP Problems

Ethereal Trouble

KWord Trouble

XFree86 Trouble

MySQL Trouble

lftp

lftp is a file transfer utility that uses FTP and HTTP to transfer files. It has job-control functions similar to bash, bookmarks, and a built-in mirroring facility, and can transfer files in parallel. lftp is reported to have unspecified bugs in the HTML-parsing code that can result in a security vulnerability when a user connects to an untrusted web server.

It is recommended that users upgrade to version 2.6.10 of lftp. Debian has released an upgraded package.

irssi

irssi, a text-based IRC client for Unix systems, is vulnerable, under some conditions, to a remotely exploitable denial-of-service attack. This vulnerability only affects irssi when it is running on non-x86 architectures and the gui print text signal is being used by a script or plug-in. The vulnerability can also be used to remotely change a message's "level," causing the message to be displayed differently.

Users should upgrade to irssi 0.8.9 or remove any script or plug-in that uses the gui print text signal.

4inarow

The 4inarow game is a networked four-in-a-row (Connect 4) clone for two players. It is vulnerable to an attack that can be exploited by a local attacker to execute arbitrary code with the permissions under which the game is running. On many systems, games are installed set group id games, and in some cases this can be leveraged into additional permissions.

It is recommended that any set user or group ids be removed from 4inarow and that users watch for a repaired version.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Read more Security Alerts columns.

Return to the Linux DevCenter.




Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!


Linux Resources
  • Linux Online
  • The Linux FAQ
  • linux.java.net
  • Linux Kernel Archives
  • Kernel Traffic
  • DistroWatch.com


  • Sponsored by: