[News:]GN SecNews Vol #7
Vijay Kumar
Apr 01, 2003 16:55 PST
GN SecNews Vol #7
-----------------
News Article Type: Weekly
Author: vijay (vijay-@users.sourceforge.net)
Date: Tue Apr 1 18:09:16 IST 2003
Please send in your comments and suggestions for improvement.
Disclaimer: This is a compilation of Security News Articles/Advisories from various GNU/Linux Providers, Developers and Users. The Author(s) of this article makes no warranties of any kind whatsoever with respect to the information contained from the sources. The information given here is as is from the source with the PGP signature if available.
===============================================================================
Contents
========
1.) SecurityFocus Linux Newsletter #125
2.) SNMP security issues in D-Link DSL Broadband Modem/Router
3.) [RHSA-2003:051-01] Updated kerberos packages fix various vulnerabilities
4.) NetBSD Security Advisory 2003-007: (Another) Encryption weakness in OpenSSL code
5.) NetBSD Security Advisory 2003-005: RSA timing attack in OpenSSL code
===============================================================================
1.) SecurityFocus Linux Newsletter #125
===============================================================================
SecurityFocus Linux Newsletter #125
-----------------------------------
This Issue is Sponsored by: CipherTrust
Is your network really protected? Not if your Mail Server isn't!
Email systems provide the easiest route for malicious attacks, to expose
sensitive information, to suck up bandwidth and to provide access to other
systems. Learn "How to Secure Email Systems" by requesting this white
paper now.
http://www.ciphertrust.com/article/securityfocus_0331_02.htm
-------------------------------------------------------------------------------
I. FRONT AND CENTER
1. Incident Response Tools For Unix, Part One: System Tools
2. Virus Hoaxes and the Real Dangers They Pose
3. Too Cool For Secure Code
4. Uncle Roger's Folly
5. SecurityFocus DPP Program
II. LINUX VULNERABILITY SUMMARY
1. eDonkey Clients Multiple Chat Dialog Resource Consumption...
2. Advanced Poll Remote Information Disclosure Vulnerability
3. PHPNuke News Module Article.PHP SQL Injection Vulnerability
4. PHPNuke News Module Index.PHP SQL Injection Vulnerability
5. PHP socket_recvfrom() Signed Integer Memory Corruption...
6. PHPNuke Viewpage.PHP File Disclosure Vulnerability
7. Monkey HTTP Daemon Excessive POST Data Denial Of Service...
8. Joel Palmius Mod_Survey Data Injection Vulnerability
9. PHPNuke Forum Module Viewtopic.php SQL Injection Vulnerability
10. PHPNuke Forum Module Viewforum.PHP SQL Injection Vulnerability
11. PHPNuke Banners.PHP Banner Manager Password Disclosure...
12. Monkey HTTP Daemon Missing Content-Type Field DOS
13. PHP socket_iovec_alloc() Integer Overflow Vulnerability
14. PHP socket_recv() Signed Integer Memory Corruption Vulnerability
15. PHP emalloc() Unspecified Integer Overflow Memory Corruption...
16. OSCommerce Error_Message Cross-Site Scripting Vulnerability
17. OSCommerce Info_Message Cross-Site Scripting Vulnerability
18. OSCommerce Checkout_Payment.PHP Error Output Cross-Site...
19. OSCommerce Account_History_Info.PHP HTML code injection...
20. OSCommerce Checkout_Confirmation.PHP Comment HTML Injection...
21. Check Point VPN-1/Firewall-1 Remote Syslog Data Resource...
III. LINUX FOCUS LIST SUMMARY
1. SecurityFocus Article Announcement (Thread)
2. Live Upgrade for Linux (Thread)
3. Seeing who has su-ed (Thread)
4. latest ptrace hole patch? (Thread)
5. How to custom sulog? (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. Covalent Fast Start Server
2. NetVigil
3. PowerBroker
V. NEW TOOLS FOR LINUX PLATFORMS
1. Alarm Pinger (apinger) v0.6.1
2. Log Watcher v0.2
3. network traffic volume capture to postgresql v1.1
VI. SPONSORSHIP INFORMATION
I. FRONT AND CENTER
-------------------
1. Incident Response Tools For Unix, Part One: System Tools
By Holt Sorenson
This article is the first in a three-part series on tools that are useful
during incident response and investigation after a compromise has occurred
on an OpenBSD, Linux, or Solaris system. This installment will focus on
system tools, the second part will discuss file-system tools, and the
concluding article will look at network tools.
http://www.securityfocus.com/infocus/1679
2. Virus Hoaxes and the Real Dangers They Pose
by Scott Granneman
Jerry Bryan immediately knew there was something wrong at his church. He
knew it the second he opened up the email from the pastor. As a highly
respected member of his church and a known technophile, Jerry was often
consulted by the pastor concerning technical matters. In this case,
however, the pastor was passing along a serious warning.
http://www.securityfocus.com/infocus/1678
3. Too Cool For Secure Code
By Jon Lasser
Until Unix and Linux programmers get over their macho love for low-level
programming languages, the security holes will continue to flow freely.
http://www.securityfocus.com/columnists/150
4. Uncle Roger's Folly
By George Smith
The Ganda virus shows why the Internet isn't the best source for reliable
war news, and malicious code isn't a good medium for anything.
http://www.securityfocus.com/columnists/151
5. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
II. BUGTRAQ SUMMARY
-------------------
1. eDonkey Clients Multiple Chat Dialog Resource Consumption Vulnerability
BugTraq ID: 7164
Remote: Yes
Date Published: Mar 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7164
Summary:
eDonkey 2000 is a peer to peer file sharing network. It is similar to
KaZaa and Morpheus. Clients of eDonkey 2000 are built for Windows, Mac and
Linux operating systems.
A vulnerability has been reported for eDonkey clients for Windows that
will result in a denial of service condition.
The vulnerability occurs when numerous chat dialog boxes are opened by the
eDonkey or Overnet clients. Every open chat dialog box will consume a
small amount of memory and CPU cycles.
An attacker can exploit this vulnerability by connecting to a vulnerable
eDonkey user and issuing numerous chat requests. This will cause the
victim user's system to consume all available memory and CPU cycles thus
resulting in a denial of service condition.
This vulnerability was reported for eDonkey and Overnet clients prior to
0.46.
2. Advanced Poll Remote Information Disclosure Vulnerability
BugTraq ID: 7171
Remote: Yes
Date Published: Mar 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7171
Summary:
Advanced Poll is a freely available, open source PHP script. It is
available for the UNIX, Linux, and Microsoft Operating Systems.
A problem with the program could reveal sensitive information.
It has been reported that an information disclosure vulnerability exists
in Advanced Poll. Because of this, a remote user could potentially access
privileged information that could lead to further attacks against the host
and its users.
The problem is in the default installation. By installing the program
according to specifications, it is possible for a remote user to traverse
the installation directory, and potentially gain access to sensitive
information about the Advanced Poll implementation.
3. PHPNuke News Module Article.PHP SQL Injection Vulnerability
BugTraq ID: 7172
Remote: Yes
Date Published: Mar 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7172
Summary:
PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.
A problem with the software could allow a remote user to change user
credentials.
It has been reported that an input validation error exists in the
article.php file included with PHPNuke as part of the News module. Because
of this, an attacker could send a malicious string through PHPNuke that
would allow the attacker to manipulate the database, and gain unauthorized
access to user accounts.
This problem requires that the configuration variable magic_quotes_gpc be
turned off. Once this has been done, an attacker can inject limited SQL
statements into the database through the article.php file. Doing so
permits the attacker to submit information into the nuke_users table which
could be used to gain unauthorized access to the PHPNuke board.
An attacker could use this attack to modify a user's password or user
level.
4. PHPNuke News Module Index.PHP SQL Injection Vulnerability
BugTraq ID: 7173
Remote: Yes
Date Published: Mar 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7173
Summary:
PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.
A problem with the software could allow a remote user to change article
information.
It has been reported that an input validation error exists in the
index.php file included with PHPNuke as part of the News module. Because
of this, an attacker could send a malicious string through PHPNuke that
would allow the attacker to manipulate the database and alter information
on articles posted on the site.
This problem requires that the configuration variable magic_quotes_gpc be
turned off, although it may also be present with limited impact when the
variable is turned on. Once this has been done, an attacker can inject
limited SQL statements into the database through the index.php file. Doing
so permits the attacker to submit information into the nuke_stories table,
which could be used to alter the title, intro, article, and author
information.
5. PHP socket_recvfrom() Signed Integer Memory Corruption Vulnerability
BugTraq ID: 7198
Remote: No
Date Published: Mar 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7198
Summary:
PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.
A vulnerability has been reported in PHP version 4.3.1 and earlier. The
problem occurs in the socket_recvfrom() function and may allow an attacker
to corrupt memory.
The affected function fails to carry out sanity checks on values passed as
the 'len' argument. As a result, an attacker capable of passing a negative
integer as this argument can cause an integer used in a later calculation to
overflow.
If this integer overflows and is later used for memory allocation or data
writing, the procedure could occur at an unanticipated location. This
could be exploited to corrupt sensitive locations in process memory.
This may make it possible for an attacker to trigger a denial of service.
Although it has not been confirmed, it may also be possible to exploit
this issue to execute arbitrary code.
It should be noted that socket functionality is only included in PHP if
compiled with the "--enable-sockets" option.
6. PHPNuke Viewpage.PHP File Disclosure Vulnerability
BugTraq ID: 7191
Remote: Yes
Date Published: Mar 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7191
Summary:
PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.
PHPNuke has been reported prone to a file disclosure vulnerability.
It has been reported that PHPNuke may disclose arbitrary web server
readable files if the requested file is supplied as the 'file' URI
parameter to the 'viewpage.php' script.
This may allow an attacker to obtain sensitive system information which
may aid in launching future attacks.
It should be noted that this issue reportedly affects PHPNuke version 6.5
when running a specific configuration, however other versions may also be
affected.
7. Monkey HTTP Daemon Excessive POST Data Denial Of Service Vulnerability
BugTraq ID: 7202
Remote: Yes
Date Published: Mar 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7202
Summary:
Monkey is an open source web server written in C, based on the HTTP/1.1
protocol. It is available for Linux platforms.
Monkey HTTP Daemon is prone to denial of service attacks. This condition
occurs when the server attempts to handle excessive HTTP POST data. This
issue occurs because the server does not gracefully handle cases where
POST data exceeds the length of MAX_REQUEST_BODY, resulting in a server
crash.
The server will need to be restarted to regain normal functionality.
8. Joel Palmius Mod_Survey Data Injection Vulnerability
BugTraq ID: 7192
Remote: Yes
Date Published: Mar 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7192
Summary:
Mod_Survey is a mod_perl module for Apache which allows web users to
create online questionnaires. It is maintained by Joel Palmius and will
run on Linux and Unix variants as well as Microsoft Windows.
Mod_Survey does not sufficiently sanitize data supplied via ENV tags.
ENV tags are a feature included with Mod_Survey to import values supplied
from environment variables into the data repository.
It has been reported by the vendor that this may allow for injection of
malicious data, including delimiter characters, into the data repository.
Exploitation may allow for manipulation of environment variables or the
possibility of executing database commands through injection of SQL
syntax. Other attacks may also be possible.
This is only an issue with surveys that use ENV tags. This issue occurs
with ENV tags which import data from environment variables that may be
potentially specified or influenced by a remote user (such as
'HTTP_USER_AGENT').
The consequences of exploitation could depend on the underlying database
implementation and configuration or other factors.
9. PHPNuke Forum Module Viewtopic.php SQL Injection Vulnerability
BugTraq ID: 7193
Remote: Yes
Date Published: Mar 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7193
Summary:
PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.
A problem with PHPNuke could allow a remote user to change article
information.
It has been reported that an input validation error exists in the
'viewtopic.php' file included with PHPNuke as part of the Forum module.
Because of this, an attacker could send a malicious string through PHPNuke
that would allow the attacker to inject SQL commands and queries into the
SQL database used by PHPNuke.
Successful exploitation may allow for modification of the structure of SQL
queries, resulting in information disclosure, or database corruption. The
consequences depend on the nature of specific queries. This issue may
allow the attacker to exploit latent vulnerabilities in the underlying
database.
10. PHPNuke Forum Module Viewforum.PHP SQL Injection Vulnerability
BugTraq ID: 7194
Remote: Yes
Date Published: Mar 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7194
Summary:
PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.
A problem with PHPNuke could allow a remote user to change article
information.
It has been reported that an input validation error exists in the
'viewforum.php' file included with PHPNuke as part of the Forum module.
Because of this, an attacker could send a malicious string through PHPNuke
that would allow the attacker to inject SQL commands and queries into the
SQL database used by PHPNuke.
Successful exploitation may allow for modification of the structure of SQL
queries, resulting in information disclosure, or database corruption. The
consequences depend on the nature of specific queries. This issue may
allow the attacker to exploit latent vulnerabilities in the underlying
database.
11. PHPNuke Banners.PHP Banner Manager Password Disclosure Vulnerability
BugTraq ID: 7170
Remote: Yes
Date Published: Mar 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7170
Summary:
PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.
A problem with the software could allow a remote user to gain access to
sensitive information.
It has been reported that an input validation error exists in the
banners.php file included with PHPNuke. Because of this, an attacker
could send a malicious string through PHPNuke that would allow the
attacker to manipulate the database, and potentially access sensitive
information, then download it via the web.
This problem requires that the configuration variable magic_quotes_gpc be
turned off. Once this has been done, an attacker can inject limited SQL
statements into the database through the banners.php file. Doing so
permits the attacker to gain access to credentials for the banner manager.
12. Monkey HTTP Daemon Missing Content-Type Field Denial Of Service Vulnerability
BugTraq ID: 7201
Remote: Yes
Date Published: Mar 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7201
Summary:
Monkey is an open source Web server written in C, based on the HTTP/1.1
protocol. It is available for Linux platforms.
Monkey HTTP Daemon is prone to a denial of service attack. HTTP POST
requests which do not include a 'Content-Type' header field will trigger
this condition. This issue is due to a programming mistake in an error
handling statement which checks whether the 'Content-Type' header field has
been specified by the client.
The server will need to be restarted to regain normal functionality.
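As an added example (not Monkey's own source, and not code from this newsletter), the following C shows the two checks a POST handler needs to survive the conditions described in items 7 and 12: rejecting a request whose 'Content-Type' header is absent instead of dereferencing a missing value, and refusing a body larger than MAX_REQUEST_BODY before any of it is buffered. The MAX_REQUEST_BODY value, the helper names and the sample requests are assumptions constructed for this example.

```c
/* Added example: validating a POST request before its body is read.
 * Not Monkey's code; MAX_REQUEST_BODY here is an assumed value. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <errno.h>

#define MAX_REQUEST_BODY 8192   /* assumed limit for this example */

/* Locate a header (case-insensitive name) in a CRLF-delimited header block.
 * Returns a pointer to the start of the value and its length, or NULL when
 * the header is absent, so callers can test for absence explicitly. */
static const char *find_header(const char *req, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *p = strstr(req, "\r\n");          /* skip the request line */
    while (p) {
        p += 2;
        if (*p == '\r' || *p == '\0')             /* blank line: end of headers */
            break;
        if (strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ' || *v == '\t')
                v++;
            const char *e = strstr(v, "\r\n");
            *vlen = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
        p = strstr(p, "\r\n");
    }
    return NULL;
}

/* Decide whether a request's body may be read at all.  Returns the HTTP
 * status to answer with: 200 (proceed), 400 (malformed: no Content-Type or
 * an unparsable Content-Length), 411 (no Content-Length) or 413 (body larger
 * than MAX_REQUEST_BODY).  Everything is decided from the headers, so an
 * oversized body never reaches a fixed-size request buffer. */
int validate_post(const char *req)
{
    size_t vlen;
    if (strncmp(req, "POST ", 5) != 0)
        return 200;                               /* no body expected */
    if (find_header(req, "Content-Type", &vlen) == NULL)
        return 400;                               /* item 12: header missing */
    const char *cl = find_header(req, "Content-Length", &vlen);
    if (cl == NULL)
        return 411;
    if (vlen == 0 || *cl == '-')                  /* strtoull would accept '-' */
        return 400;
    errno = 0;
    char *end;
    unsigned long long n = strtoull(cl, &end, 10);
    if (errno != 0 || end == cl || (*end != '\r' && *end != '\0'))
        return 400;
    if (n > MAX_REQUEST_BODY)
        return 413;                               /* item 7: too much data */
    return 200;
}

int main(void)
{
    /* Constructed sample requests, one per failure mode. */
    const char *no_type  = "POST /cgi HTTP/1.1\r\nHost: example\r\n"
                           "Content-Length: 5\r\n\r\nhello";
    const char *too_big  = "POST /cgi HTTP/1.1\r\nContent-Type: text/plain\r\n"
                           "Content-Length: 99999999\r\n\r\n";
    const char *ok       = "POST /cgi HTTP/1.1\r\nContent-Type: text/plain\r\n"
                           "Content-Length: 5\r\n\r\nhello";
    printf("missing Content-Type -> %d\n", validate_post(no_type));
    printf("oversized body       -> %d\n", validate_post(too_big));
    printf("well-formed POST     -> %d\n", validate_post(ok));
    return 0;
}
```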
13. PHP socket_iovec_alloc() Integer Overflow Vulnerability
BugTraq ID: 7187
Remote: No
Date Published: Mar 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7187
Summary:
PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.
A vulnerability has been reported in PHP version 4.3.1 and earlier. The
problem occurs in the socket_iovec_alloc() function and may allow an
attacker to corrupt memory.
The affected function fails to carry out sanity checks on values passed as
the 'sockets' argument. As a result, an attacker capable of passing a
large integer as this argument can cause an integer used in a later
calculation to overflow.
If this integer overflows and is later used for memory allocation or data
writing, the procedure could occur at an unanticipated location. This
could be exploited to corrupt sensitive locations in process memory.
This may make it possible for an attacker to trigger a denial of service.
Although it has not been confirmed, it may also be possible to exploit
this issue to execute arbitrary code.
It should be noted that socket functionality is only included in PHP if
compiled with the "--enable-sockets" option.
14. PHP socket_recv() Signed Integer Memory Corruption Vulnerability
BugTraq ID: 7197
Remote: No
Date Published: Mar 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7197
Summary:
PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.
A vulnerability has been reported in PHP version 4.3.1 and earlier. The
problem occurs in the socket_recv() function and may allow an attacker to
corrupt memory.
The affected function fails to carry out sanity checks on values passed as
the 'len' argument. As a result, an attacker capable of passing a negative
integer as this argument can cause an integer used in a later calculation to
overflow.
If this integer overflows and is later used for memory allocation or data
writing, the procedure could occur at an unanticipated location. This
could be exploited to corrupt sensitive locations in process memory.
This may make it possible for an attacker to trigger a denial of service.
Although it has not been confirmed, it may also be possible to exploit
this issue to execute arbitrary code.
It should be noted that socket functionality is only included in PHP if
compiled with the "--enable-sockets" option.
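As an added illustration (not PHP's own source, and not code from this newsletter), the C below shows the bug class behind items 5, 13 and 14 in both its vulnerable and hardened forms: a signed 'len' that converts to a huge unsigned size and wraps when a terminator byte is added, and an element count whose multiplication by the element size wraps to a tiny allocation. The function names, the MAX_RECV_LEN ceiling and the struct vec stand-in for an iovec element are assumptions.

```c
/* Added example of signed-length and count*size overflow checks.
 * Not PHP's code; names and limits here are assumed for illustration. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_RECV_LEN (1024L * 1024L)   /* assumed per-call ceiling, not PHP's */

/* Stand-in for the element type whose count is script-controlled. */
struct vec { void *base; size_t len; };

/* Vulnerable pattern (items 5 and 14): 'len' arrives as a signed value and
 * goes straight into size arithmetic.  -1 converts to SIZE_MAX, so the
 * "+1 for a terminator" wraps to 0; the buffer allocated from that size
 * cannot hold what recv() later writes into it. */
size_t unsafe_recv_size(long len)
{
    return (size_t)len + 1;            /* unsigned wrap, no sanity check */
}

/* Hardened form: refuse negative and oversized arguments before any
 * arithmetic.  Returns the byte count to allocate, or 0 when rejected
 * (a valid result is always at least 1). */
size_t safe_recv_size(long len)
{
    if (len < 0 || len > MAX_RECV_LEN)
        return 0;                      /* caller reports an error, no alloc */
    return (size_t)len + 1;            /* bounded, cannot wrap */
}

/* Vulnerable pattern (item 13): element count times element size with no
 * overflow check; a large count wraps to a small allocation that later
 * element writes overrun. */
size_t unsafe_iovec_bytes(long count)
{
    return (size_t)count * sizeof(struct vec);
}

/* Hardened form: the standard multiplication-overflow guard.  Returns the
 * byte count, or 0 when the count is non-positive or would overflow. */
size_t safe_iovec_bytes(long count)
{
    if (count <= 0 || (size_t)count > SIZE_MAX / sizeof(struct vec))
        return 0;
    return (size_t)count * sizeof(struct vec);
}

/* Smallest count whose byte size wraps to exactly 0 on this platform. */
long wrapping_count(void)
{
    return (long)(SIZE_MAX / sizeof(struct vec)) + 1;
}

int main(void)
{
    long wc = wrapping_count();
    printf("unsafe_recv_size(-1)     = %zu\n", unsafe_recv_size(-1));
    printf("safe_recv_size(-1)       = %zu (0 = rejected)\n", safe_recv_size(-1));
    printf("unsafe_iovec_bytes(%ld) = %zu\n", wc, unsafe_iovec_bytes(wc));
    printf("safe_iovec_bytes(%ld)   = %zu (0 = rejected)\n", wc, safe_iovec_bytes(wc));
    return 0;
}
```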
15. PHP emalloc() Unspecified Integer Overflow Memory Corruption Vulnerability
BugTraq ID: 7199
Remote: No
Date Published: Mar 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7199
Summary:
PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.
A vulnerability has been reported in PHP version 4.3.1 and earlier. The
problem occurs in the emalloc() function and may allow an attacker to
corrupt memory.
The affected function reportedly fails to ensure that proper boundary
checks are performed on values supplied by a malicious user. This may
result in an integer overflow when emalloc() attempts to allocate memory.
This may make it possible for an attacker to trigger a condition which
could cause the PHP interpreter to crash.
Further details of this vulnerability are currently unknown. This BID will
be updated as more information becomes available.
16. OSCommerce Error_Message Cross-Site Scripting Vulnerability
BugTraq ID: 7151
Remote: Yes
Date Published: Mar 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7151
Summary:
osCommerce is open-source e-commerce software written in PHP. osCommerce
will run on most Unix and Linux variants as well as Microsoft Windows
operating systems.
It has been reported that osCommerce does not sufficiently filter HTML
code from URI parameters supplied to multiple osCommerce scripts that
include 'header.php'.
As a result of this deficiency, it is possible for a remote attacker to
create a malicious link containing script code that will be executed in
the browser of a legitimate user. Specifically the attacker can pass
malicious HTML code as the 'error_message' URI parameter for multiple
osCommerce pages. All code will be executed within the context of the
website running osCommerce.
This may allow for theft of cookie-based authentication credentials and
other attacks.
This vulnerability was reported to affect osCommerce version 2.2ms1; prior
versions are reportedly affected.
17. OSCommerce Info_Message Cross-Site Scripting Vulnerability
BugTraq ID: 7153
Remote: Yes
Date Published: Mar 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7153
Summary:
osCommerce is open-source e-commerce software written in PHP. osCommerce
will run on most Unix and Linux variants as well as Microsoft Windows
operating systems.
It has been reported that osCommerce does not sufficiently filter HTML
code from URI parameters supplied to multiple osCommerce scripts.
As a result of this deficiency, it is possible for a remote attacker to
create a malicious link containing script code that will be executed in
the browser of a legitimate user. Specifically the attacker can pass
malicious HTML code as the 'info_message' URI parameter for multiple
osCommerce pages. All code will be executed within the context of the
website running osCommerce.
This may allow for theft of cookie-based authentication credentials and
other attacks.
This vulnerability was reported to affect osCommerce version 2.2ms1; prior
versions are reportedly affected.
18. OSCommerce Checkout_Payment.PHP Error Output Cross-Site Scripting Vulnerability
BugTraq ID: 7155
Remote: Yes
Date Published: Mar 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7155
Summary:
osCommerce is open-source e-commerce software written in PHP. osCommerce
will run on most Unix and Linux variants as well as Microsoft Windows
operating systems.
Error output is not sufficiently sanitized of HTML and script code by
osCommerce. This issue is present in the 'checkout_payment.php' script.
This may allow for cross-site scripting attacks as remote users could
create a malicious link to a site hosting osCommerce which contains
hostile HTML and script code. When such a link is visited,
attacker-supplied code could be interpreted in the web client of the user.
This will occur in the context of the site hosting the software.
To successfully exploit this issue, the attacker must include a valid
payment module in the malicious link. This information may be ascertained
through other means, such as submitting an order with a bad credit card
number.
Exploitation may allow theft of cookie-based authentications or other
attacks.
19. OSCommerce Account_History_Info.PHP HTML code injection Vulnerability
BugTraq ID: 7156
Remote: Yes
Date Published: Mar 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7156
Summary:
osCommerce is open-source e-commerce software written in PHP. osCommerce
will run on most Unix and Linux variants as well as Microsoft Windows
operating systems.
It has been reported that osCommerce is prone to HTML injection attacks.
This problem occurs due to osCommerce insufficiently sanitizing
user-supplied input.
Specifically, embedded HTML and script code is not filtered from the
'comment' field of the 'account_history_info.php' osCommerce script.
As a result, attackers may embed malicious script code or HTML into
orders. When another user views a malicious order, the attacker-supplied
code will be interpreted in their web browser in the security context of
the site hosting the software.
It may be possible to steal the unsuspecting user's cookie-based
authentication credentials, as well as other sensitive information. Other
attacks are also possible.
This vulnerability was reported to affect osCommerce version 2.2ms1; prior
versions are reportedly affected.
20. OSCommerce Checkout_Confirmation.PHP Comment HTML Injection Vulnerability
BugTraq ID: 7158
Remote: Yes
Date Published: Mar 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7158
Summary:
osCommerce is open-source e-commerce software written in PHP. osCommerce
will run on most Unix and Linux variants as well as Microsoft Windows
operating systems.
Comment data is not sufficiently sanitized of HTML and script code. The
issue occurs in the 'checkout_confirmation.php' script. This may allow
remote attackers to inject hostile HTML and script code into the
e-commerce system, which could potentially be rendered by other users of
the software. This would occur in the context of the site hosting the
vulnerable software.
Successful exploitation may allow for theft of cookie-based authentication
credentials or other attacks.
21. Check Point VPN-1/Firewall-1 Remote Syslog Data Resource Consumption Vulnerability
BugTraq ID: 7159
Remote: Yes
Date Published: Mar 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7159
Summary:
Firewall-1 and VPN-1 are network security software packages distributed by
Check Point Software Technologies. It is available for Unix, Linux, and
Microsoft Operating Systems.
A problem in the software may make it possible for a remote user to launch
a resource consumption attack.
It has been reported that some versions of Firewall-1 and VPN-1 may
experience performance problems when allowing remote syslog traffic. An
attacker could exploit this issue to deny service to legitimate users of
the network serviced by the software.
Firewall-1 and VPN-1 do not permit remote syslog traffic by default. The
software must be configured to allow a specific remote host to send syslog
traffic to the server. Once this has been done, the host may abuse this
access by sending excessive amounts of syslog data to the syslog host.
This is done to consume the CPU resources of the system hosting the
software, creating a resource exhaustion attack, and potential denial of
service.
III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Article Announcement (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/316564
2. Live Upgrade for Linux (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/316563
3. Seeing who has su-ed (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/316220
4. latest ptrace hole patch? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/316217
5. How to custom sulog? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/315843
IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Covalent Fast Start Server
by Covalent Technologies
Platforms: AIX, BSDI, DG-UX, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD,
Solaris, UNIX, Unixware
Relevant URL:
http://www.covalent.net/products/faststart/
Summary:
Covalent Fast Start Server automatically produces an Apache configuration
suitable for many enterprise applications. Because of Apache's
standards-based interoperability, Fast Start Server is able to serve as
the presentation layer for all major application servers, databases and
Web-based applications, reducing the complexity of Web infrastructures. It
includes a streamlined installer for rapid deployment.
2. NetVigil
by Fidelia
Platforms: Linux, Solaris, Windows NT
Relevant URL:
http://www.fidelia.com/products/index.phtml
Summary:
Fidelia NetVigil is a real-time integrated fault and performance
management tool that provides end-to-end business visibility of your
company's IT infrastructure. Fidelia NetVigil's unique architecture will
scale with your organization and allow you to view and correlate data
across your servers, applications and network devices. Fidelia NetVigil's
instant configuration capabilities and multi-level views combine to
expedite isolation and repair of IT problems, minimize downtime and reduce
the cost of labor and implementation. This translates into savings for
your bottom line.
3. PowerBroker
by Symark Software
Platforms: DG-UX, HP-UX, Linux, SunOS, UNIX
Relevant URL:
http://www.symark.com/powerbroker.htm
Summary:
Symark PowerBroker® provides UNIX security and accountability by enabling
system administrators to delegate administrative privileges and
authorization without disclosing the root password and to grant selective
access to UNIX-based corporate resources. Administrative tasks such as
system programs mounting, performing backups, adding new users can be
delegated to individuals or groups at a granular level, thus reducing the
risk of accidental damage and the threat of malicious activities. Symark
PowerBroker also grants user access to files, directories and third-party
applications and accounts (such as HR, financial or database programs),
including generic accounts. Symark PowerBroker protects the superuser or
root account (the most targeted user account), from hackers who could
remove critical system files, gain access to confidential data and delete
audit trails.
V. NEW TOOLS FOR LINUX PLATFORMS
---------------------------------
1. Added Mar 26, 2003
Alarm Pinger (apinger) v0.6.1
by Jacek Konieczny
Relevant URL:
http://www.bnet.pl/~jajcus/apinger/
Platforms: FreeBSD, Linux, POSIX
Summary:
Alarm Pinger (apinger) is a little tool which monitors various IP devices
by simple ICMP echo requests. Unlike most Perl or shell script tools, it
does not spawn processes or use much CPU time, and is ideal for when one
wants continuous monitoring and fast response upon target failure. It is
written in C and supports both IPv4 and IPv6.
2. Log Watcher v0.2
by Artur R. Czechowski
Relevant URL:
http://sourceforge.net/projects/lwatch/
Platforms: FreeBSD, Linux, POSIX
Summary:
lwatch is a log parser/analyzer written in C with the PCRE library. It is
small and efficient. You are able to define your own colors using regexp
patterns. The biggest advantage compared to other tools written in Perl is
its speed.
3. network traffic volume capture to postgresql v1.1
by Rob Fowler
Relevant URL:
http://gborg.postgresql.org/project/tcap/projdisplay.php
Platforms: Linux, POSIX
Summary:
This is a Unix daemon that captures traffic packet size, source,
destination, and times and saves this data into a postgres database in
near real time, from which traffic reports may be made. It does not save
the actual data or headers. Works on ethX or cooked devices like ppp0. It
uses Postgres embedded SQL to insert the data, pcap to capture traffic,
and pthreads to capture and write at the same time. It is written in C++
using STL. Pcap filters can be specified on the command line. Logs go to
syslog.
VI. SPONSORSHIP INFORMATION
---------------------------
This Issue is Sponsored by: CipherTrust
-------------------------------------------------------------------------------
===============================================================================
End of Doc #1
===============================================================================
===============================================================================
2.) SNMP security issues in D-Link DSL Broadband Modem/Router
===============================================================================
Arhont Ltd - Information Security Company
Arhont Advisory by: Andrei Mikhailovsky (www.arhont.com)
Advisory: D-Link DSL Broadband Modem/Router
Router Model Name: D-Link DSL-500
Model Specific: Other models might be vulnerable as well
Manufacturer site: http://www.dlink.com
Manufacturer contact (UK): Tel: 0800 9175063 / 0845
0800288
Contact Date: 06/03/2003
DETAILS:
While performing general security testing of a network, we found
several security vulnerability issues with the D-Link DSL Broadband
Modem DSL-500.
Issue 1:
The default router installation enables an SNMP (Simple Network
Management Protocol) server with default community names for read and
read/write access. The DSL-500 modem is configured to allow SNMP access
from the WAN (Wide Area Network)/Internet side as well as from the LAN.
andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30 Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
Copyright (c) 2000 Dlink Corp.
sysObjectID.0 = OID: enterprises.171.10.30.1
sysUpTime.0 = Timeticks: (14246347) 1 day, 15:34:23.47
...
...
The community name: public
allows read access to the mentioned devices, allowing
enumeration and gathering of sensitive network
information.
The community name: private
allows read/write access to devices, thus allowing
change of the network settings of the broadband modem.
Impact: This vulnerability allows local and internet
malicious attackers to retrieve and change network
settings of the modem.
Risk Factor: Medium/High
Possible Solutions: Firewall UDP port 161 from LAN/WAN
sides, as it is not possible to disable SNMP service
from the web management interface.
Issue 2:
The ISP account information, including login name and password, is
stored on the modem without encryption. It is therefore possible to
retrieve this information with a simple SNMP gathering utility such as
snmpwalk:
andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30 Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
...
...
...
transmission.23.2.3.1.5.2.1 = STRING:
"username@dsl-provider"
...
...
transmission.23.2.3.1.6.2.1 = STRING: "password-string"
...
...
...
Impact: This vulnerability allows LAN and internet
malicious attackers to retrieve confidential information.
Risk Factor: Very High
Possible Solutions: As a temporary solution you should
firewall UDP port 161 from LAN/WAN sides, as it is not
possible to disable SNMP service from the web
management interface.
According to the Arhont Ltd. policy, all of the found
vulnerabilities and security issues will be reported to
the manufacturer 7 days before releasing them to the
public domains (such as CERT and BUGTRAQ), unless
specifically requested by the manufacturer.
If you would like to get more information about this
issue, please do not hesitate to contact Arhont team at
info-@arhont.com.
Kind Regards,
Andrei Mikhailovsky
Arhont Ltd
http://www.arhont.com
GnuPG Keyserver: blackhole.pca.dfn.de
GnuPG Key: 0xFF67A4F4
===============================================================================
End of Doc #2
===============================================================================
===============================================================================
3.) [RHSA-2003:051-01] Updated kerberos packages fix various
vulnerabilities
===============================================================================
---------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated kerberos packages fix various vulnerabilities
Advisory ID: RHSA-2003:051-01
Issue date: 2003-03-26
Updated on: 2003-03-26
Product: Red Hat Linux
Keywords: krb5
Cross references: RHSA-2003:052
Obsoletes: RHSA-2003:020
CVE Names: CAN-2003-0028 CAN-2003-0036 CAN-2003-0058 CAN-2003-0059 CAN-2003-0072 CAN-2003-0082 CAN-2003-0138 CAN-2003-0139
---------------------------------------------------------------------
1. Topic:
Updated Kerberos packages fix a number of vulnerabilities found in MIT
Kerberos.
2. Relevant releases/architectures:
Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
3. Problem description:
Kerberos is a network authentication system. The MIT Kerberos team
released an advisory describing a number of vulnerabilities that affect the
kerberos packages shipped by Red Hat. These vulnerabilities include:
An integer signedness error in the ASN.1 decoder before version 1.2.5
allows remote attackers to cause a denial of service (crash) via a large
unsigned data element length, which is later used as a negative value. The
Common Vulnerabilities and Exposures project has assigned the name
CAN-2002-0036 to this issue. Red Hat Linux 8.0 and later are not affected
by this issue.
The Key Distribution Center (KDC) before version 1.2.5 allows remote,
authenticated attackers to cause a denial of service (crash) on KDCs within
the same realm using a certain protocol request that causes a null
dereference (CAN-2003-0058). Red Hat Linux 8.0 and later are not affected
by this issue.
The Key Distribution Center (KDC) allows remote, authenticated attackers to
cause a denial of service (crash) on KDCs within the same realm using a
certain protocol request that causes an out-of-bounds read of an array
(CAN-2003-0072).
The Key Distribution Center (KDC) allows remote, authenticated attackers
to cause a denial of service (crash) on KDCs within the same realm using a
certain protocol request that causes the KDC to corrupt its heap
(CAN-2003-0082).
A vulnerability in Kerberos before version 1.2.3 allows users from one
realm to impersonate users in other realms that have the same inter-realm
keys (CAN-2003-0059). Red Hat Linux 7.3 and later are not affected by this
issue.
The MIT advisory for these issues also mentions format string
vulnerabilities in the logging routines (CAN-2003-0060). Previous versions
of the kerberos packages from Red Hat already contain fixes for this issue.
Vulnerabilities have been found in the support for triple-DES keys in the
implementation of the Kerberos IV authentication protocol which is included
in MIT Kerberos (CAN-2003-0139).
Vulnerabilities have been found in the Kerberos IV authentication protocol
which allow an attacker with knowledge of a cross-realm key, which is
shared with another realm, to impersonate any principal in that realm to
any service in that realm. This vulnerability can only be closed by
disabling cross-realm authentication in Kerberos IV (CAN-2003-0138).
Vulnerabilities have been found in the RPC library used by the kadmin
service in Kerberos 5. A faulty length check in the RPC library exposes
kadmind to an integer overflow which can be used to crash kadmind
(CAN-2003-0028).
All users of Kerberos are advised to upgrade to these errata packages,
which disable cross-realm authentication by default for Kerberos IV and
which contain backported patches that correct these issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.
Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
5. RPMs required:
Red Hat Linux 6.2:
SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/krb5-1.1.1-40.src.rpm
i386:
ftp://updates.redhat.com/6.2/en/os/i386/krb5-configs-1.1.1-40.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-devel-1.1.1-40.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-libs-1.1.1-40.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-server-1.1.1-40.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-workstation-1.1.1-40.i386.rpm
Red Hat Linux 7.0:
SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/krb5-1.2.2-24.src.rpm
i386:
ftp://updates.redhat.com/7.0/en/os/i386/krb5-devel-1.2.2-24.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/krb5-libs-1.2.2-24.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/krb5-server-1.2.2-24.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/krb5-workstation-1.2.2-24.i386.rpm
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/krb5-1.2.2-24.src.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/krb5-devel-1.2.2-24.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/krb5-libs-1.2.2-24.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/krb5-server-1.2.2-24.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/krb5-workstation-1.2.2-24.i386.rpm
Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/krb5-1.2.2-24.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/krb5-devel-1.2.2-24.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/krb5-libs-1.2.2-24.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/krb5-server-1.2.2-24.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/krb5-workstation-1.2.2-24.i386.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/krb5-devel-1.2.2-24.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/krb5-libs-1.2.2-24.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/krb5-server-1.2.2-24.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/krb5-workstation-1.2.2-24.ia64.rpm
Red Hat Linux 7.3:
SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/krb5-1.2.4-11.src.rpm
i386:
ftp://updates.redhat.com/7.3/en/os/i386/krb5-devel-1.2.4-11.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/krb5-libs-1.2.4-11.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/krb5-server-1.2.4-11.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/krb5-workstation-1.2.4-11.i386.rpm
Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/krb5-1.2.5-15.src.rpm
i386:
ftp://updates.redhat.com/8.0/en/os/i386/krb5-devel-1.2.5-15.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/krb5-libs-1.2.5-15.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/krb5-server-1.2.5-15.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/krb5-workstation-1.2.5-15.i386.rpm
6. Verification:
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at http://www.redhat.com/about/contact/pgpkey.html
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
md5sum <filename>
7. References:
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-003-xdr.txt
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0028
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0036
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0139
8. Contact:
The Red Hat security contact is <secu-@redhat.com>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html
Copyright 2003 Red Hat, Inc.
===============================================================================
End of Doc #3
===============================================================================
===============================================================================
4.) NetBSD Security Advisory 2003-007: (Another) Encryption weakness
in OpenSSL code
===============================================================================
NetBSD Security Advisory 2003-007
=================================
Topic: (Another) Encryption weakness in OpenSSL code
Version: NetBSD-current: source prior to March 21, 2003
NetBSD-1.6.1: not affected
NetBSD-1.6: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4*: not affected
pkgsrc: prior to openssl-0.9.6gnb2
Severity: Attacker can perform crypto operations using server's private
keys.
Fixed: NetBSD-current: March 21, 2003
NetBSD-1.6 branch: March 21, 2003
NetBSD-1.5 branch: March 21, 2003
pkgsrc: openssl-0.9.6gnb2
Abstract
========
Quote from bugtraq posting:
Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa
have come up with an extension of the "Bleichenbacher attack" on RSA
with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0. Their
attack requires the attacker to open millions of SSL/TLS connections
to the server under attack; the server's behaviour when faced with
specially made-up RSA ciphertexts can reveal information that in
effect allows the attacker to perform a single RSA private key
operation on a ciphertext of its choice using the server's RSA key.
Note that the server's RSA key is not compromised in this attack.
No services using SSL/TLS are enabled by default in NetBSD, however, by
enabling services built with these libraries, a system could become
vulnerable to the compromise.
NOTE: Two OpenSSL advisories have appeared within 2 days of each other.
While the patches affect libssl in this SA, and libcrypto in
2003-005, please be aware that there are two separate issues
with separate sets of patches.
Technical Details
=================
http://marc.theaimsgroup.com/?l=bugtraq&m=104811162730834&w=2
Solutions and Workarounds
=========================
The following instructions describe how to upgrade your libssl
binaries by updating your source tree and rebuilding and installing
a new version of libssl.
Be sure to restart running instances of programs that use the libssl
library after upgrading.
If you have any statically-linked binaries that linked against a
vulnerable libssl, you need to recompile them.
* NetBSD-current:
Systems running NetBSD-current dated from before 2003-02-21
should be upgraded to NetBSD-current dated 2003-02-21 or later.
The following file needs to be updated from the
netbsd-current CVS branch (aka HEAD):
crypto/dist/openssl/ssl/s3_srvr.c
To update from CVS, re-build, and re-install libssl:
# cd src
# cvs update -d -P crypto/dist/openssl/ssl/s3_srvr.c
# cd lib/libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.6:
The binary distribution of NetBSD 1.6 is vulnerable.
If a source-based point upgrade is required, sources from the
NetBSD 1.6 branch dated 2003-03-21 or later should be used.
The following file needs to be updated from the
netbsd-1-6 CVS branch:
crypto/dist/openssl/ssl/s3_srvr.c
To update from CVS, re-build, and re-install libssl:
# cd src
# cvs update -d -P -r netbsd-1-6 \
crypto/dist/openssl/ssl/s3_srvr.c
# cd lib/libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
The binary distribution of NetBSD 1.5.3 is vulnerable.
Systems running NetBSD-1.5.x dated from before 2003-03-20
should be upgraded to NetBSD-1.5 branch dated 2003-03-21 or later.
The following file needs to be updated from the
netbsd-1-5 CVS branch:
crypto/dist/openssl/ssl/s3_srvr.c
To update from CVS, re-build, and re-install libssl:
# cd src
# cvs update -d -P -r netbsd-1-5 \
crypto/dist/openssl/ssl/s3_srvr.c
# cd lib/libssl
# make cleandir dependall
# make install
* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
OpenSSL was not included in the base system in NetBSD-1.4.*
Follow the directions for pkgsrc if you have installed it from
pkgsrc.
* pkgsrc:
openssl (pkgsrc/security/openssl) prior to openssl-0.9.6gnb2 are
vulnerable. Upgrade to openssl-0.9.6gnb2 or later.
Packages which require openssl can be found by running 'pkg_info
openssl'. Depending on the method you choose to update pkgsrc
packages, a rebuild of the packages on that list may be
performed for you by the package system. If you update using the
experimental 'make replace' target, you will need to manually
update any packages which build static binaries with libssl.a.
If you have statically linked binaries in pkgsrc, they have to be
rebuilt. Statically linked binaries can be identified by the
following command (note: be sure to include the directory you install
pkgsrc binaries to, if you've changed LOCALBASE from the default of
/usr/pkg)
file /usr/pkg/{bin,sbin,libexec}/* | grep static
Thanks To
=========
Bugtraq and the OpenSSL team.
Revision History
================
2003-03-26 Initial release
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-007.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2003, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2003-007.txt,v 1.5 2003/03/26 05:51:26 david Exp $
===============================================================================
End of Doc #4
===============================================================================
===============================================================================
5.) NetBSD Security Advisory 2003-005: RSA timing attack in OpenSSL code
===============================================================================
NetBSD Security Advisory 2003-005
=================================
Topic: RSA timing attack in OpenSSL code
Version: NetBSD-current: source prior to March 19, 2003
NetBSD-1.6: affected (NetBSD-1.6.1 will include the fix)
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4*: not affected
pkgsrc: prior to openssl-0.9.6gnb2
Severity: Cryptographic keys can be compromised remotely.
Fixed: NetBSD-current: March 19, 2003
NetBSD-1.6 branch: March 21, 2003 (1.6.1 will include the fix)
NetBSD-1.5 branch: March 21, 2003
pkgsrc: openssl-0.9.6gnb2
Abstract
========
A timing attack has been discovered, which can be used against OpenSSL.
The attack allows remote recovery of private keys, from a host with
low-latency access to the server - such as the local host, or a host on
the LAN.
Research shows that about a million queries are sufficient to extract a
1024-bit RSA key. Any program that uses OpenSSL's RSA logic could be
affected.
NOTE: Two OpenSSL advisories have appeared within 2 days of each other.
While the patches affect libcrypto in this SA, and libssl in
2003-007, please be aware that there are two separate issues
with separate sets of patches.
Technical Details
=================
http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
Solutions and Workarounds
=========================
The following instructions describe how to upgrade your libcrypto
binaries by updating your source tree and rebuilding and installing
a new version of libcrypto.
Be sure to restart running instances of programs that use the libcrypto
library after upgrading.
If you have any statically-linked binaries that linked against a
vulnerable libcrypto, you need to recompile them.
* NetBSD-current:
Systems running NetBSD-current dated from before 2003-03-19
should be upgraded to NetBSD-current dated 2003-03-19 or later.
The following file needs to be updated from the
netbsd-current CVS branch (aka HEAD):
crypto/dist/openssl/crypto/rsa
To update from CVS, re-build, and re-install libcrypto:
# cd src
# cvs update -d -P crypto/dist/openssl/crypto/rsa
# cd lib/libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.6:
The binary distribution of NetBSD 1.6 is vulnerable.
Systems running NetBSD-1-6 from sources dated before 2002-03-21
should be upgraded to NetBSD-1-6 branch sources dated 2003-03-21
or later.
The following files need to be updated from the
netbsd-1-6 CVS branch:
crypto/dist/openssl/crypto/rsa
To update from CVS, re-build, and re-install libcrypto:
# cd src
# cvs update -d -P -r netbsd-1-6 crypto/dist/openssl/crypto/rsa
# cd lib/libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
The binary distribution of NetBSD 1.5.3 is vulnerable.
Systems running NetBSD-1.5.x dated from before 2003-xx-xx
should be upgraded to NetBSD-1.5 branch dated 2003-xx-xx or later.
The following file needs to be updated from the
netbsd-1-5 CVS branch:
crypto/dist/openssl/crypto/rsa
To update from CVS, re-build, and re-install libcrypto:
# cd src
# cvs update -d -P -r netbsd-1-5 \
crypto/dist/openssl/ssl/s3_pkt.c
# cd lib/libcrypto
# make cleandir dependall
# make install
* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
OpenSSL was not included in the base system in NetBSD-1.4.*
Follow the directions for pkgsrc if you have installed it from
pkgsrc.
* pkgsrc:
openssl (pkgsrc/security/openssl) prior to 0.9.6gnb2 are
vulnerable. Upgrade to openssl-0.9.6gnb2 or later; pkgsrc
currently contains openssl-0.9.6gnb1 at time of this writing.
Packages which require openssl can be found by running 'pkg_info
openssl'. Depending on the method you choose to update pkgsrc
packages, a rebuild of the packages on that list may be
performed for you by the package system. If you update using the
experimental 'make replace' target, you will need to manually
update any packages which build static binaries with libcrypto.a.
If you have statically linked binaries in pkgsrc, they have to be
rebuilt. Statically linked binaries can be identified by the
following command (note: be sure to include the directory you install
pkgsrc binaries to, if you've changed LOCALBASE from the default of
/usr/pkg)
file /usr/pkg/{bin,sbin,libexec}/* | grep static
Thanks To
=========
Bugtraq and the OpenSSL team.
Revision History
================
2003-03-26 Initial release
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-005.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2003, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2003-005.txt,v 1.7 2003/03/26 06:14:37 david Exp $
===============================================================================
End of Doc #5
===============================================================================
===============================================================================
End of GNSecNews #7
===============================================================================
-vi