Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts: Denial-of-Service Vulnerabilities

by Noel Davis
10/22/2002

Welcome to Security Alerts, an overview of recent Unix and open source security advisories.

In this column, we look at problems in xinetd, syslog-ng, heartbeat, dvips, net-snmp, OpenOffice, kpf, gnome-gv, ggv, Mozilla, Cisco CatOS embedded HTTP server, PAM, and Sun's lockd.

xinetd

xinetd, a version of the Internet services daemon inetd designed to be more secure, is vulnerable to a denial of service attack. Versions of xinetd from 2.3.4 to 2.3.7 are reported to be vulnerable.

Users should upgrade to xinetd version 2.3.9 or newer as soon as possible. Red Hat has released updated xinetd packages that will repair this problem.

syslog-ng

syslog-ng is a system log daemon replacement designed to add additional features and capabilities. A buffer overflow in the code that handles syslog-ng's macro expansion can be exploited in a denial of service attack and may, under some circumstances, be used to execute arbitrary code with root permissions.

Users should watch their vendor for a repaired version or upgrade syslog-ng to 1.5.21 for the devel version or 1.4.16 for the stable version. Debian has released updated packages that fix this buffer overflow.


Heartbeat

The Heartbeat package for Linux provides a service that can be used to implement system failover. Heartbeat is vulnerable to several format string bugs that can be exploited by a remote attacker and may lead to a root compromise under some conditions.

It is recommended that users upgrade to a repaired version of heartbeat, that heartbeat be run as a normal non-privileged user, and that, if heartbeat is configured to listen on a UDP port, the port be protected with a firewall. SuSE has released packages that repair the format string bugs in heartbeat, configure it to run as the user nobody, and repair a boot-time problem.

dvips

dvips converts DVI format files into PostScript compatible files and can be used as a print filter to allow the printing of DVI files. dvips insecurely uses the system() function call and, when used as a print filter, may be exploitable to execute arbitrary code with the permissions of the user account that the print system is running as.

Affected users should upgrade dvips to a fixed version or remove it from their system. Red Hat has released updated packages that repair this problem.

net-snmp

The SNMP daemon that is part of the net-snmp package is vulnerable to a denial of service attack that uses a carefully crafted packet. Before an attacker can exploit this denial of service, they must know at least one SNMP community string, for example the "public" read-only community string, which in many installations has never been changed.

Users should update their net-snmp package with a repaired version.

OpenOffice

OpenOffice is vulnerable to a symbolic link race condition during installation that can be used to overwrite arbitrary files on the system with the permissions of the user performing the installation.

It is recommended that multi-user machines be brought to single-user mode prior to installing OpenOffice.

kpf

kpf is a small Web server that docks in the KDE bar and is designed to let a user easily share a directory. kpf has a vulnerability that allows a remote attacker to easily view any directory or file on the system readable by the user running kpf. Versions of kpf released with KDE 3.0.1 through KDE 3.0.3a are reported to be vulnerable.

Users should upgrade to kdenetwork-3.0.4 or should not run kpf until their vendor has released updated packages.

gnome-gv and ggv

The gnome-gv and ggv PDF and PostScript viewers are vulnerable to the same buffer overflow that is present in gv. An attacker can create a PDF or PostScript file that when read by gnome-gv or ggv can cause arbitrary code to be executed with the permissions of the user running the process.

Users should upgrade gnome-gv and ggv to repaired versions as soon as possible and should consider disabling them until they have been updated.

Red Hat Mozilla Packages

Red Hat has released new Mozilla packages that repair several vulnerabilities in versions prior to 1.0.1. These vulnerabilities could be used by an attacker to read arbitrary data on the local machine or under some conditions execute code as the user running Mozilla.

Affected users should upgrade their Mozilla packages as soon as possible.

Cisco CatOS Embedded HTTP Server

A buffer overflow has been reported in the Cisco CatOS embedded HTTP server that can affect some Cisco Catalyst switches. This buffer overflow can be used by a remote attacker in a denial of service attack. Versions of CatOS from 5.4 through 7.3 that contain a "cv" in their image name are reported to be affected.

Cisco recommends that affected users upgrade their switch to a repaired version of CatOS. Affected users should contact Cisco for details.

PAM

It has been reported that PAM version 0.76 contains a serious security bug: accounts whose passwords have been locked by placing "*" in the password field are treated as having empty passwords, so access to those accounts is permitted without a password if the account's shell is anything other than /bin/false. The current unstable Debian release (sid) is affected by this bug.

Affected users should upgrade to a repaired version of PAM and verify the integrity of their system and their locked accounts.
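An audit script for the "verify their locked accounts" step, added for this column and not part of PAM or any Debian package: it lists every account whose effective password field is exactly "*" and whose shell is not /bin/false, which is the set of accounts the bug described above would let in. The passwd and shadow samples are constructed, not taken from a real system.

```python
# Constructed sample of /etc/passwd and /etc/shadow lines (not a real system).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
carol:x:1002:1002:Carol:/home/carol:/bin/false
legacy:*:1003:1003:Legacy:/home/legacy:/bin/csh
"""

SAMPLE_SHADOW = """root:$1$saltsalt$0123456789abcdefghijkl:11900:0:99999:7:::
daemon:*:11900:0:99999:7:::
alice:$1$saltsalt$0123456789abcdefghijkl:11900:0:99999:7:::
bob:*:11900:0:99999:7:::
carol:*:11900:0:99999:7:::
"""


def parse_colon_file(text):
    """Map the user name (first field) of each non-comment line to its fields."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows


def password_field(user, passwd_fields, shadow):
    """Effective password field: taken from /etc/shadow when passwd holds 'x'."""
    pw = passwd_fields[1]
    if pw == "x" and user in shadow:
        return shadow[user][1]
    return pw


def exposed_locked_accounts(passwd_text, shadow_text):
    """Accounts locked with '*' that the buggy PAM 0.76 would admit without a
    password, i.e. those whose login shell is anything other than /bin/false."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    exposed = []
    for user, fields in passwd.items():
        shell = fields[6] if len(fields) > 6 else ""
        if password_field(user, fields, shadow) == "*" and shell != "/bin/false":
            exposed.append(user)
    return sorted(exposed)


if __name__ == "__main__":
    for user in exposed_locked_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: locked with '*' but shell is not /bin/false")
```

On a live host, feed the script the contents of /etc/passwd and /etc/shadow; daemon and carol are skipped here because their shell is /bin/false.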

Sun lockd DOS

The lockd file locking daemon distributed with Solaris is vulnerable to a denial of service attack that can cause NFS requests that require locking to hang or fail. While this denial of service attack is in progress, a lockd daemon started in debug mode (-d 1) will write a log message similar to the following to /var/adm/messages:

"Oct  8 13:39:41 flower unix: svc_tli_kcreate returned 134"

Sun has released patches for Solaris 2.6, 7, 8, and 9 for SPARC-based machines and Solaris X86 2.6, 7, and 8 for Intel-based machines.
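A small detector for the message quoted above, added here as an example rather than anything shipped by Sun: it scans /var/adm/messages-style lines for the svc_tli_kcreate error, records the host and return code, and reports hosts that log it repeatedly. The sample lines, the host names, and the alert threshold of three are constructed assumptions.

```python
import re
from collections import Counter

# Constructed /var/adm/messages excerpt modelled on the line quoted in the
# column; host names and timestamps are made up.
SAMPLE_MESSAGES = """Oct  8 13:39:41 flower unix: svc_tli_kcreate returned 134
Oct  8 13:39:42 flower unix: svc_tli_kcreate returned 134
Oct  8 13:40:01 flower sendmail[212]: alias database /etc/mail/aliases rebuilt
Oct  8 13:41:07 flower unix: svc_tli_kcreate returned 134
Oct  8 13:41:09 daisy unix: svc_tli_kcreate returned 134
"""

# Syslog layout: "Mon dd hh:mm:ss host unix: svc_tli_kcreate returned <code>"
LOCKD_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) unix: svc_tli_kcreate returned (?P<code>\d+)$"
)


def lockd_failures(text):
    """Return (timestamp, host, return code) for each svc_tli_kcreate error."""
    hits = []
    for line in text.splitlines():
        m = LOCKD_RE.match(line)
        if m:
            hits.append((m.group("stamp"), m.group("host"), int(m.group("code"))))
    return hits


def hosts_over_threshold(text, threshold=3):
    """Hosts whose number of svc_tli_kcreate errors reaches the threshold
    (an assumed value; tune it to the debug-mode log volume on your systems)."""
    counts = Counter(host for _, host, _ in lockd_failures(text))
    return sorted(host for host, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for stamp, host, code in lockd_failures(SAMPLE_MESSAGES):
        print(f"{stamp} {host}: svc_tli_kcreate returned {code}")
    print("hosts over threshold:", hosts_over_threshold(SAMPLE_MESSAGES))
```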

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.