Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)
 See this if you're having trouble printing code examples


Security Alerts OpenSSL Vulnerabilities

by Noel Davis
03/23/2004

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in OpenSSL, Apache, sysstat, Mozilla, , ModSecurity, Samba, Crafty, UUDeview, metamail, and Calife.

OpenSSl

OpenSSL is C library that provides various cryptographic algorithms such as RSA, SSL, DES, and RC4. OpenSSL contains bugs in the do_change_cipher_spec() function and in the SSL/TLS handshaking code, which can be used by a remote attacker in a denial-of-service attack. The bug in the do_change_cipher_spec() function is reported to affect OpenSSl versions 0.9.6c through 0.9.6l and 0.9.7a through 0.9.7c. The bug in the SSL/TLS handshaking code is reported to affect 0.9.7a, 0.9.7b, and 0.9.7c.

The OpenSSL core team recommends that affected users upgrade to either OpenSSL 0.9.7d and OpenSSL 0.9.6m as soon as possible. Updated OpenSSL packages or patches have been released for Trustix Secure Linux versions 1.5, 2.0, and 2.1; OpenPKG 1.3, 2.0, and CURRENT; Red Hat Linux 9; Debian GNU/Linux 3.0 alias woody; mandrake 9.0, 9.1, 9.2, Corporate Server 2.1, and Multi Network Firewall 8.2; FreeBSD 4.8, 4.9, 5.1, and 5.2; EnGarde Secure Community v1.0.1 and 2, EnGarde Secure Professional v1.1, v1.2, and v1.5; many Cisco networking products; and SuSE 8.0, 8.1, 8.2, 9.0, Database Server, eMail Server III, 3.1 Enterprise Server 7, 8, Firewall on CD/Admin host, Connectivity Server, and Office Server.

Apache HTTP Server 2.0.49

A new version of the Apache web server has been released. Bugs fixed in this release include: a race condition in the handling of short-lived connections under some versions of AIX, Solaris, and Tru64; under some conditions shell escape codes could be inserted into Apache's logs; and a denial-of-service attack vulnerability caused by a memory leak in mod_ssl.

The Apache HTTP Server Project recommends that users of earlier servers upgrade to version 2.0.49.

Learning Lab TigerLinux/Unix System Administration Certification -- Would you like to polish your system administration skills online and receive credit from the University of Illinois? Learn how to administer Linux/Unix systems and gain real experience with a root access account. The four-course series covers the Unix file system, networking, Unix services, and scripting. It's all at the O'Reilly Learning Lab.

sysstat

The script named isag distributed with the sysstat package is reported to be vulnerable to a temporary file symbolic link race-condition-based attack. This vulnerability can be used by a local attacker to overwrite arbitrary files on the system with the permissions of the user (often root) running the isag script. The sysstat package contains the Linux versions of the sar, mpstat, and iostat command-line utilities.

Users should watch their vendor for a repaired version of sysstat.

Mozilla

The Mozilla web browser and mail client come with a set of libraries called Network Security Services (NSS) that provide S/MIME protocol code and other services. NSS versions prior to 3.9 are reported to be vulnerable to a remote attack that uses a carefully constructed S/MIME message to trigger a crash or denial-of-service condition in Mozilla. In addition, problems have been found with Mozilla's handling of cookies and a cross-site scripting vulnerability was found that affects some versions of Mozilla.

Affected users should upgrade to Mozilla version 1.4.2 or newer as soon as possible.

ModSecurity

ModSecurity is an open source intrusion detection and prevention engine written as an Apache module and designed to protect web applications. The Apache 2.x version of ModSecurity is vulnerable to a buffer overflow under some circumstances that may result in arbitrary code being executed with the permissions of the user account the web server is running as. The buffer overflow can be exploited only if the "SecFilterScanPost" configuration parameter is enabled.

It is recommended that users upgrade to Mod_security 1.7.5 as soon as possible.

Samba

The Linux file and print manager Samba contains a flaw that can be exploited by a local attacker under some conditions to gain root permissions on the local machine. Under some conditions the attacker can use the smbmnt utility to mount a remote file system that contains set user id root files that the attacker can then execute with root permissions.

Affected users should watch their vendor for a repaired package.

Also in Security Alerts:

PHP Problems

Ethereal Trouble

KWord Trouble

XFree86 Trouble

MySQL Trouble

Crafty

The game Crafty is reported to be vulnerable to a locally exploitable buffer overflow, where, if the game is installed with a set user id or group bit, it could be used to gain unauthorized permissions (normally the permissions of the game group). A script to automate the exploitation of this vulnerability has been released to the public.

Users should remove any set user id or group bits from Crafty until it has been patched and should also consider removing any set user id or group bits from any other game installed on the system.

UUDeview

The UUDeview utility is both an encoder and a decoder that can use MIME Base64, MIME BinHex, uuencoding, xxencoding, and yEnc. All versions of UUDeview through version 0.5.19 are vulnerable to buffer overflows and an insecure temporary file handling problem.

It is recommended that all users of UUDeview upgrade to version 0.5.20.

metamail

The metamail package contains the extcompose script, which has flaws that can be exploited by a local attacker through a temporary file symbolic link race-condition-based attack. This can result in arbitrary files being overwritten with the permissions of the user running the extcompose script. The extcompose.sigh script is also reported to be vulnerable.

Users should watch their vendor for a repaired package and should consider disabling the extcompose and extcompose.sigh scripts until they have been repaired.

Calife

Calife is a utility that allows an authorized user to become the root user without requiring the root password. If an attacker knows the password of any user on the system and there is at least one user listed in the calife.auth file the attack may be able to exploit a buffer overflow in calife to execute arbitrary code with root permissions.

Affected users should consider only giving people they trust the root password and not attempting to give semi-trusted people "a little root authority". Users who need to use calife should watch their vendor for a repaired version and should explore restricting execution of calife to a group id using filesystem permissions. Debian has released a patched version of calife. Anyone who is not using calife should ensure that any set user and group id bits have been removed from it.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Read more Security Alerts columns.

Return to the LinuxDevCenter.com.

Copyright © 2009 O'Reilly Media, Inc.