Is Your Router Insecure?
03/06/2001
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at: a problem in Cisco IOS that can be used to predict TCP sequence numbers; problems in PHP-Nuke, Chili!Soft ASP, Nortel Networks Connectivity Extranet Switches, Joe, Veritas Cluster Server, and fcron; and a buffer overflow in mailx.
Cisco IOS has an error that can allow the prediction of TCP initial sequence numbers. This error can under some circumstances be exploited to gain control of a router or switch running Cisco IOS. The error may also be exploited to intercept or modify network traffic to or from a device running Cisco IOS. This error affects all Cisco switches and routers that run any released version of Cisco IOS. The error can only affect traffic that starts or ends on the device and does not affect forwarded traffic. Cisco products that do not run IOS and are not affected by this problem include the Cisco PIX firewall, the Cisco 600 family of routers, and others.
Cisco has made available free software upgrades for all affected customers, and they recommend that customers upgrade as soon as possible.
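The advisory turns on how guessable a device's TCP initial sequence numbers (ISNs) are. The following is an added example, not code from the column or from Cisco: a small check that takes a sample of ISNs observed from one device (here a constructed sample rather than a live capture) and reports whether consecutive ISNs differ by a fixed or tightly bounded amount, which is the property that lets an observer guess the next one. The 2**20 window used to call a sample "predictable" is an assumption chosen for the example, not a figure from the advisory.

```python
"""Added example (not from the column or Cisco): a crude check of how
predictable a device's TCP initial sequence numbers are, run over a
constructed sample of ISNs rather than a live capture."""

# Constructed samples. The first mimics a stack that bumps its ISN by a fixed
# amount per connection; the second mimics a stack drawing ISNs at random.
PREDICTABLE_ISNS = [0x1A2B3C00 + 64000 * i for i in range(6)]
RANDOM_ISNS = [0x9F1C23A7, 0x04E8B1D2, 0xC73A0E55, 0x2B9D7F10, 0x81036C9E, 0x5DFA4403]

ISN_MODULUS = 2 ** 32  # the ISN is a 32-bit value and wraps around


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2**32 so that a
    wrap-around does not show up as a huge negative step."""
    return [(nxt - cur) % ISN_MODULUS for cur, nxt in zip(isns, isns[1:])]


def assess_isn_sample(isns, window_bits=20):
    """Classify a sample of ISNs collected from one device.

    The sample counts as 'predictable' when every observed delta falls inside
    a window of 2**window_bits values: knowing the last ISN then narrows the
    next one to that window. window_bits is an assumed threshold for this
    example, not a value from the advisory.
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISNs to judge the increment pattern")
    deltas = isn_deltas(isns)
    spread = max(deltas) - min(deltas)
    return {
        "deltas": deltas,
        "spread": spread,
        "constant_increment": spread == 0,
        "predictable": spread < 2 ** window_bits,
    }


if __name__ == "__main__":
    for label, sample in (("fixed-step", PREDICTABLE_ISNS), ("random", RANDOM_ISNS)):
        result = assess_isn_sample(sample)
        print(f"{label}: spread={result['spread']:#x} predictable={result['predictable']}")
```

To use this against a device you administer, collect the ISN from the SYN-ACK of a series of connections to it (a packet capture is enough) and pass those values in place of the constructed lists; a "constant_increment" or "predictable" result is the condition the upgrade is meant to remove.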
PHP-Nuke is a web-based news and discussion system similar to the software that powers sites such as RootPrompt.org or Slashdot. A new vulnerability has been announced that an attacker can exploit to gain administrative privileges in the PHP-Nuke software and to execute arbitrary commands with the permissions of the user running the web server (usually the user nobody). The vulnerability affects versions through 4.0.4p11. An attacker exploits this vulnerability by feeding the software a variable containing a NULL, causing magic quotes to stop functioning properly.
Version 4.4.2 of mainfile.php, available from the PHP-Nuke web site, has been patched to fix this problem. It is recommended that users replace their mainfile.php as soon as possible.
In addition, more security problems with PHP-Nuke have been announced. The PHP-Nuke application is being rapidly developed, and every week more problems are being identified and worked on. Users should continue to watch PHP-Nuke's web site for updates and patches.
Chili!Soft ASP software permits Unix web servers to run ASP (Active Server Pages). Several problems have been identified in its default installation. In the default install, the software has flawed example scripts that can be exploited to read files on the server (including administrative files containing passwords), every server installs the same default user name and password, several files are installed so that they can be written to by any Unix account on the system, and other files that contain sensitive data such as passwords are installed world readable.
Users of Chili!Soft ASP should watch the Chili!Soft web site for an update. Until then, Chili!Soft recommends that users change the default password, disable access to the /caspsamp virtual directory, and modify some file permissions. Please see the Chili!Soft web site's support page for more information.
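Two of the problems above are plain permission mistakes: files any local account can write, and credential files any local account can read. The script below is an added example (not Chili!Soft's code) of how an administrator can audit an install tree for both before the vendor update arrives. The sensitive-name patterns and the layout of the constructed demo tree are assumptions for the example; on a real install, point audit_tree at the product's directory and extend the patterns to its actual file names.

```python
"""Added example (not Chili!Soft's code): audit an install tree for
world-writable files and for world-readable files that look like they hold
credentials. File names and patterns here are assumed, not the product's."""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Assumed name fragments that mark a file as sensitive; adjust for a real install.
SENSITIVE_NAME_PARTS = ("passwd", "password", "secret", "shadow")


def is_world_writable(mode):
    return bool(mode & stat.S_IWOTH)


def is_world_readable(mode):
    return bool(mode & stat.S_IROTH)


def looks_sensitive(name):
    lowered = name.lower()
    return any(part in lowered for part in SENSITIVE_NAME_PARTS)


def audit_tree(root):
    """Walk root and return sorted (path, finding) pairs.

    Symlinks are skipped: their own permission bits mean nothing, and
    following them could carry the audit outside the tree."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; nothing to report here
            if stat.S_ISLNK(st.st_mode):
                continue
            if is_world_writable(st.st_mode):
                findings.append((path, "world-writable"))
            if looks_sensitive(name) and is_world_readable(st.st_mode):
                findings.append((path, "sensitive-world-readable"))
    return sorted(findings)


def demo():
    """Build a constructed install tree, audit it, and return the findings
    with paths relative to the tree."""
    base = tempfile.mkdtemp(prefix="casp-audit-")
    try:
        conf = Path(base, "conf")
        conf.mkdir()
        creds = conf / "passwd.dat"
        creds.write_text("constructed: admin:changeme\n")
        os.chmod(creds, 0o644)      # holds credentials but is world-readable
        server = conf / "server.conf"
        server.write_text("constructed config\n")
        os.chmod(server, 0o640)     # acceptable: owner and group only
        log = Path(base, "casp.log")
        log.write_text("")
        os.chmod(log, 0o666)        # any local account could alter it
        return [(os.path.relpath(p, base), why) for p, why in audit_tree(base)]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for path, why in demo():
        print(f"{why:25} {path}")
```

The modes are set with explicit chmod calls so the demo does not depend on the process umask; a real audit would of course not create the files, only walk them.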
The Nortel Networks Connectivity Extranet Switch (CES) is a VPN (Virtual Private Network) concentrator used to connect trusted networks together across an untrusted network such as the Internet. Under some circumstances, CES will use single DES (Data Encryption Standard) to encrypt its traffic. This introduces a potential weakness, as single-DES-encrypted information has been cracked in as little as 22 hours and 15 minutes. It has also been reported that, due to the current encryption standards, this type of problem may affect many other VPN devices.
VPN users should check to make sure that their traffic is being encrypted using 3DES, Blowfish, or some other difficult-to-crack encryption method.
Nortel Networks states that in many cases their devices will not use single DES unless configured to do so by the administrator. Nortel Networks recommends that users who are concerned about the security of their CES device should upgrade their software to version 3.6 and Extranet client 2.62.
Joe's Own Editor is a small editor shipped with many Linux distributions that can emulate other editors such as WordStar, pico, and emacs. Joe looks for and opens its configuration file .joerc unsafely. It searches for .joerc in the current directory, the user's home directory, and then in /usr/local/lib. An attacker can modify .joerc so that Joe will execute arbitrary commands when it parses it. The attacker then can copy the modified .joerc file into a world-writable directory and wait for a user to execute Joe while in that directory. It has been reported that the version of Joe in the FreeBSD ports tree is also vulnerable, but that it was fixed in OpenBSD prior to December of 1998.
Users should avoid executing Joe in world-writable directories until they have updated Joe to a fixed version.
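The Joe problem is a general one: a program that reads a configuration file from the current directory, or from any directory another local user can write to, will run whatever that user put there. The code below is an added example (not Joe's code) of a lookup that leaves the current directory out of the search and accepts a candidate only when the file and its directory are owned by the user or root and neither is world-writable. The search order and trust rules are assumptions for the example; the demo builds a constructed tree with one candidate in a world-writable directory and one in a private one. It assumes a POSIX system, since it relies on Unix ownership and mode bits.

```python
"""Added example (not Joe's code): a configuration-file lookup that refuses
candidates an untrusted local user could have planted. The search order and
trust rules are assumptions for this example; POSIX only."""
import os
import shutil
import stat
import tempfile
from pathlib import Path


def is_trusted_rc(path, uid):
    """True if path is a regular file owned by uid or root, sitting in a
    directory owned by uid or root, and neither is world-writable."""
    try:
        file_st = os.lstat(path)
        dir_st = os.stat(os.path.dirname(path) or ".")
    except OSError:
        return False
    if not stat.S_ISREG(file_st.st_mode):
        return False  # symlinks, fifos and the like are not trusted
    for st in (file_st, dir_st):
        if st.st_uid not in (uid, 0):
            return False
        if st.st_mode & stat.S_IWOTH:
            return False  # a world-writable file or directory can be replaced
    return True


def find_rc(search_dirs, name=".joerc", uid=None):
    """Return (chosen path or None, list of candidates that were rejected).

    Callers pass an explicit list of directories; the current working
    directory is deliberately never consulted."""
    uid = os.getuid() if uid is None else uid
    rejected = []
    for directory in search_dirs:
        candidate = os.path.join(directory, name)
        if not os.path.lexists(candidate):
            continue
        if is_trusted_rc(candidate, uid):
            return candidate, rejected
        rejected.append(candidate)
    return None, rejected


def demo():
    """Constructed tree: a world-writable 'shared' directory holding an rc
    file, and a private 'home' directory holding another. Returns the chosen
    and rejected candidates relative to the tree."""
    base = tempfile.mkdtemp(prefix="rc-lookup-")
    try:
        shared = Path(base, "shared")
        shared.mkdir()
        os.chmod(shared, 0o777)            # anyone could drop a file here
        planted = shared / ".joerc"
        planted.write_text("constructed rc in a world-writable directory\n")
        os.chmod(planted, 0o644)
        home = Path(base, "home")
        home.mkdir()
        os.chmod(home, 0o755)
        own = home / ".joerc"
        own.write_text("constructed rc in the user's home\n")
        os.chmod(own, 0o644)
        chosen, rejected = find_rc([str(shared), str(home)])
        rel = lambda p: os.path.relpath(p, base)
        return (rel(chosen) if chosen else None, [rel(p) for p in rejected])
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    chosen, rejected = demo()
    print("chosen:", chosen)
    print("rejected:", rejected)
```

The demo cannot create files owned by a different user without root, so it exercises the world-writable-directory rule; the ownership rule in is_trusted_rc covers the other half of the threat, a file planted by someone else in a sticky directory such as /tmp.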
A system command scheduler designed to replace vixie cron, fcron has a vulnerability that can be exploited to read protected files. A feature of fcron allows root to change other users' crontab files. A bug in this feature can be exploited to read arbitrary files.
The authors of fcron have recommended that all users upgrade to version 1.0.1 or newer.
imapd is used to access mail across the network. It has been reported that the version of imapd shipped with Slackware can be exploited by remote users. No details were available in the report.
Users of imapd on Slackware machines should watch for an updated version.
The mailx program shipped with OpenLinux 2.3 and earlier has a buffer overflow that can allow local users to delete, read, and modify other users' mail.
It is recommended that users upgrade to a version newer than 8.1.1-12.
The lltstat command that is part of Veritas Cluster Server version 1.3.0 has an undocumented -L option that under Solaris will panic the system. The -L option was intended to be used for a new feature and was accidentally left enabled in the software.
Users of the Veritas Cluster Server should contact Veritas for a patch or update.