Linux Kernel Bug
07/30/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a bug in Linux kernels newer than 2.4.3; a buffer overflow in Solaris' dtmail; vulnerabilities in CylantSecure, PHPLib, tar, Firewall-1, Arkeia backup software, and IRIX's netprint; and talk about the configuration of Cayman DSL routers.
Versions of the Linux kernel from 2.4.3 up to, but not including, 2.4.7-pre7 have a bug that under some circumstances can be used by a local attacker to load arbitrary kernel modules. These kernels have an empty default umask, and when one of them boots without an existing modules.dep file, the file is created with world-writable permissions. Under these circumstances any local user may add entries for modules of their own to modules.dep, and insmod will then load them into the kernel.
Users should verify that the modules.dep file on their system exists and is not world-writable.
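The check recommended above, written out as an added example (it is not code from the column): it confirms that modules.dep is present and not world-writable for a given kernel module tree, and also looks at the directory that holds the file, since a world-writable directory would let any user replace a correctly-permissioned file. The /lib/modules/<version> layout is assumed; the function takes the directory as an argument so it can be pointed anywhere.

```shell
#!/bin/sh
# Added example, not from the column: verify and repair the permissions
# on modules.dep for one kernel module tree (assumed layout:
# /lib/modules/$(uname -r)/modules.dep).
# Exit codes: 0 ok, 1 file missing, 2 file world-writable,
#             3 containing directory world-writable.

# other_writable PATH: true if the "other" write bit is set.
# In `ls -ld` output the permission string occupies columns 1-10 and the
# write bit for "other" is column 9, so this stays portable across Unixes.
other_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# check_modules_dep DIR: DIR is a kernel module tree such as
# /lib/modules/2.4.7
check_modules_dep() {
    dir=$1
    dep="$dir/modules.dep"
    if [ ! -e "$dep" ]; then
        echo "MISSING: $dep (an affected kernel will create it world-writable at boot)"
        return 1
    fi
    if other_writable "$dep"; then
        echo "WORLD-WRITABLE: $(ls -ld "$dep")"
        return 2
    fi
    # A writable directory lets anyone unlink and replace the file, so a
    # mode-644 modules.dep in a mode-777 directory is no protection.
    if other_writable "$dir"; then
        echo "WORLD-WRITABLE DIRECTORY: $(ls -ld "$dir")"
        return 3
    fi
    echo "OK: $(ls -ld "$dep")"
    return 0
}

# fix_modules_dep DIR: remove the other-write bit from the file and the
# directory; run as root on a real system.
fix_modules_dep() {
    chmod o-w "$1/modules.dep" "$1"
}

# Stand-alone use: `sh thisfile.sh --scan` checks every installed kernel tree.
if [ "${1:-}" = "--scan" ]; then
    for d in /lib/modules/*/; do
        check_modules_dep "${d%/}"
    done
fi
```

Run the scan as root after upgrading past 2.4.7-pre7 as well: the fixed kernel will not create a new world-writable file, but it does nothing about one that is already there.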
CylantSecure, a Linux kernel patch that is designed to kill applications that deviate from the norm, can be bypassed by an attacker by exploiting a race condition using a kernel module. An exploit for this problem has been released to the public.
Users should watch for an update to CylantSecure.
Alerts this week:
PHPLib version 7.2d has been released by the PHPLib Team. This release fixes a vulnerability in prepend.php3 that can be used by an attacker to execute arbitrary PHP code with the permissions of the user running the Web server.
The PHPLib Team recommends that users replace any earlier versions of PHPLib with the new version, and cautions users that some applications have been distributed that include a version of PHPLib which should be replaced.
Some versions of top, a system-load and process-monitoring utility, have a vulnerability that can be exploited to gain additional privileges on systems where top is installed set-user-id or set-group-id.
It has been reported that this problem was fixed nine months ago under FreeBSD and may have been fixed under other operating systems. Users should check the permissions on top and remove any set-user-id and set-group-id bits until they have updated top to a recent version.
Apache versions 1.3.19 and earlier have been reported to be vulnerable to a bug that can allow a remote attacker to list any directory and view any file in the Web document tree, regardless of index files or password protection.
It is recommended that users upgrade to a release newer than 1.3.19 as soon as possible.
The dtmail application is a graphical mail client included with the Solaris CDE packages. dtmail has a buffer overflow in the code that handles environment variables that can be exploited by a local attacker to gain the permissions of the mail group. It has been reported that the dtmail distributed with Solaris 8 is not affected by this vulnerability.
Affected users should contact Sun for patches to repair this vulnerability, and should remove the set-group-id bit from dtmail until it has been patched.
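The interim advice for top above and for dtmail here (and for netprint later in this column) is the same: take the set-user-id and set-group-id bits off the binary until a fixed version is installed. The following is an added example, not code from the column or from any of the vendors, that lists set-id files under a directory and strips the bits from named binaries while recording the old mode so it can be restored after patching. The path /usr/bin/top in the usage line is an assumption; dtmail and netprint live wherever the vendor installed them.

```shell
#!/bin/sh
# Added example, not from the column: audit and strip set-user-id /
# set-group-id bits as a stop-gap until a vendor fix is installed.

# has_setid FILE: true if either set-id bit is set. In `ls -l` output the
# user execute column (4) shows s or S for set-user-id and the group
# execute column (7) shows s or S for set-group-id.
has_setid() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ???[sS]*|??????[sS]*) return 0 ;;
    esac
    return 1
}

# list_setid DIR: print every regular file under DIR with either bit set
# (-perm -4000 is set-user-id, -perm -2000 is set-group-id).
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# strip_setid FILE...: remove both bits from each named file that has one,
# printing "<old permission string> <path>" so the change can be undone
# once the patched binary is in place. Files without set-id bits are skipped.
strip_setid() {
    for f in "$@"; do
        if [ -f "$f" ] && has_setid "$f"; then
            printf '%s %s\n' "$(ls -ld "$f" | cut -c1-10)" "$f"
            chmod ug-s "$f"
        fi
    done
}

# Stand-alone use (run as root): audit /usr/bin and disarm the assumed
# path of top, keeping the record of old modes in a file.
if [ "${1:-}" = "--run" ]; then
    list_setid /usr/bin
    strip_setid /usr/bin/top >> /var/tmp/setid-stripped.log
fi
```

Keep the printed record: a later package upgrade may reinstall the binary with the bits set, or may not, and the record tells you which mode the vendor intended.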
Versions of the tar archive utility before 1.13.19 have no protection against an attacker overwriting or creating files in unexpected locations by placing carefully-crafted file names in a tar archive. Two examples of this type of attack are file names that contain a ".." path component and file names that use an absolute path.
Users should look carefully at the contents of archives from untrusted sources before unpacking them with the tar command. In some situations it is not enough to list the contents of the tar file on a terminal, because the ".." can be hidden with embedded backspace characters that overwrite it on the screen. Users should upgrade to version 1.13.19 of tar as soon as it is released.
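The screening step the paragraph describes, as an added example that is not part of the column or of GNU tar: it reads a member listing (as produced by `tar -tf`) and flags absolute paths, ".." components, and any non-printable bytes in a name, rendering the latter with `cat -v` so a backspace-hidden ".." becomes visible as ^H. The sample names in the test are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the column: screen a tar member listing for
# names that can escape the extraction directory before unpacking.
# Usage:  tar -tf untrusted.tar | check_tar_members
# Exit status is the number of suspicious names (0 means none found).

check_tar_members() {
    bad=0
    while IFS= read -r name; do
        reason=""
        case "$name" in
            /*)                    reason="absolute path" ;;
            ..|../*|*/..|*/../*)   reason="parent-directory (..) component" ;;
        esac
        # Count bytes outside printable ASCII. A backspace (0x08) or
        # carriage return in a name lets ".." be overdrawn on a terminal,
        # so a plain `tar -tf` listing looks harmless. In the C locale this
        # also flags non-ASCII (UTF-8) names, which is acceptable for a
        # screening tool aimed at untrusted archives.
        ctl=$(printf '%s' "$name" | LC_ALL=C tr -d '[:print:]' | wc -c | tr -d ' ')
        if [ "$ctl" -gt 0 ]; then
            reason="${reason:+$reason; }$ctl non-printable byte(s)"
        fi
        if [ -n "$reason" ]; then
            bad=$((bad + 1))
            # cat -v renders hidden bytes (a backspace shows as ^H)
            printf 'SUSPICIOUS: %s  [%s]\n' "$(printf '%s' "$name" | cat -v)" "$reason"
        fi
    done
    [ "$bad" -gt 255 ] && bad=255
    return "$bad"
}

# Stand-alone use: screen an archive named on the command line.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    tar -tf "$1" | check_tar_members
fi
```

A name such as `x^H^H../etc/shadow` carries no literal "/../" sequence, so the pattern check alone misses it; the non-printable-byte count is what catches it, which is why both checks are needed.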
Under some circumstances, an unauthenticated user can download a file containing a topology of the network behind the Firewall-1 firewall that includes IP addresses, netmasks, and descriptions. Only Firewall-1 systems that are using SecureRemote are vulnerable to this problem. It has been reported that Firewall-1 version 4.1SP1 will not respond to an unauthenticated request, by default.
Users of SecureRemote should turn off unauthenticated topology downloads and distribute the topology file manually, or should implement a shared-secret system so that SecureRemote users can authenticate before downloading the topology file. It is recommended that users of SecureRemote search the Checkpoint knowledge base for "unauthenticated topology downloads."
Arkeia backup software, under some circumstances, writes its database files using world-readable permissions. This can allow a local user to gather information about the directory trees that Arkeia is backing up, regardless of the permissions on the directory tree itself.
Users of Arkeia backup software should modify the directory permissions of /usr/knox/arkeia so that only authorized users have directory read and execute permissions. It is also recommended that users watch Arkeia for a patch for this problem.
The netprint utility installed on all SGI IRIX systems has a vulnerability that can be used by a local attacker to gain root privileges. SGI has reported that IRIX 6.5.13 is not vulnerable.
SGI recommends that users apply a patch for this problem. Patches are available for IRIX 6.5.12m and 6.5.12f. Users of earlier versions of IRIX should remove the set user id and set group id bits from
It is reported that Cayman DSL routers are in use that were installed with the default setup, which has no administrative or user passwords and runs a Web server through which administrative commands can be issued.
Users of Cayman DSL routers or any similar device should check the configuration of the device to ensure that it is configured in as secure a manner as is possible.
Return to the Linux DevCenter.