Linux syncookies Vulnerability and an scp/sftp bug
11/05/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a vulnerability in Linux syncookies; buffer overflows in Red Hat's ucd-snmp packages, AIX's dtprintinfo, and the Progress database; and problems in Lotus Domino, Webalizer, SSH Communication Security's SSH2, SCO's libdb1, Cisco IOS, RPM tools, Network Query Tool, and IRIX.
- Linux syncookies Vulnerability
- Lotus Domino
- Red Hat ucd-snmp Packages
- AIX dtprintinfo
- scp and sftp
- SCO libdb1
- Cisco Discovery Protocol
- RPM Command Execution
- Network Query Tool
- IRIX Panic
syncookies are a 24-bit cookie used by netfilter to protect hosts from SYN Flood attacks. Systems that have syncookies enabled are vulnerable if an attacker guesses the cookie value and can then connect to an open, unprotected TCP socket. syncookies can be disabled on a running system by executing the command:
echo 0 > /proc/sys/net/ipv4/tcp_syncookies
Affected systems should be upgraded to a patched version of the Linux kernel as soon as possible.
Lotus Domino, an email, work group, and application server, has a vulnerability that can be used by a remote attacker to access the Web Administrator template file (webadmin.ntf). Once the attacker has accessed the Web Administrator template file, they can read any file on the system that the user executing the Domino server can read, and can list all the databases on the system. The attacker accesses the Web Administrator template file by its ReplicaID number; once the attacker has this number, the file can be accessed on other Domino systems in the domain.
A suggested workaround for this vulnerability is to remove the webadmin.ntf file from the system. It has been reported that Lotus will repair this vulnerability in the 5.0.9 release of Lotus Domino.
Webalizer is a Web server report and analysis tool. Versions of Webalizer earlier than 2.01-09 have a cross-site scripting vulnerability that can be used by a malicious user to inject HTML tags into the generated reports.
Users of Webalizer should upgrade to version 2.01-09 or newer as soon as possible.
Red Hat has released new ucd-snmp packages that fix multiple vulnerabilities including a temporary file race condition, buffer overflows, format-string vulnerabilities, and a problem in the code that handles ASN. These vulnerabilities can be used by a remote attacker to gain root permissions.
Red Hat recommends that users upgrade to the latest package as soon as possible.
The dtprintinfo command under AIX 4.3.3 has a buffer overflow that can be exploited to gain root access. The dtprintinfo command is used to open the CDE Print Manager window, and is normally installed set user id (setuid) root.
A suggested workaround for this problem is to remove the set user id bit. IBM has released an emergency fix for this problem and is reported to be working on an official fix.
The scp and sftp commands that are distributed with SSH Communication Security SSH2 version 3.0.x have a bug that causes them to use all available CPU resources when transferring a file.
Affected system administrators should be aware of this bug, consider restricting access to the scp and sftp commands, and watch SSH Communication Security for a patch.
Some versions of Caldera's OpenLinux have an unsafe configuration of the libdb1 package. This may be exploitable by a remote attacker to gain access to the system and by a local attacker to gain root access. The versions of OpenLinux reported to be vulnerable are OpenLinux Server 3.1 and OpenLinux Workstation 3.1.
Users should upgrade their libdb1 package to db-2.7.7-12 or newer as soon as possible.
Cisco IOS is vulnerable to a denial-of-service attack in its handling of the Cisco Discovery Protocol. When an attacker floods the router or switch with Cisco Discovery Protocol neighbor announcements, the device consumes all of its available memory, leaving none for any other operation, and stops responding or reboots. To exploit this denial of service, the Cisco Discovery Protocol packets must be generated on the same network segment as the device being attacked.
Cisco suggests as a workaround that users disable Cisco Discovery Protocol on affected devices. Cisco has announced that this vulnerability has been fixed in versions 12.2(3.6)B, 12.2(4.1)S, 12.2(3.6)PB, 12.2(3.6)T, 12.1(10.1), 12.2(3.6), and later releases of Cisco IOS.
A bug in the RPM (Red Hat Package Management) tools can be exploited to execute arbitrary code when a carefully crafted RPM package is queried. This vulnerability is reported to affect the RPM 4.0.x packages.
Users should not query RPM packages from untrusted sources and should watch Red Hat for an update to repair this bug.
The Progress database has buffer overflows and format-string vulnerabilities that can be exploited to execute arbitrary code with the permissions of the user executing the database.
Users should contact Progress Software Corporation for an update that fixes these vulnerabilities.
Network Query Tool is a PHP script that allows users to perform network queries such as traceroute. Version 1.0 of Network Query Tool does not properly check or filter metacharacters and can be exploited remotely to execute arbitrary commands on the server with the permissions of the user running the Web server.
Users should watch for an updated version of Network Query Tool and should consider disabling it until an updated version has been released.
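The kind of check the Network Query Tool advisory calls for, shown here in Python as an added example (not Network Query Tool's own PHP code): the user-supplied target is accepted only if it is a well-formed hostname or IP literal, and traceroute is started without a shell so metacharacters are never interpreted. The traceroute option set and the sample inputs are assumptions of this example.

```python
import ipaddress
import re
import subprocess

# Allow-list for a DNS hostname: labels of letters, digits and hyphens that
# start and end with an alphanumeric, joined by dots (RFC 1123 shape).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def is_safe_target(target: str) -> bool:
    """True only for a well-formed hostname or IP literal.

    Anything else, including shell metacharacters such as ; | ` $ ( ) and
    whitespace, is rejected before the value reaches a command line.
    """
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)   # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(target) is not None


def build_traceroute_argv(target: str) -> list:
    """Build the argv for traceroute; raises ValueError on a bad target.

    The option set is an assumption for this example. A leading '-' can never
    pass is_safe_target, so the target cannot be mistaken for an option.
    """
    if not is_safe_target(target):
        raise ValueError("rejected target: %r" % target)
    return ["traceroute", "-m", "30", target]


def run_traceroute(target: str) -> str:
    """Run traceroute with shell=False: argv goes to execve, never to /bin/sh."""
    proc = subprocess.run(build_traceroute_argv(target),
                          capture_output=True, text=True, timeout=120)
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample inputs: the first two are accepted, the rest rejected.
    for candidate in ["www.example.com", "192.0.2.1",
                      "example.com;ls", "example.com|ls", "-m"]:
        print(f"{candidate!r:>20} -> {is_safe_target(candidate)}")
```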
There is a denial-of-service attack against IRIX systems that is exploited using a malformed IGMP packet. SGI has reported that versions 6.5.x through 6.5.12f are vulnerable. Versions of IRIX earlier than 6.5 are no longer being supported.
SGI recommends that users apply the appropriate patch as soon as possible.
Return to the Linux DevCenter.