New Vulnerability in OpenSSH
12/10/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a local root vulnerability in OpenSSH and problems in OpenBSD, wmtv, Auto Nice Daemon, NetDynamics, Xitami Web server, xtel, Lotus Domino, OpenServer's sysi86, SuSE's Postfix installation, and
- Auto Nice Daemon
- Xitami Web Server
- Lotus Domino
- SuSE Postfix Installation
- setcontext and sysi86
A new vulnerability in OpenSSH can, under some circumstances, be exploited by a local attacker to execute arbitrary code with the permissions of the root user. Exploiting this vulnerability requires that the "UseLogin" option be enabled, which most systems do not configure in the default installation. The vulnerability affects OpenSSH versions earlier than 3.0.2.
Users should upgrade their OpenSSH packages to version 3.0.2 or newer as soon as possible. Systems configured with the "UseLogin" option enabled should disable this option until OpenSSH has been upgraded.
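The precondition for this issue is a single sshd_config keyword, so the useful check is whether UseLogin is effectively enabled on a host. The script below is an added example, not code from the column or from the OpenSSH project; it assumes a POSIX shell with sed, awk and mktemp, and it follows sshd's rule that the first occurrence of a keyword wins. The configuration files it inspects are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the column: check whether an sshd_config
# file has the UseLogin option effectively enabled, which is the
# precondition for the OpenSSH < 3.0.2 local root issue described above.
# sshd honours the first occurrence of a keyword, so a later duplicate
# does not override an earlier "no"; the check mirrors that rule.

# sshd_uselogin_enabled CONFIG -> 0 if UseLogin is effectively "yes",
# 1 if it is "no" or absent (the OpenSSH default), 2 if unreadable.
sshd_uselogin_enabled() {
    cfg=$1
    [ -r "$cfg" ] || return 2
    # strip comments, then take the first UseLogin line (keywords are
    # case-insensitive in sshd_config)
    val=$(sed -e 's/#.*$//' "$cfg" \
        | awk 'tolower($1) == "uselogin" { print tolower($2); exit }')
    [ "$val" = "yes" ]
}

# audit_sshd_config CONFIG -> prints a verdict; 0 = safe, 1 = needs action.
audit_sshd_config() {
    if sshd_uselogin_enabled "$1"; then
        echo "$1: UseLogin yes - disable it until OpenSSH 3.0.2 or newer is installed"
        return 1
    fi
    echo "$1: UseLogin not enabled"
    return 0
}

# Constructed sample configurations (not taken from any real host).
demo_dir=$(mktemp -d)
printf 'Port 22\nUseLogin yes\nPermitRootLogin no\n' > "$demo_dir/enabled.conf"
printf '# UseLogin yes\nuselogin no\nUseLogin yes\n' > "$demo_dir/first-wins.conf"
printf 'Port 22\nPermitRootLogin no\n' > "$demo_dir/default.conf"

for f in "$demo_dir"/*.conf; do
    audit_sshd_config "$f" || :
done
```

The second sample shows why a plain grep for "UseLogin yes" is not enough: its last line says yes, but the earlier uncommented "uselogin no" is the one sshd applies. Run the audit against /etc/ssh/sshd_config (or wherever the local build keeps it) and treat a return of 1 as a reason to disable the option until the upgrade is in place.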
OpenBSD 2.9, 3.0, and possibly earlier versions are vulnerable to a local denial-of-service attack.
Users of OpenBSD should watch for a patch for this problem.
wmtv is a TV video player for the Windowmaker window manager. A feature of wmtv allows a user to execute an application when the TV window is double-clicked.
wmtv is installed set user id root, and does not drop these privileges when executing an application. This results in all applications it starts being executed with root permissions.
Users should remove the set user id bit from wmtv and upgrade it as soon as possible.
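Removing the set-user-id bit is a one-line chmod, but the same situation (a setuid program that launches other programs without dropping privileges) is worth auditing for across a system. The script below is an added example, not code from the column or from the wmtv project; it assumes a POSIX shell with find, awk and mktemp, and the directory tree and the file named "wmtv" in it are constructed stand-ins rather than a real installation.

```shell
#!/bin/sh
# Added example, not code from the column: find set-user-id programs
# under a tree and strip the bit from a given one, as the wmtv advice
# requires. The tree and the "wmtv" file below are constructed stand-ins.

# list_setuid DIR -> one "owner path" line per regular file with the
# setuid bit set under DIR (paths without spaces assumed for the demo).
list_setuid() {
    find "$1" -type f -perm -4000 -exec ls -l {} \; | awk '{ print $3, $NF }'
}

# count_setuid DIR -> number of setuid files under DIR.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# drop_setuid FILE -> clears the bit and confirms it is gone (0 on success).
drop_setuid() {
    chmod u-s "$1" && ! [ -u "$1" ]
}

demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/bin"
: > "$demo_root/usr/bin/wmtv"        # stand-in for the wmtv binary
chmod 4755 "$demo_root/usr/bin/wmtv" # installed set-user-id, as shipped
: > "$demo_root/usr/bin/harmless"
chmod 0755 "$demo_root/usr/bin/harmless"

echo "setuid programs before:"
list_setuid "$demo_root"
drop_setuid "$demo_root/usr/bin/wmtv" && echo "removed setuid bit from wmtv"
echo "setuid programs after: $(count_setuid "$demo_root")"
```

On a real system you would run list_setuid against / (or /usr/X11R6 and /usr/local for third-party X clients), compare the output with what the packages are supposed to install, and apply drop_setuid only to the entries that should not be privileged; the demo cannot create root-owned files, so it reports the owner column rather than filtering on it.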
AND, the Auto Nice Daemon, has a format-string bug that can be used by a local attacker to execute commands as the superuser. AND is a daemon that watches the system and dynamically changes the nice level of user processes if they exceed a configured threshold.
Affected users should upgrade AND to version 1.0.5 or newer as soon as possible.
It has been reported that NetDynamics, a leading application server, has a bug that can be exploited by a remote attacker to hijack user sessions. The vulnerability is caused by the user's session id remaining valid for approximately 15 seconds after they log out. The bug is reported to affect NetDynamics versions 4.x and 5.x under Sun Solaris 7 and 8, but may affect other versions.
It is recommended that users watch Sun for a patch for this problem. Users should also consider restricting access to the server using a firewall and configuring NetDynamics to not allow multiple logins from the same domain.
By default, the Xitami Web server stores its administrator passwords in a world-readable file in clear text. This can be used by a local attacker to gain control of the Web server and execute commands as root.
It is recommended that the Web server be reconfigured so that it executes as a normal user account and that the permissions of the defaults.aut file be changed so that the file can only be read by the user executing the Web server.
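The recommended fix has two parts, and the permission part can be checked and applied mechanically. The script below is an added example, not code from the column or from the Xitami project; it assumes a POSIX shell with find and mktemp, and the directory, the sample defaults.aut and its contents are constructed for the demonstration (the file name is the one the advisory mentions, its contents are not Xitami's real format).

```shell
#!/bin/sh
# Added example, not code from the column: flag credential files that any
# local user can read and tighten them to owner-only, the fix suggested for
# Xitami's defaults.aut. The directory and files below are constructed.

# world_readable FILE -> 0 if the "others" read bit is set.
world_readable() {
    [ -n "$(find "$1" -prune -perm -4)" ]
}

# find_exposed DIR PATTERN -> paths under DIR matching PATTERN that
# other users can read (e.g. find_exposed /usr/local/xitami '*.aut').
find_exposed() {
    find "$1" -type f -name "$2" -perm -4
}

# lock_down FILE -> owner read/write only; 0 once others can no longer read.
lock_down() {
    chmod 600 "$1" && ! world_readable "$1"
}

demo_dir=$(mktemp -d)
printf 'admin:example-password\n' > "$demo_dir/defaults.aut"  # constructed
chmod 644 "$demo_dir/defaults.aut"   # the shipped, world-readable state
printf 'not secret\n' > "$demo_dir/index.htm"
chmod 644 "$demo_dir/index.htm"      # public content, expected to stay readable

echo "exposed before:"; find_exposed "$demo_dir" '*.aut'
for f in $(find_exposed "$demo_dir" '*.aut'); do
    lock_down "$f" && echo "locked down $f"
done
echo "exposed after: $(find_exposed "$demo_dir" '*.aut' | wc -l | tr -d ' ')"
```

After chmod 600 the file is readable only by its owner, so the owner must be the account the Web server runs as; if the server is still running as root, the first half of the recommendation (run it as an unprivileged user) has to be done as well, and the file chowned to that user, or the server will not be able to read its own password file.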
libgtop_daemon, a daemon that monitors processes running on remote systems under GNOME, has a format-string vulnerability and a buffer overflow. Both vulnerabilities can be remotely exploited to execute arbitrary code with the permissions of the nobody user account.
The nobody user account, while often used as a low-security generic account, is also the default account that root is mapped to on NFS (Network File System)-mounted file systems, and access to this account on some systems may open up unexpected vulnerabilities.
Upgrading libgtop_daemon to version 1.0.13 will repair the format-string vulnerability, but users will need to watch for a newer version to repair the buffer overflow. libgtop_daemon should be disabled or not executed until a version that fixes both vulnerabilities has been installed.
The xtel X emulator for Minitel that is shipped with Debian GNU/Linux 2.2 is vulnerable to a symbolic-link race condition that can be exploited to overwrite arbitrary files on the system with the permissions of the user executing it.
Users should upgrade xtel to version 3.2.1-4.potato.1.
Lotus Domino versions 5.08 and earlier, running HTTP service with SSL enabled, are vulnerable to a denial-of-service attack that will crash the Domino server. The denial-of-service attack only requires sending null packets to a specific TCP/IP port.
It has been reported that Lotus Domino version 5.09, available as an incremental upgrade, will repair this problem. Users should contact Lotus for confirmation of this, and should consider restricting access to their Domino servers using a firewall.
Under some versions of SuSE Linux, there are vulnerabilities in the installation of Postfix that weaken its security and may cause Postfix not to remove unnecessary files, filling the disks it uses. It was reported that SuSE Postfix packages before December 2001 are vulnerable.
Affected users should watch SuSE for updated Postfix packages that fix this problem.
Caldera has released patches for OpenServer 5.0.6 and earlier that repair vulnerabilities that could be used by a regular user to change segment descriptors and other CPU registers. These changes will prevent some applications, such as i286emul, from functioning. The system administrator may disable this patch to allow such applications to run by editing /etc/conf/pack.d/kernel/space.c and changing the value of allow_dscr_remap to 1.
Under Debian GNU/Linux 2.2, the fml mailing-list manager contains a cross-site scripting vulnerability that can be used by an attacker to inject malicious code into index pages for list archives.
Debian recommends that users upgrade the fml package to version 3.0+beta.20000106-5.