Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in OpenServer applications, Solaris'
dtaction, and SuSE's
lprold; and problems in
htdig, Lotus Domino, Mandrake and Caldera's
uucp, Zope, Cisco Secure PIX Firewall, PHP Nuke, OpenProjects
ircd, and Mandrake
The Web-based search engine
htdig has a vulnerability that can be used by a remote attacker to view files on the system with the permissions of the user executing the Web server. This vulnerability can also be used as part of a denial-of-service attack against the Web server.
htdig should upgrade to the latest packages.
Lotus Domino can, under some circumstances, give out information that includes the server's internal IP address. This information can be used by an attacker to plan and execute attacks against a Domino server that is on an internal network behind a firewall doing NAT (Network Address Translation).
It has been reported that adding the line
DominoNoBanner=1 to the
notes.ini file will solve this problem.
Mandrake Linux and Caldera have released updated
uucp packages that address a vulnerability that can be used to gain
uucp user and group permissions. It is possible, under some conditions, to leverage
uucp user permissions into root access. Mandrake Linux reports that versions 7.1, 7.2, 8.0, and Corporate Server 1.0.1 are affected. Caldera has released updated
uucp packages for OpenLinux 2.3, OpenLinux eServer 2.3.1, OpenLinux eDesktop 2.4, OpenLinux Server 3.1, and OpenLinux Workstation 3.1.
It is recommended that affected users upgrade their systems as soon as possible.
Versions 5.0.6 and earlier of OpenServer are vulnerable to buffer overflows in applications that use
sysadmsh. These buffer overflows can be exploited to gain root privileges. Affected applications include:
Caldera recommends that affected systems be upgraded as soon as possible.
A flaw has been discovered in Zope that can be used by a skilled attacker with Zope access to exceed the permissions they have been granted.
Users of Zope should apply
Hotfix_2001-09-28. RedHat has released updated packages that repair this flaw.
Sun has released a patch for
xlock under Solaris 8 that repairs a buffer overflow that can be used to execute arbitrary code with the permissions of the root user. The patch is reported to be number 108652-40.
Users of Solaris 8 should apply the patch or remove the set user id bit from
xlock. Users of Solaris 2.6 and 7 should remove the set user id bit from
xlock and continue to watch Sun for a patch.
The Cisco Secure PIX firewall has a feature called mailguard that limits the SMTP commands that can be used on a mail server protected by the firewall. A vulnerability in the mailguard feature can be used to bypass the SMTP command filtering. Versions 6.0(1), 5..2(5), and 5.2(4) of the Cisco Secure PIX firewall are vulnerable.
The firewall is also vulnerable to a denial-of-service attack against the AAA authentication feature. This denial-of-service attack is reported to affect versions 4.0 through 5.3(1) that are using AAA authentication.
A vulnerability in the Cisco PIX Firewall Manager software can be exploited to gain full access to the firewall, if the attacker has access to the management machine.
Cisco has released patches for the vulnerabilities in the Cisco Secure PIX firewall and all users should upgrade as soon as possible. The Firewall Manager has been replaced by the PIX device manager. Cisco recommends that users upgrade to the PIX device manager and has announced that patches will not be released for the Firewall Manager application.
There is a buffer overflow in the
dtaction command, distributed with Open Unix and Unixware, that can be exploited to gain additional privileges. All versions of Unixware 7.0 and version 8.0.0 of Open Unix have been reported to be affected.
Caldera has released updated
dtaction binaries and recommends that affected systems be upgraded.
PHP Nuke, an open source Web news and discussion system written in PHP, has vulnerabilities that can be exploited to execute arbitrary code with the permissions of the user executing the Web server, or to log in as another user without knowing their password.
Users of PHP Nuke should watch its Web site for an updated version.
The Line Printer Daemon shipped with the
lprold package of SuSE Linux has a buffer overflow that may be exploitable to gain root access, and a vulnerability that can be used by root users on any machine listed in
/etc/hosts.equiv to change the ownership of any file on the system. It is reported that SuSE Linux versions 6.1, 6.2, 6.3, 6.4, 7.0, 7.1, and 7.2 are affected by this vulnerability.
SuSE recommends that affected users upgrade their systems to the latest
lprold package. No updated packages are available for SuSE Linux 6.1 and 6.2.
The Internet Relay Chat daemon
ircd from OpenProjects has a flaw that can be used to spoof any host name that exists on the Internet. Exploiting this flaw requires the attacker to have control of a name server.
It is recommended that affected users watch the OpenProjects Web site for an update.
Mandrake has reported that there is a vulnerability in the
devfs device file system as it is shipped with Mandrake Linux 8.1. No details on this vulnerability were released.
Mandrake recommends that users boot with the
devfs=nomount option until they fix the vulnerability.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.