 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts: BIND DoS Attack

by Noel Davis
12/01/2003

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a denial-of-service attack against BIND and problems in KDE, GnuPG, screen, Ethereal, FreeRadius, mod_gzip, Pan, detecttr, OpenCA, EPIC, and libnids.

BIND

Version 8 of the BIND Domain Name Server daemon is vulnerable to a remote denial-of-service attack that uses invalid authoritative responses and results in the name server giving its clients negative responses to queries until the TTL (Time to Live) has expired for the affected address. The attacker also has the ability to set a long TTL on the cached invalid negative response.

Users of BIND 8 should upgrade to version 4.9-STABLE as soon as possible.

KDE

KDM, the KDE Display Manager, has a vulnerability that, under some conditions, can grant root access to any user who can log into an account on the system. There is also a problem with the security of session cookies, where KDM's code does not use the full 128 bits of entropy and generates cookies that are vulnerable to a brute-force attack.

It is recommended that users upgrade to KDE 3.1.4 as soon as possible.
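The cookie weakness above comes down to a generator that does not draw a full 128 bits of entropy for each session cookie. As an added illustration that is not KDM's code, the following C shows the shape a defender expects: the cookie is built from 16 bytes read straight from the kernel CSPRNG (the 128 bits an X MIT-MAGIC-COOKIE-1 carries), the read failing closed rather than falling back to a weaker source, plus a check that a cookie string is long enough to encode those 128 bits. The function names and the use of /dev/urandom as the source are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define COOKIE_BYTES 16                   /* 128 bits of entropy per cookie */
#define COOKIE_HEX_LEN (COOKIE_BYTES * 2) /* hex encoding doubles the length */

/* Fill out[] (at least COOKIE_HEX_LEN + 1 bytes) with a hex-encoded cookie
 * made from COOKIE_BYTES bytes of kernel CSPRNG output.
 * Returns 0 on success, -1 if the buffer is too small or the random source
 * could not be read in full; there is deliberately no weaker fallback. */
int make_session_cookie(char *out, size_t outlen) {
    unsigned char raw[COOKIE_BYTES];
    static const char hex[] = "0123456789abcdef";
    FILE *f;
    size_t i;

    if (outlen < COOKIE_HEX_LEN + 1)
        return -1;
    f = fopen("/dev/urandom", "rb");      /* assumed source for this example */
    if (f == NULL)
        return -1;
    if (fread(raw, 1, sizeof raw, f) != sizeof raw) {
        fclose(f);
        return -1;
    }
    fclose(f);
    for (i = 0; i < COOKIE_BYTES; i++) {
        out[2 * i]     = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[COOKIE_HEX_LEN] = '\0';
    return 0;
}

/* Check that a cookie string has the length and alphabet needed to encode
 * all 128 bits. Returns 1 if well-formed, 0 otherwise. A cookie that fails
 * this check cannot possibly carry the entropy the format is meant to hold. */
int cookie_is_well_formed(const char *cookie) {
    size_t n = strlen(cookie);
    size_t i;

    if (n != COOKIE_HEX_LEN)
        return 0;
    for (i = 0; i < n; i++)
        if (!isxdigit((unsigned char)cookie[i]))
            return 0;
    return 1;
}

int main(void) {
    char cookie[COOKIE_HEX_LEN + 1];

    if (make_session_cookie(cookie, sizeof cookie) != 0) {
        fprintf(stderr, "could not read random source\n");
        return 1;
    }
    printf("cookie: %s (well-formed: %d)\n", cookie, cookie_is_well_formed(cookie));
    return 0;
}
```

The length check is a cheap audit hook: a display manager whose cookies are consistently shorter than 32 hex digits, or padded with a fixed prefix, is visibly using fewer than 128 random bits regardless of how the generator is documented.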


GnuPG

GNU Privacy Guard (GnuPG) is a free, RFC 2440 (OpenPGP)-compliant replacement for the encryption tool PGP. GnuPG has a bug in the code that creates and uses ElGamal sign-and-encrypt keys (type 20) that can result in the disclosure of a user's private key. As a result, any and all ElGamal (type 20) keys created with GnuPG 1.0.2 or later should be considered compromised. ElGamal encrypt-only keys (type 16) from any version of GnuPG are not affected by this bug.

Users are strongly urged to revoke any ElGamal type 20 keys immediately and watch their vendors for a version of GnuPG that will not create vulnerable keys.

screen

screen, the GNU virtual terminal manager, is reported to be vulnerable to a buffer overflow that, under some conditions, may be exploitable by an attacker to execute arbitrary code with root permissions or to take over another user's screen session. Versions 4.0.1, 3.9.15, and older of screen are reported to be vulnerable.

Users should watch their vendors for an updated version of screen and should consider removing any set user or group id bits from it until it has been repaired.

Ethereal

The network sniffer Ethereal is vulnerable to several buffer overflows that a remote attacker can trigger with carefully crafted packets; Ethereal processes them either when it reads packets directly from the network or when it reads them from a packet trace file. The vulnerable code handles GTP MSISDN strings, ISAKMP packets, MEGACO packets, and SOCKS.

It is recommended that users upgrade to Ethereal version 0.9.16 or newer or disable the GTP, ISAKMP, MEGACO, and SOCKS protocol dissectors.

FreeRadius

The FreeRadius open source RADIUS server has a bug that can be exploited by a remote attacker to crash FreeRadius, causing a denial of service, and that may, under some unlikely circumstances, be used to execute arbitrary code with the permissions of the user running the FreeRadius server. The bug is reported to affect version 0.9.2 of FreeRadius and all earlier versions. A simple script to cause FreeRadius to crash has been released to the public.

Users should upgrade to version 0.9.3 as soon as possible.

mod_gzip

The Apache module mod_gzip is reported to contain a vulnerability that can be used by a remote attacker to execute arbitrary code with the permissions of the user running the web server. This vulnerability can only be exploited when mod_gzip is running in debug mode.

Affected users should not run mod_gzip in debug mode until it has been upgraded to a repaired version.

Pan

Pan, a GNOME and GTK news reader, is vulnerable to a remote denial-of-service attack. The vulnerability is in the code that handles the author's email address in an article header.

Users should watch their vendors for an updated package that fixes this problem. Red Hat has released updated packages for Red Hat Linux 7.1, 7.2, 7.3, 8, and 9.


detecttr

detecttr is a utility that was distributed as source code in Phrack Magazine Volume 7, Issue 51 and is designed to detect traceroute activity. It is reported to contain a remotely exploitable format-string bug.

Anyone using this utility should change the syslog() call that passes the received buffer as the format string so that it reads syslog(LOG_NOTICE, "%s", buf); instead.
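The one-line fix above is the whole lesson: untrusted data goes in as an argument to a fixed format, never as the format itself. The C below is an added example, not detecttr's code, showing that call shape wrapped in a helper, the same discipline applied to snprintf() so the behaviour can be checked without a syslog daemon, and a small reviewer aid that counts percent conversions in a string (useful when auditing what reaches a *printf or syslog family call). Function names and the sample message are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Fixed call shape from the advisory: buf is an argument to a constant
 * "%s" format, so any '%' sequences in it are logged as literal text. */
void log_notice_untrusted(const char *buf) {
    syslog(LOG_NOTICE, "%s", buf);
}

/* Same discipline applied to snprintf(). Returns the number of characters
 * placed in out (excluding the terminator), or -1 if out is too small. */
int format_untrusted(char *out, size_t outlen, const char *buf) {
    int n = snprintf(out, outlen, "%s", buf);   /* buf is data, not format */
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Reviewer aid: count '%' conversion sequences in a string. "%%" is a
 * literal percent sign and is not counted. A non-zero result for data that
 * is about to be used as a FORMAT argument is the signature of the bug
 * described above; with the fixed call shape the count is irrelevant,
 * because the data is never interpreted as a format. */
int count_format_directives(const char *s) {
    int count = 0;

    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void) {
    /* Constructed sample message containing percent sequences; with the
     * fixed call shape it is nothing more than text. */
    const char *sample = "probe seen from 192.0.2.1 %x %s";
    char out[128];

    if (format_untrusted(out, sizeof out, sample) < 0)
        return 1;
    printf("logged literally: %s (directives in data: %d)\n",
           out, count_format_directives(sample));
    log_notice_untrusted(sample);   /* goes to syslog unchanged if a daemon is running */
    return 0;
}
```

Compilers help here too: building with -Wformat-security warns on a *printf or syslog call whose format argument is a non-literal with no further arguments, which is exactly the shape the advisory tells users to replace.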

OpenCA

OpenCA, the OpenSource Certification Authority Toolkit, contains a bug that, under some conditions, could result in a certificate being accepted that has expired or been revoked.

Users should upgrade to version 0.9.1.4 or newer as soon as possible.

EPIC

EPIC (Enhanced Programmable ircII Client) has a bug in the code that handles the nickname of a user making a CTCP request. It can be exploited by a remote attacker who controls an IRC server that the user connects to. When exploited, the bug can result in arbitrary code being executed as the user running EPIC, or it can cause a denial-of-service condition by crashing EPIC.

Affected users of EPIC should watch their vendors for an updated version. Red Hat has released a repaired package for Red Hat Linux 7.3, 8, and 9.

libnids

libnids, a component of a network-intrusion detection system that emulates the IP stack of Linux, contains a flaw that may, under some conditions, be exploitable by a remote attacker to execute arbitrary code.

Users should watch for a repaired version of libnids.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.