oreilly.comSafari Books Online.Conferences.


Security Alerts

Linux syncookies Vulnerability and an scp/sftp bug


Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a vulnerability in Linux syncookies; buffer overflows in Red Hat's ucd-snmp packages, AIX's dtprintinfo, and the Progress database; and problems in Lotus Domino, Webalizer, SSH Communication Security's SSH2, SCO's libdb1, Cisco IOS, RPM tools, Network Query Tool, and IRIX.

Linux syncookies Vulnerability

syncookies are a 24-bit cookie used by netfilter to protect hosts from SYN Flood attacks. Systems that have syncookies enabled are vulnerable to this attack if an attacker guesses the cookie and can connect to an open, unprotected TCP socket.

syncookies can be disabled on a running system by executing the command: echo 0 > /proc/sys/net/ipv4/tcp_syncookies. Affected systems should be upgraded to a patched version of the Linux kernel as soon as possible.

Lotus Domino

Lotus Domino, an email, work group, and application server, has a vulnerability that can be used by a remote attacker to access the Web Administrator template file (webadmin.ntf). Once the attacker has accessed the Web Administrator template file, they can read any file on the system that the user executing the Domino server can read and can list all the databases on the system. The attacker accesses the Web Administrator template file by using the ReplicaID number and once the attacker has this number, he can access the file on other Domino systems in the domain.

A suggested workaround for this vulnerability is to remove the webadmin.ntf file from the system. It has been reported that Lotus will repair this vulnerability in the 5.0.9 release of Lotus Domino.


Webalizer is a Web server report and analysis tool. Versions of Webalizer earlier than 2.01-09 are vulnerable to a cross-site scripting vulnerability that can be used by a malicious user to inject HTML tags into the generated reports.

Users of Webalizer should upgrade to version 2.01-09 or newer as soon as possible.

Red Hat ucd-snmp Packages

Red Hat has released new ucd-snmp packages that fix multiple vulnerabilities including: a temporary file race condition, buffer overflows, format-string vulnerabilities, and a problem in the code that handles ASN. These vulnerabilities can be used by a remote attacker to gain root permissions.

Red Hat recommends that users upgrade to the latest package as soon as possible.

AIX dtprintinfo

The dtprintinfo command under AIX 4.3.3 has a buffer overflow that can be exploited to gain root access. The dtprintinfo command is used to open the CDE Print Manager window, and is normally installed set user id root.

A suggested workaround for this problem is to remove the set user id bit. IBM has released an emergency fix for this problem and is reported to be working on an official fix.

scp and sftp

The scp and sftp commands that are distributed with SSH Communication Security SSH2 version 3.0.x have a bug that will use all available CPU resources when transferring a file.

Affected System Administrators should be aware of this bug and consider restricting access to the scp and sftp commands and should watch SSH Communication Security for a patch.

SCO libdb1

Some versions of Caldera's OpenLinux have an unsafe configuration of the libdb1 package. This may be exploitable by a remote attacker to gain access to the system and by a local attacker to gain root access. The versions of OpenLinux reported to be vulnerable are OpenLinux Server 3.1 and Open Linux Workstation 3.1.

Users should upgrade their libdb1 package to db-2.7.7-12 or newer as soon as possible.

Cisco Discovery Protocol

Cisco IOS is vulnerable to a denial-of-service attack in its handling of the Cisco Discovery Protocol. When an attacker floods the router or switch with Cisco Discovery Protocol neighbor announcements, the machine will utilize all of its available memory, leaving none available for any other operation, causing it to stop responding or to reboot. In order to exploit this denial-of-service attack, the Cisco Discovery Protocol packets must be generated on the same segment as the device being attacked.

Cisco suggests as a workaround that users disable Cisco Discovery Protocol on affected devices. Cisco has announced that this vulnerability has been fixed in versions 12.2(3.6)B, 12.2(4.1)S, 12.2(3.6)PB, 12.2(3.6)T, 12.1(10.1), 12.2(3.6), and later releases of Cisco IOS.

RPM Command Execution

A bug in the RPM (Red Hat Package Management) tools can be exploited to execute arbitrary code when a carefully crafted RPM package is queried. This vulnerability is reported to affect the RPM 4.0.x packages.

Users should not query RPM packages from untrusted sources and should watch Red Hat for an update to repair this bug.


The Progress database has buffer overflows and format-string vulnerabilities that can be exploited to execute arbitrary code with the permissions of the user executing the database.

Users should contact Progress Software Corporation for an update that fixes these vulnerabilities.

Network Query Tool

Network Query Tool is a PHP script that allows users to perform network queries such as whois, ping, and traceroute. Version 1.0 of Network Query Tool does not properly check or filter metacharacters and can be exploited remotely to execute arbitrary commands on the server with the permissions of the user running the Web server.

Users should watch for an updated version of Network Query Tool and should consider disabling it until an updated version has been released.

IRIX Panic

There is a denial-of-service attack against IRIX systems that is exploited using a malformed IGMP packet. SGI has reported that versions 6.5.x through 6.5.12f are vulnerable. Versions of IRIX earlier than 6.5 are no longer being supported.

SGI recommends that users apply the appropriate patch as soon as possible.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: