Multi-Homed Server Vulnerabilities
03/13/2001
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at buffer overflows in ircd, ePerl, MIT Kerberos 4 and 5, and slrn; temporary file problems in MIT Kerberos 4 and 5, the GNU C Library, and the Athena widget libraries; other problems with proftpd under Debian, Midnight Commander, Cisco Aironet 340 Bridges, and man2html; and a discussion of loopback devices and multi-homed routing.
Alerts for this week:

The tkserv program distributed with the Internet Relay Chat daemon (ircd) package has several problems: a remotely exploitable buffer overflow, a memory leak, and a format string bug. The buffer overflow cannot be exploited without one or more "non-OPERed" lines in the tkserv.access file. These problems affect tkserv version 1.3.0 and earlier.

IRCnet has announced that the next release of ircd will fix these problems.

The proftpd program shipped with Debian 2.2 (Potato) will run as root even if the user selects otherwise. Also, when proftpd is restarted on systems where /var is a symbolic link, it will remove the symbolic link and create a file named

These problems have been fixed in proftpd-1.2.0pre10-2.0potato1, and it is recommended that users upgrade as soon as possible.
Several buffer overflows have been found in ePerl. On systems where ePerl has been installed suid root, these buffer overflows can lead to a remote root compromise.
It is recommended that users upgrade ePerl immediately.
Midnight Commander is a console-based user interface and file manager. A vulnerability has been found that can be used by an attacker to execute arbitrary programs with the permissions of the user running Midnight Commander.
Users of Midnight Commander should upgrade as soon as possible.
In February, we reported three vulnerabilities in the FreeBSD version of Kerberos 4: a temporary-file race condition in the ticket-handling code, improper handling of two environment variables, and a buffer overflow in the libkrb authentication library. These vulnerabilities can all be exploited through telnetd to gain root access.
MIT has now found the same problems in MIT Kerberos 4 and 5, and in some versions derived from MIT Kerberos. Versions now known to be affected include: MIT Kerberos 5, MIT Kerberos 4, Kerbnet, Cygnus Network Security, and some releases of

Users of MIT Kerberos 5 should upgrade to version krb5-1.2.2. Users of other MIT-derived Kerberos packages should contact their vendor for an update.
A program used to manage CDs under X, ascdc, has multiple buffer overflows that can be exploited to gain root privileges if the application has been installed suid root. Ascdc is not automatically installed suid under most circumstances, but some of the features require it to be suid root.
No patch for this problem has been released. Users on multi-user systems should remove the suid bit from the program.
Two security problems have been found in the GNU C Library, glibc. First, an attacker can use LD_PRELOAD to load any library listed in /etc/ld.so.cache prior to executing a suid application, allowing the attacker to overwrite or create files without permission. Second, an attacker could use LD_PROFILE to cause suid programs to write data to a temporary file. This temporary file is written to insecurely and can be used by the attacker to overwrite arbitrary files on the system.
It is recommended that users upgrade their GNU C Library to version 2.1.3-17.
slrn is a console-based Usenet news reader for Unix systems. There is a potential buffer overflow in the wrapping and unwrapping functions that may be exploitable by a long header in a news message.
This problem has been fixed under Debian in version
The web interface of the Cisco Aironet 340 series wireless bridge can be accessed and used to modify the bridge's configuration -- even when it has been disabled. This problem affects the following Cisco bridges: Aironet AP4500, Aironet AP4800, Aironet BR100, Aironet BR500, and Cisco Aironet AIR-BR340.
Cisco recommends that users upgrade to firmware version 8.55.
man2html is a program to convert system man pages to HTML documents. Versions prior to 1.5-22 can be manipulated to consume all the available memory on a server in a denial-of-service attack.
Users should upgrade to version 1.5-22 or 1.5-23.
The AsciiSrc and MultiSrc widgets in the Athena Widget set use temporary files insecurely. This vulnerability can be used by an attacker to overwrite arbitrary files on the system with the permissions of root. The Athena Widget set includes
Users running X on multiuser systems should upgrade to a current version as soon as possible.
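Three of this week's alerts (the Kerberos ticket-handling race, the glibc LD_PROFILE output file, and the Athena AsciiSrc/MultiSrc widgets) share one root cause: a privileged program writes to a temporary file whose name can be predicted and which it opens without checking what is already at that name. The following added example, written for this column and not taken from any of the affected packages, contrasts the vulnerable pattern with the hardened one. Everything in it is constructed: the directory is a private scratch directory, `victim` stands in for an arbitrary file the program has no business touching, and `prog.12345` stands in for a predictable temporary-file name that something else has already turned into a symbolic link.

```python
import errno
import os
import stat
import tempfile


def insecure_write(path, data):
    """The vulnerable pattern: a predictable name opened with a plain open().
    If something else already created that name (for instance a symbolic
    link), the write follows it and lands wherever the link points."""
    with open(path, "wb") as f:
        f.write(data)


def secure_write(path, data):
    """Hardened form: refuse to reuse a name that already exists (O_EXCL),
    refuse to follow a symlink at the final component (O_NOFOLLOW, where the
    platform has it), and create the file unreadable by others (mode 0600)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def run_demo():
    """Constructed scenario (hypothetical names, not from any real package):
    'victim' is a file that must not be modified, 'prog.12345' is a predictable
    temporary-file name that has been pre-linked to it. Returns what each
    writer did to the victim, plus the mode mkstemp() gives its file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        with open(victim, "wb") as f:
            f.write(b"original")
        predictable = os.path.join(d, "prog.12345")
        os.symlink(victim, predictable)

        # The insecure writer follows the link and overwrites the victim.
        insecure_write(predictable, b"clobbered")
        with open(victim, "rb") as f:
            results["victim_after_insecure"] = f.read()

        # Restore the victim, then try the hardened writer on the same name.
        with open(victim, "wb") as f:
            f.write(b"original")
        try:
            secure_write(predictable, b"clobbered")
            results["secure_refused"] = False
        except OSError as e:
            # EEXIST from O_EXCL (a symlink counts as "exists"), or ELOOP from
            # O_NOFOLLOW: either way nothing was written through the link.
            results["secure_refused"] = e.errno in (errno.EEXIST, errno.ELOOP)
        with open(victim, "rb") as f:
            results["victim_after_secure"] = f.read()

        # The idiomatic way: let the library choose an unpredictable name and
        # create it with O_EXCL and mode 0600 in a single step.
        fd, safe_path = tempfile.mkstemp(dir=d)
        os.write(fd, b"private scratch data")
        os.close(fd)
        results["mkstemp_mode"] = stat.S_IMODE(os.stat(safe_path).st_mode)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The point of `O_EXCL` is that the open fails rather than silently succeeding on a name an attacker got to first; the program must then treat that failure as an error (or pick another name), never fall back to a plain `open()`. When the file is meant to be private, the `0o600` mode matters as much as the exclusive create, since a world-readable profiling or ticket file leaks data even when nothing is overwritten.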
Some operating systems, when configured with two or more network interfaces (multi-homed), will deliver packets received on one network interface to the loopback interface. This is not a bug in the TCP/IP stack of these operating systems; it is an unexpected result of following the applicable Internet standards. Affected systems include FreeBSD, NetBSD, and OpenBSD. It is not clear which Linux configurations, if any, are vulnerable.
Another example of this type of unexpected behavior is that some TCP/IP stacks will allow a connection to be made to a broadcast address configured on an interface. Operating systems that exhibit this behavior include OpenBSD and some versions of FreeBSD.
Though this issue is the subject of much debate, there is general agreement that users should use the packet-filtering mechanism available under their operating system, and should not rely on traffic not being delivered to an interface without careful testing. A safer security configuration is to have firewall rules that deny everything and then additional rules that allow only the desired connections.
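To make the recommendation concrete, here is an added example (written for this column, not code from any of the operating systems discussed) that simulates a first-match packet filter and runs the same packets through two policies. The host is constructed: an external interface `ext0` holding 192.0.2.10/24, a loopback `lo0` holding 127.0.0.1, and an administrative daemon listening on 127.0.0.1:8080 on the belief that a loopback address means local processes only. On a stack with the behaviour described above, a packet addressed to 127.0.0.1 that arrives on `ext0` reaches that daemon unless a filter rule stops it. Interface and address names are assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on
    dst: str      # destination IP address
    dport: int    # destination TCP port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    iface: str             # interface name, or "any"
    dst: str               # destination network in CIDR form, or "any"
    dport: Optional[int]   # port number, or None for any port


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface != "any" and rule.iface != pkt.iface:
        return False
    if rule.dst != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def decide(rules: List[Rule], default: str, pkt: Packet) -> str:
    """First matching rule wins; the policy default applies when nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed host (an assumption for this example, not from the column):
# ext0 = 192.0.2.10/24, lo0 = 127.0.0.1, admin daemon on 127.0.0.1:8080.

# Policy A: allow by default, deny the one case the administrator thought of
# (the admin port on the external address). It never considers that a packet
# for a loopback address might arrive on the wire.
DENY_KNOWN_BAD = [Rule("deny", "ext0", "192.0.2.10/32", 8080)]

# Policy B: deny by default, allow only what is wanted, and explicitly refuse
# loopback destinations on anything but lo0.
DEFAULT_DENY = [
    Rule("allow", "lo0", "any", None),
    Rule("deny", "any", "127.0.0.0/8", None),
    Rule("allow", "ext0", "192.0.2.10/32", 22),
]


def evaluate(pkt: Packet) -> dict:
    """Decision of each policy for one packet."""
    return {
        "deny_known_bad": decide(DENY_KNOWN_BAD, "allow", pkt),
        "default_deny": decide(DEFAULT_DENY, "deny", pkt),
    }


if __name__ == "__main__":
    for pkt in (Packet("ext0", "192.0.2.10", 22),     # ssh from the wire
                Packet("ext0", "192.0.2.10", 8080),   # admin port on the external address
                Packet("ext0", "127.0.0.1", 8080),    # admin port via a loopback destination
                Packet("lo0", "127.0.0.1", 8080)):    # admin port from a local process
        print(pkt, evaluate(pkt))
```

Policy A passes the packet addressed to 127.0.0.1 that arrived on `ext0`, because no deny rule mentions it and the default is allow; whether the daemon then sees it depends entirely on the stack's delivery behaviour, which is exactly what the column says not to rely on. Policy B denies it regardless of stack behaviour while still permitting the legitimate ssh and local-loopback traffic, which is the "deny everything, then allow only desired connections" shape recommended above.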
Return to the Linux DevCenter.