Snort Problems

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in Snort and SheerDNS, and problems in Xinetd, vixie-cron, Oracle E-Business Suite FNDFS, xfsdump, Ximian Evolution, GtkHTML, kdegraphics, and psbanner.
Snort, a network intrusion detection system, has a vulnerability in
the stream4 preprocessor module that can be exploited by a remote
attacker to execute arbitrary code with the permissions of the user
running Snort (in most cases, root). The stream4 module reassembles
TCP streams that have been split across multiple TCP segments before
they are analyzed.
It is recommended that users upgrade Snort to version 2.0 or newer as
soon as possible. A workaround for this vulnerability is to comment
out the line "preprocessor stream4_reassemble" in the Snort
configuration file. This workaround will protect the server from this
vulnerability, but it will make it easier to evade the intrusion
detection system by fragmenting an attack across different TCP
segments.
Xinetd, a replacement for inetd, is vulnerable to a denial-of-service
attack when it is configured to reject some connections in hosts.deny.
Affected users should upgrade to Xinetd 2.3.11 or newer, or watch their vendor for an updated package.
vixie-cron

The vixie-cron scheduling daemon's crontab utility contains a
vulnerability that may, under some conditions, be exploitable by a local
attacker to obtain root permissions.
It is recommended that users upgrade to a repaired package as soon as
possible. It has been reported that repaired packages are available
for Debian GNU/Linux 2.2; Linux-Mandrake 7.1, 7.2, 8.0 and Corporate
Server 1.0.1; SuSE Linux 7.1; and Conectiva Linux. Users who cannot
upgrade vixie-cron immediately should consider removing the set-user-id bit from the crontab utility.
The Oracle E-Business Suite FNDFS (FND File Server or Report Review Agent) application is used to retrieve reports from the Concurrent Manager server. A flaw in FNDFS can be remotely exploited to retrieve any file on the system that is readable by the oracle or applmgr accounts. SQL*Net access to the Concurrent Manager server is required to exploit this flaw.
Oracle is reported to have released patches for Oracle Application server 11.0 and 11i and Application Desktop Integrator. It is also recommended that users use a tool such as a firewall to block all SQL*Net traffic from untrusted networks.
xfsdump

The utility xfsdump does not safely create the file in which quota information is stored during a dump. This problem can be exploited
by a local attacker, under some circumstances, to obtain root
permissions.
Users should watch their vendor for an update that repairs this problem. SGI and Mandrake are reported to have released patches that repair this problem.
Ximian Evolution, a workgroup and individual information management system that runs under Linux and other Unix systems, has several vulnerabilities that can be used in a denial-of-service attack, including a problem in the HTML widget GtkHTML. The system offers features such as email, group calendaring, contact lists, and task management.
It is recommended that users upgrade to Ximian Evolution 1.2.4 or newer or watch their vendor for updated Ximian Evolution and GtkHTML packages. Updated packages have been announced for Red Hat Linux and Mandrake Linux.
kdegraphics

The kdegraphics package contains Ghostscript software that is used to
handle PostScript and PDF files. A bug in this software can be
exploited by an attacker creating a carefully crafted file that, when
viewed (or previewed) by a user, can result in arbitrary shell commands
being executed with the permissions of the user. The file can be
delivered to the user though many methods, including a web page or
email. This vulnerability is reported to affect KDE 2 and KDE 3
versions through KDE 3.1.1.
It is strongly recommended that affected users upgrade to KDE 3.0.5b or KDE 3.1.1a as soon as possible. Users who cannot upgrade immediately should exercise care when viewing PostScript and PDF files and should disable any preview features in the KDE software they are using.
psbanner

The psbanner utility is distributed as part of the LPRng package and
is used to create a banner in a PostScript format. When used as a
printer filter, psbanner is vulnerable to a symbolic-link race
condition that can be used by a local attacker to create or overwrite
arbitrary files on the system with the permissions under which the printing system
is running.
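The xfsdump and psbanner advisories above describe the same class of bug: a privileged program creates a work file at a name a local user can predict, so a symbolic link planted at that name redirects the write to any file the attacker chooses. The following is an added example, not code from the column, from xfsdump or from LPRng. It reproduces the mistake in a throwaway directory and shows the open(2) flags that close it; the directory and file names are constructed for the demonstration.

```c
/* Added example, not from the column, xfsdump or LPRng: the file-creation
 * mistake behind the xfsdump and psbanner advisories, beside the open(2)
 * flags that close it. All paths are constructed under a fresh temp dir. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: create a work file at a predictable name with
 * O_CREAT|O_TRUNC. If a local user has already planted a symlink at that
 * name, open() follows it and the privileged process truncates and writes
 * whatever file the link points at. */
int unsafe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything, a symlink
 * included, already exists at the name, so the process only ever writes to a
 * file it created itself. mkstemp(3) gives the same guarantee for randomly
 * named temporary files. */
int safe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario shared by both checks: a victim file whose contents
 * must survive, and a symlink planted at the name the privileged code will
 * open. Returns 0 on success, -1 on setup failure. */
static int plant(const char *dir, char *victim, char *planted, size_t n)
{
    snprintf(victim, n, "%s/victim-file", dir);
    snprintf(planted, n, "%s/quota-tmp", dir);

    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important data\n", f);
    fclose(f);
    return symlink(victim, planted);
}

static void cleanup(const char *dir, const char *victim, const char *planted)
{
    unlink(planted);
    unlink(victim);
    rmdir(dir);
}

/* Returns 1 if the unsafe call followed the planted link and emptied the
 * victim file, 0 if the victim survived, -1 if the scenario could not be built. */
int unsafe_follows_planted_link(void)
{
    char dir[] = "/tmp/symlink-race-XXXXXX";
    char victim[256], planted[256];
    struct stat st;

    if (!mkdtemp(dir)) return -1;
    if (plant(dir, victim, planted, sizeof victim) != 0) {
        cleanup(dir, victim, planted);
        return -1;
    }

    int fd = unsafe_create(planted);   /* follows the link, truncates victim */
    if (fd >= 0) close(fd);

    int clobbered = (stat(victim, &st) == 0 && st.st_size == 0);
    cleanup(dir, victim, planted);
    return clobbered;
}

/* Returns 1 if the hardened call refused the planted link (EEXIST) and the
 * victim file kept its contents, 0 otherwise, -1 on setup failure. */
int safe_refuses_planted_link(void)
{
    char dir[] = "/tmp/symlink-race-XXXXXX";
    char victim[256], planted[256];
    struct stat st;

    if (!mkdtemp(dir)) return -1;
    if (plant(dir, victim, planted, sizeof victim) != 0) {
        cleanup(dir, victim, planted);
        return -1;
    }

    int fd = safe_create(planted);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);

    int intact = (stat(victim, &st) == 0 && st.st_size > 0);
    cleanup(dir, victim, planted);
    return refused && intact;
}

int main(void)
{
    printf("unsafe open followed planted symlink: %d\n", unsafe_follows_planted_link());
    printf("O_EXCL open refused planted symlink:  %d\n", safe_refuses_planted_link());
    return 0;
}
```

The point of the pair is that the fix is not a check-then-open sequence (stat() followed by open() leaves the same race window) but a single atomic creation that refuses to proceed if the name is already taken. Where a program genuinely needs a temporary file, mkstemp(3) combines the unpredictable name and the O_EXCL creation in one call, which is the change a vendor patch for this bug class typically makes.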
Users should watch their vendor for an updated package and should
consider disabling psbanner until it has been updated. Users of
systems that do not use the printing system should consider removing
or disabling it.
SheerDNS is a small DNS server that stores every record in its own
file and does not require restarting the server when a change is made
to a record. Its web site states, "SheerDNS is extremely light-weight,
simple, and fast, and written with security in mind." SheerDNS
version 1.0.0 is vulnerable to a buffer overflow in the code that
handles replies in a CNAME request, and a directory traversal
vulnerability. A local user may be able to exploit both of these
vulnerabilities together and execute arbitrary code with the
permissions of the user running SheerDNS.
It is recommended that users upgrade to SheerDNS 1.0.0 or newer as soon as possible. It has been reported that the author of SheerDNS fixed these vulnerabilities the day they were reported to him.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.