Linux Kernel Problems
by Noel Davis
02/10/2003
Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at problems in the Linux
kernel, Kerberos, dhcp3, the Blade encoder, WebSphere Advanced Server,
SpamAssassin, OpenBSD's chpass, Red Hat Linux 8.0's kernel-utils
package, w3m, Window Maker, and HPUX's wall.
- Linux Kernel Problems
- Kerberos Vulnerabilities
- DHCP 3 Server Packet Storm
- Blade Encoder
- WebSphere Advanced Server
- SpamAssassin
- OpenBSD chpass, chfn, and chsh
- Red Hat Linux 8.0's kernel-utils Package
- w3m
- Window Maker
- HPUX wall
Linux Kernel Problems
The 2.4.10 through 2.4.18 Linux kernels have a problem with the
O_DIRECT feature that can be exploited, under some conditions, by a
local attacker to corrupt a file system and read data from deleted
files. In addition, several Ethernet drivers have a vulnerability that
can be exploited to read pieces of kernel memory and data from
Ethernet packets.
It is recommended that affected users upgrade to the 2.4.19 Linux kernel and watch their vendor for updated Ethernet drivers. Updated packages have been released for Mandrake Linux and Red Hat Linux.
Kerberos Vulnerabilities
Kerberos is a network authentication protocol. Several vulnerabilities have been reported in MIT Kerberos. They include a problem in the FTP client; a denial of service caused by a null pointer; a vulnerability that can allow a user, under some conditions (inter-realm authentication is enabled and other servers' principal names are in critical ACLs), to impersonate another user; a bounds-checking problem that can be exploited in a denial-of-service attack; and a format string vulnerability.
The Kerberos FTP client contains a vulnerability that can be exploited
by a malicious FTP server to execute arbitrary commands on a client's
machine or to write to arbitrary files on the user's system. This
vulnerability occurs when the FTP server sends a file name to the
client that begins with the pipe ("|") character. This will cause the FTP
client to pass the filename to a system() call.
MIT recommends that users upgrade to MIT Kerberos 1.2.7 or newer as soon as possible.
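The check below is an added example, not code from MIT Kerberos or from the original column: it shows how a client can validate a server-supplied file name and open it with open(2), so that a leading pipe character is never interpreted as a command. The function names and sample names are assumptions made for illustration, and the example also rejects absolute paths and ".." components, which goes beyond the single case described above.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

/* Added example: may a file name sent by an FTP server be used as a local
 * output path? Returns 1 if acceptable, 0 if it must be rejected. */
int remote_name_ok(const char *name)
{
    const char *p;

    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '|' || name[0] == '/')   /* command marker, absolute path */
        return 0;
    for (p = name; *p; p++)                 /* control characters */
        if ((unsigned char)*p < 0x20 || *p == 0x7f)
            return 0;
    for (p = name; *p; ) {                  /* any ".." path component */
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += len;
        if (*p == '/')
            p++;
    }
    return 1;
}

/* Open the download target with open(2) so the name never reaches a shell.
 * O_EXCL refuses to overwrite an existing file or follow a symlink. */
int open_download(const char *name)
{
    if (!remote_name_ok(name))
        return -1;
    return open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    /* Constructed sample names, not taken from the advisory. */
    const char *samples[] = { "report.txt", "|echo test", "/etc/motd",
                              "../.profile", "docs/readme.txt" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s %s\n", samples[i],
               remote_name_ok(samples[i]) ? "accept" : "reject");
    return 0;
}
```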
DHCP 3 Server Packet Storm
The dhcrelay component of the dhcp3 server can be manipulated by a
remote attacker into creating a large number of BOOTP request packets
to other DHCP servers, potentially causing a denial-of-service
condition or degrading network performance.
Affected users should watch their vendor for repaired dhcp3 packages.
Debian has released new packages that repair this problem.
Blade Encoder
The Blade MP3 encoder bladeenc has a vulnerability that can be used to
execute arbitrary code on a user's machine when bladeenc is used to
encode a carefully-crafted .wav file.
Users should watch their vendor for a repaired version of bladeenc.
WebSphere Advanced Server
The WebSphere XML configuration export file contains password information that can be trivially decoded and used to access keying material and data sources. The passwords are obfuscated with a simple algorithm and Base64 encoded. WebSphere Advanced Server 4.0.4 is reported to be affected by this problem.
The export file should be created in a directory that can only be accessed by authorized users, and users should remove unneeded export files.
SpamAssassin
Under some conditions, a remote user can cause SpamAssassin to execute
arbitrary code by sending a specially-crafted email message.
SpamAssassin versions 2.40 through 2.43 are affected when the spamc
utility is configured to use BSMTP mode (i.e., using the -B option).
Affected users should watch their vendor for an update, and should
consider disabling SpamAssassin until it has been repaired or
configuring it to not use BSMTP mode. Gentoo Linux has released an
updated package that repairs this vulnerability.
OpenBSD chpass, chfn, and chsh
The OpenBSD set user id root utility chpass (chfn and chsh are hard-linked to chpass) can be manipulated, under some circumstances, by a
local attacker to view part of the contents of any file.
The circumstances required to usefully exploit this problem make it unlikely that an attacker would gain any benefit from doing so. This problem has been fixed in OpenBSD-current and a patch has been made available.
Red Hat Linux 8.0's kernel-utils Package
The kernel-utils package that is distributed with Red Hat Linux 8.0
contains the utility uml_net that is incorrectly set user id root and
as a consequence, can be abused by normal users to gain control of
network interfaces. uml_net is part of user mode Linux (UML).
Users should remove the set user id bit from uml_net with the command
chmod -s /usr/bin/uml_net or should upgrade the kernel-utils package
to a version in which uml_net is not installed set user id root.
w3m
w3m, a pager- and text-based web browser, can be manipulated by an
attacker to insert arbitrary HTML and scripts into frames and image
attributes. This vulnerability can be used by the attacker to gain
access to a victim's local file system and to steal cookie information.
It is recommended that users upgrade to w3m version 0.3.2.1 or newer
as soon as possible, or upgrade to repaired packages from their vendor.
Window Maker
The X Window window manager Window Maker is designed to look and feel similar to the NeXTSTEP graphical user interface. There is a buffer overflow in all versions of Window Maker through version 0.80.0 that can be exploited to execute arbitrary code with the permissions of the user running Window Maker. The buffer overflow is in code that handles the opening of an image file. One possible attack is to place a carefully-crafted image inside of a desktop theme package.
Users should watch for an updated package from their vendor. A repaired package has been released for Red Hat Linux.
HPUX wall
The wall command distributed with HPUX 11.11 is reported to be
vulnerable to a buffer overflow that may be exploitable to execute
arbitrary code with the permissions of the tty group.
Users should watch HP for a patch that repairs this problem.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.