OpenSSL Timing Attack
by Noel Davis 02/24/2003
Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at problems in OpenSSL,
Oracle, mod_php, MySQL, pam_xauth, VNC, apcupsd, nethack, Rogue, and BitchX.
OpenSSL
A timing-based attack against OpenSSL has been reported. This attack can be used under some conditions to retrieve a text block, such as a user's password. This attack is described in a paper written by Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin Vuagnoux that is to be presented at CRYPTO 2003.
The developers of OpenSSL recommend that users upgrade to OpenSSL version 0.9.7a. Users of the OpenSSL 0.9.6* "engine" release that cannot upgrade to 0.9.7a should apply the file openssl-engine-0.9.6i.tar.gz. Users of precompiled packages should watch their vendor for updates to affected packages.
Oracle
Multiple buffer overflows, format string attacks, and other
vulnerabilities have been reported in the Oracle8i Database, Oracle9i
Application Server, and Oracle9i Database. These vulnerabilities
can be exploited by an attacker to execute arbitrary code with the
permissions of the oracle account, conduct a denial-of-service attack
against Oracle applications, and delete, modify,
and add to data stored in the database.
Users should contact Oracle for details on vulnerabilities and availability of patches. It is also recommended that users reduce their risks by using tools such as a firewall to restrict access to their databases and other Oracle servers, limit the permissions that are available to user accounts used to run Oracle applications, and disable Oracle services that are unused or not needed.
mod_php
Version 4.3.0 of the Apache PHP module mod_php contains a bug in the
code that handles the command line option
--enable-force-cgi-redirect and the php.ini option
cgi.force_redirect. An attacker can exploit this bug to arbitrarily
access any file on the system that is readable by the user running the web server. Under some conditions, the attacker may be
able to execute arbitrary PHP code if they can inject it into a file
readable by the web server (for example, the web server's log files).
The PHP Group has released version 4.3.1 of PHP. Users of binary
packages should watch their vendor for an update and should consider
disabling mod_php until it has been repaired.
MySQL
A double free() bug in MySQL's mysql_change_user() function can be
exploited, under some circumstances, by an attacker as a denial-of-service
attack against the database server. The attacker must be able to log
into the database, and must use a specially-modified MySQL client to
exploit this bug.
Users should upgrade to MySQL release 3.23.55 to repair this bug.
pam_xauth
The PAM module pam_xauth incorrectly handles authorization information
for the root user and, under some conditions, could be exploited to gain
root permissions on a system. Some versions of pam_xauth will forward
the MIT-Magic-Cookie for the root user to another user when the root
user uses su to change to that user. This may be exploitable in several ways to gain
root access to the machine. Versions of pam_xauth distributed with
Red Hat Linux 7.1, 7.2, 7.3, and 8.0; Mandrake Linux 8.1, 8.1/IA64, 8.2,
8.2/PPC, and 9.0; and Mandrake's Multi Network Firewall 8.2 are reported
to be vulnerable.
Affected users should contact their vendor for updated packages. Updated packages have been released by Mandrake and Red Hat.
VNC
VNC (Virtual Network Computing) is used to provide a remote graphical virtual console over a network. VNC is vulnerable to two attacks that may be exploitable by a remote attacker to gain access to the VNC server. The two vulnerabilities are that the MIT X cookie used for authentication by the VNC server is created with an insufficient random-number generator, and that the VNC DES authentication scheme has a bug that an attacker can exploit by sniffing the connection and "replaying" the authentication response within the same second.
Users should watch their vendors for updated VNC packages. It is strongly suggested that VNC connections be made using an encryption package such as SSH.
apcupsd
The apcupsd daemon provides power management and the control of most of
APC's UPS models. apcupsd is vulnerable to buffer overflows in the
code that handles the network information server and has a remote root
vulnerability in slave setups.
It is recommended that users upgrade to either the stable release of
apcupsd version 3.8.6 or the unstable version 3.10.5 as soon as
possible. Users should consider disabling apcupsd until it has been
updated.
nethack
There is a buffer overflow in the game nethack that can be exploited
by a local attacker to execute arbitrary code. On systems where
nethack is installed with a set user id bit (Red Hat Linux and Gentoo
Linux both install nethack set user id games, for example) the attacker
can gain access to the user id games.
Users should remove the set user id bit from nethack and should
upgrade the game as packages become available.
Rogue
The role-playing game Rogue has a buffer overflow in the save game function that can be exploited, in some distributions, to execute code with the increased permissions of games.
Users should check the permissions of Rogue and remove any set user id bit or set group id bits, and should upgrade the game as packages become available.
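The permission check recommended for nethack and Rogue above, as an added example that is not part of the original column: a POSIX shell script that lists set user id and set group id files under the paths it is given and can clear those bits. The function names and the script name audit.sh are hypothetical, and the paths to audit are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit paths for set-user-id / set-group-id files, as the
# nethack and Rogue advisories recommend. Function names are hypothetical.

# list_privileged_files PATH...
# Print every regular file under PATH that has the setuid (4000) or
# setgid (2000) bit set. Only POSIX find primaries are used.
list_privileged_files() {
    [ "$#" -gt 0 ] || return 2
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# strip_privileged_bits PATH...
# Report each privileged file, clear both bits, then re-scan. Returns 0
# only when no setuid/setgid file is left under PATH.
strip_privileged_bits() {
    [ "$#" -gt 0 ] || return 2
    list_privileged_files "$@" | sed 's|^|clearing setuid/setgid: |'
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s {} + 2>/dev/null
    [ -z "$(list_privileged_files "$@")" ]
}

# Entry point: "sh audit.sh [--strip] PATH..." (report-only by default).
# With no arguments the script only defines the functions.
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--strip" ]; then
        shift
        strip_privileged_bits "$@"
    else
        list_privileged_files "$@"
    fi
fi
```

Run it report-only first and review the list before using --strip, since some system binaries legitimately need these bits.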
BitchX IRC Client
There is a denial-of-service vulnerability in the BitchX IRC Client.
Sending BitchX a badly-formed RPL_NAMREPLY numeric 353 will cause it
to crash.
Users should watch their vendor for updated packages that repair this problem.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.