Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at the latest release of
OpenSSH version 3.0.1; buffer overflows in the HP-UX line printer
ziptool, CDE Subprocess Control
Service Server, and Open UNIX and UnixWare's PPP Utilities; a minor
information leakage problem in OpenSSH and S/Key; and problems in Red
Hat's Stronghold, SuSE
susehelp, and the Cyrus SASL library.
The latest release of OpenSSH version 3.0.1 supports SSH protocol
versions 1.3, 1.5, and 2.0, and includes support for
sftp (both client
and server). It fixes a variety of bugs, including a security
vulnerability that can allow an unauthorized user to authenticate on
systems that have KerberosV enabled, a potential denial-of-service
vulnerability, and others.
Users of OpenSSH are encouraged to upgrade.
The line printer daemon
rlpdaemon that is distributed with HP-UX has a
buffer overflow that can be exploited by a remote attacker to gain
root permissions on the server. HP-UX versions 10.01, 10.10, 10.20,
11.00, and 11.11 are reported to be vulnerable. HP-UX ships with the
line printer daemon enabled by default.
Affected users should apply the appropriate patch and should consider restricting access or firewalling the line printer daemon. Administrators of systems not using the line printer daemon system should consider disabling or removing the package.
pmake, a version of
make that attempts to create programs
in parallel, is vulnerable to a buffer overflow and a format string
vulnerability. On systems where
pmake is installed set user id root,
these vulnerabilities can be exploited by a local user to execute
arbitrary code with the permissions of the root user. Versions 2.1.33
and earlier have been reported to be vulnerable.
Users should watch for an updated version of
pmake and should remove
the set user id bit until
pmake has been repaired.
ziptool application shipped with SuSE Linux has a buffer overflow
that can be used, under some circumstances, by a local attacker to
execute arbitrary code with root permissions. In order for this
attack to be carried out, a Zip drive must be configured and a Zip disk
must be inserted.
SuSE has updated the
ziptool package and recommends that affected users
upgrade as soon as possible.
It has been reported that there is a buffer overflow in the CDE
Subprocess Control Service Server
dtspcd that affects all Unix systems
using Common Desktop Environment (CDE). This buffer overflow can
be exploited remotely to execute arbitrary commands with the
permissions of the root user. The Subprocess Control Service Server
is started by default in all CDE installations, runs as root, and by
default will accept remote connections.
It is recommended that users contact their vendor for an update to the
CDE Subprocess Control Service Server. Users should also consider
limiting access to the CDE Subprocess Control Service Server by using a
firewall or a tool such as
It has been reported that there are several minor problems with OpenSSH's implementation of the S/Key and OPIE one-time password systems. These problems can be used by an attacker to gather information about a system as part of an attack. The one-time password systems send a challenge string that contains the hash algorithm used, a seed value that changes when the user changes his passphrase, and the number of the password (which can tell the attacker how often and when a user logs in). The OpenSSH S/Key implementation will only provide the challenge string when a user exists and is using one-time passwords. It has been reported that OpenSSH relies on the S/Key library to create fake challenges.
It is not clear if there are good solutions to these problems. Systems that require the security of one-time passwords may also need to limit what addresses can connect by using a firewall or by configuring SSH to limit connections to authorized hosts.
Red Hat's Stronghold, a secure SSL Web server based on Apache, has a vulnerability that can be used to disclose sensitive system files and to gather information that can be used as part of an attack on the system.
Two URLs (
stronghold-status) will return
information and should have access restrictions placed upon them.
Affected users should upgrade to Stronghold/3.0 build 3015 as soon as
susehelp package is a collection of CGI scripts that provide a
help system to users. Vulnerabilities in the package can be exploited
by a remote user to execute arbitrary commands with the permissions of
wwwrun-user user account. This vulnerability affects SuSE
versions 7.2 and 7.3.
Users should install the updated
susehelp package available from SuSE.
The Cyrus SASL library has a format-string bug in one of its logging functions that can be used remotely to execute arbitrary code. The library is used to provide an authentication API for mail clients and servers.
Users of the Cyrus SASL library should upgrade it to a repaired version as soon as possible.
The PPP utilities supplied with Open UNIX 8.0.0 and UnixWare 7.1.0 and
7.1.1 have a buffer overflow in several utilities that link to
pppattach. These buffer overflows can be used by a local attacker to
gain root access.
Caldera recommends that affected users upgrade their PPP binaries and
that users who do not use PPP remove the set user id bit from
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.