A New Worm Targets Linux04/10/2001
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at the Linux based Adore Worm; buffer overflows in
ntpd; and vulnerabilities in SharePlex, Ultimate Bulletin Board, Lucent/ORiNOCO Closed Network, Red Hat's OpenSSH, Cisco Content Services Switches, and IPFilter.
A new variation of the Ramen and Lion worms, Adore, has been uncovered by the SANS Institute. This new worm has also been referred to as the "Red Worm." Unlike the Lion worm which only exploits a vulnerability in BIND, the Adore worm looks for known vulnerabilities in BIND, LPRng,
When it infects a system, the Adore worm replaces the
ps utility with a trojaned version and copies the original to
/usr/bin/adore. It then sends email to
firstname.lastname@example.org and executes a daemon named
icmp that listens on the network and functions as a back door into the system. In addition, the Adore worm will set up a daily "cronjob" in cron daily that removes all traces of itself and reboots the machine.
Sans has released the Adore worm detection utility
adorefind is ,it provides options to stop the Worm's running applications and remove the worm from the system.
Preventing Distributed Denial of Service Attacks -- Six ways to avoid becoming an unwilling collaborator.
Securing Your Apache Server -- Excerpt from Chapter 13 of O'Reilly's book Apache: The Definitive Guide, 2nd Edition. Enable Apache to communicate securely over Secure Sockets Layer (SSL). Covers building, configuring, and securing an SSL-enabled Apache server under Unix.
Also in Security Alerts:
xntpd are daemons that implement the Network Time Protocol. They have a remotely executable buffer overflow that can be used by an attacker to crash the daemon and under some circumstances execute arbitrary code as the root user. As the Network Time Protocol uses UDP, packets used to attack the system can be spoofed. A remote root exploit program that attacks FreeBSD systems using this vulnerability is known to be available.
System administrators should turn off
xntpd if their systems are not using the Network Time Protocol. If their systems are using the Network Time Protocol, unauthorized connections to
xntpd should be blocked at the firewall. All users of
xntpd should watch their vendor for an update.
Shareplex is a product from Quest software that is used to replicate Oracle databases. Shareplex has a vulnerability that can be exploited to read any file on the server regardless of the permissions of the file.
Users of Shareplex are encouraged to upgrade to version 188.8.131.52 or newer.
Lucent/ORiNOCO Closed Network is a proprietary access control method for 802.11 wireless networks provided by ORiNOCO wireless cards. Closed Network uses a shared secret to provide access to the network. Several of the 802.11 management messages contain this secret and are broadcast without being encrypted. Once an attacker has sniffed the packets containing one of these management messages containing an unencrypted shared secret, they can connect to and access the network fully if WEP is not enabled. If WEP is enabled, the attacker can then use the known flaws in WEP to attack the network.
Users of 802.11 networks protected or not by Closed Network should not depend on the 802.11 protocol or Closed Network to protect the security and privacy of their communications, but should use other tools such as SSL or SSH to further secure and encrypt their communications.
The OpenSSH packages shipped with Red Hat Linux 7 will not correctly start or restart the
sshd daemon if any users are logged in remotely with SSH. This is caused by the initialization script using the
daemon() shell function to start the
sshd daemon. The
daemon() shell function will not allow the daemon to start if there is already a process of the same name running.
Red Hat recommends users of Red Hat Linux 7 update their OpenSSH packages.
The Cisco Content Services switch (also known as Arrowpoint) has a vulnerability that can be used by an attacker to increase their permissions and configure the switch. The attackers can increase their permissions by entering keystrokes that allow them to enter debug mode, then from debug mode they can become root. The attacker must first have access to a valid user account on the switch before launching this attack. This vulnerability affects versions prior to 4.01B19s.
Cisco recommends that users upgrade to version 4.01B19s or newer, and that users use encrypted communications software such as SSH to protect the management traffic from interception.
IPFilter is a multiplatform TCP/IP packet filter distributed with FreeBSD, NetBSD, and OpenBSD that can be used to build a firewall. A bug in IPFilter may forward any packet if fragment cacheing is turned on. IPFilter checks the fragment cache before any rules are checked.
It is recommended that users disable fragment cacheing and upgrade to version 3.4.17 or newer as soon as possible.
Some versions of the TurboTax software for Windows and TurboTax web had a bug that could save passwords on the user's hard drive or on Intuit's servers. This affected TurboTax for Windows users that imported tax information from their financial institutions from January 31 through March 4, 2001, and from March 4 to April 4, 2001, but did not update their software when prompted. TurboTax for the web users who downloaded their tax file onto their local computer may have had their password saved as part of the file. Intuit has deleted all passwords that were saved to their servers.
Intuit has stated that no tax returns or refunds have been affected by this problem, but as a precaution they recommend that users change their PIN or password at each financial institution that they imported information from. They also recommend that users of TurboTax for Windows update their software using the one-click update. Users who downloaded their tax file from the web version of TurboTax should delete this file and redo the download.
A bug was announced on Bugtraq that Ultimate Bulletin Board version 5.47e had a vulnerability that could be used to read messages in private forums.
Infopop Corporation in its response to the advisory pointed out that this version is an old and no longer maintained version and that the newer and maintained version (6.x) is available for a free download to all license holders.
Infopop Corporation has announced a patch for version 5.47e for anyone that still needs it but highly recommends that all users upgrade to version 6.03 or newer.
Read more Security Alerts columns.
Return to the Linux DevCenter.