Date: 6 Jul 2004 20:04:33 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #191
SecurityFocus Linux Newsletter #191
------------------------------------

This Issue is Sponsored By: SecurityFocus 

Want to keep up on the latest security vulnerabilities? Don't have time
to visit a myriad of mailing lists and websites to read the news? Just
add the new SecurityFocus RSS feeds to your freeware RSS reader, and see
all the latest posts for Bugtraq and the SF Vulnerability database in one
convenient place. Or, pull in the latest news, columnists and feature
articles in the SecurityFocus aggregated news feed, and stay on top of
what's happening in the community!

http://www.securityfocus.com/rss/index.shtml

------------------------------------------------------------------------
I. FRONT AND CENTER
     1. Close the E-Mail Wiretap Loophole
     2. Multi-Layer Intrusion Detection Systems
     3. The Allure and Curse of Complexity
II. LINUX VULNERABILITY SUMMARY
     1. Apache ap_escape_html Memory Allocation Denial Of Service Vu...
     2. Sun Java Runtime Environment Font Object Assertion Failure D...
     3. Dr. Web Unspecified Buffer Overflow Vulnerability
     4. Linux Kernel Sbus PROM Driver Multiple Integer Overflow Vuln...
     5. Pavuk Remote Stack-Based Buffer Overrun Vulnerability
     6. Linux Kernel IPTables Sign Error Denial Of Service Vulnerabi...
     7. RSBAC Jail SUID And SGID File Creation Vulnerability
     8. IBM Lotus Domino IMAP Quota Changing Vulnerability
     9. FreeBSD Linux Binary Compatibility Memory Access Vulnerabili...
     10. Esearch eupdatedb Symbolic Link Vulnerability
III. LINUX FOCUS LIST SUMMARY
     1. Weird! (Thread)
     2. Last login missing (Thread)
     3. Error installing Clamav? (Thread)
     4. just running tcpdump makes promisc mode? (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Cyber-Ark  Inter-Business Vault
     2. EnCase Forensic Edition
     3. KeyGhost SX
     4. SafeKit
     5. Astaro Linux Firewall
     6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
     1. Ettercap v0.7.0 pre2
     2. SnortNotify 1.02
     3. Devil-Linux v1.2 Beta 1
     4. GNU Anubis v3.9.94
     5. DNSSEC Walker v3.4
     6. Linux Intrusion Detection System (LIDS) v2.6.6
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Close the E-Mail Wiretap Loophole
By Mark Rasch

Some pretty sleazy operators are slipping through a hole in a federal
wiretap law that arguably leaves your e-mail unprotected from snooping.

http://www.securityfocus.com/columnists/253


2. Multi-Layer Intrusion Detection Systems
By Nathan Einwechter

This article discusses a framework for a multi-layer IDS (mIDS), a system
that brings together many layers of technology into a single monitoring
and analysis engine, from integrity monitoring software like Tripwire to
system logs, IDS logs, and firewall logs.

http://www.securityfocus.com/infocus/1788


3. The Allure and Curse of Complexity
By Jason Miller 

The curse of complexity is the bane of every security administrator, so
UNIX users take your pick: would you like BSD or Linux? 

http://www.securityfocus.com/columnists/252

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Apache ap_escape_html Memory Allocation Denial Of Service Vu...
BugTraq ID: 10619
Remote: Yes
Date Published: Jun 28 2004
Relevant URL: http://www.securityfocus.com/bid/10619
Summary:
Apache Web Server is reportedly affected by a memory allocation based
denial of service vulnerability.  This issue is due to a failure of the
server to handle excessively long HTTP header strings.

This issue would allow an attacker to cause the affected application to 
crash, denying service to legitimate users.

Although only Apache version 2.0.49 is reportedly affected by this issue,
it is likely that earlier versions are affected as well.

2. Sun Java Runtime Environment Font Object Assertion Failure D...
BugTraq ID: 10623
Remote: Yes
Date Published: Jun 28 2004
Relevant URL: http://www.securityfocus.com/bid/10623
Summary:
The Sun Java Runtime Environment Font object is reportedly vulnerable 
to an assertion failure denial of service vulnerability.  This issue is 
due to a failure of the process to handle exceptional conditions when 
processing font objects.

This issue is reported to affect Java Runtime Environment versions 
1.4.1 through 1.4.2; it is likely however that other versions are also 
affected.  This issue will crash Internet browsers running an affected Java 
plug-in as well.

This issue may be exploited by an attacker to cause a vulnerable 
application, as well as all processes spawned from the application, to crash, 
denying service to legitimate users. Due to the scope of the crash, 
data loss may occur.

3. Dr. Web Unspecified Buffer Overflow Vulnerability
BugTraq ID: 10628
Remote: Yes
Date Published: Jun 29 2004
Relevant URL: http://www.securityfocus.com/bid/10628
Summary:
It has been reported that an unspecified buffer overflow vulnerability 
exists in Dr. Web.

Users of Dr. Web have reported seeing this message logged to syslog by 
ProPolice on OpenBSD computers:
drwebd: stack overflow in function int scanMail(int, time_t *, int, 
int, const char *)

An unspecified buffer overflow in the scanMail() function may be 
exploitable. If it is, attempts to exploit it may result in the affected 
application crashing. This may also be leveraged to execute arbitrary code 
in the context of the Dr. Web process.

As more information is known, this BID will be updated.

4. Linux Kernel Sbus PROM Driver Multiple Integer Overflow Vuln...
BugTraq ID: 10632
Remote: No
Date Published: Jun 29 2004
Relevant URL: http://www.securityfocus.com/bid/10632
Summary:
It is reported that the OpenPROM Linux kernel driver contains multiple 
integer overflow vulnerabilities.

Two vulnerabilities are reported to exist in the OpenPROM driver; both
involve overflowing an integer value. These values are used to allocate
kernel memory, and then subsequently to copy data into the kernel. This
could lead to overwriting large amounts of kernel memory.

These vulnerabilities could lead to a system crash, or possible code 
execution in the context of the kernel.

Some versions of the Linux kernel are vulnerable to both overflows, 
other versions are only susceptible to one. Kernel version 2.6.6 does not 
appear to be vulnerable.
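The pattern described in this item, a caller-controlled count multiplied by an element size to obtain an allocation length that is then reused for a copy, is illustrated below in user-space C. This is an added example written for this newsletter digest, not the OpenPROM driver source: the request layout, the element count, and the 64 KiB cap are assumptions, and the vulnerable arithmetic is shown only as a size computation so that the wrap itself is observable next to the checked version.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the integer-overflow-before-allocation class.
 * It is NOT the Linux OpenPROM/sbus driver code; the request layout below
 * and the MAX_REQ_BYTES cap are assumptions made for this example. */

typedef struct {
    uint32_t count;      /* number of elements, supplied by the caller */
    uint32_t elem_size;  /* bytes per element, supplied by the caller */
} request_t;

#define MAX_REQ_BYTES (64u * 1024u)   /* assumed policy cap for one request */

/* Vulnerable arithmetic: the 32-bit product wraps, so a huge request yields
 * a tiny allocation size while a later copy that trusts 'count' runs past it. */
uint32_t unchecked_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;          /* wraps modulo 2^32, silently */
}

/* Hardened: reject zero sizes, reject products that would wrap, and cap the
 * request at a sane maximum before any memory is allocated. */
int checked_size(uint32_t count, uint32_t elem_size, uint32_t *out) {
    if (count == 0 || elem_size == 0) return -1;
    if (count > UINT32_MAX / elem_size) return -1;   /* product would wrap */
    uint32_t product = count * elem_size;
    if (product > MAX_REQ_BYTES) return -1;          /* policy cap */
    *out = product;
    return 0;
}

/* Models the driver path (allocate, then copy caller data into the buffer):
 * the copy length is the validated size, never a recomputed product.
 * Returns the number of bytes copied, or -1 if the request was rejected. */
long handle_request(const request_t *req, const uint8_t *src, size_t src_len) {
    uint32_t nbytes;
    if (checked_size(req->count, req->elem_size, &nbytes) != 0) return -1;
    if (nbytes > src_len) return -1;   /* caller supplied less than claimed */
    uint8_t *buf = malloc(nbytes);
    if (!buf) return -1;
    memcpy(buf, src, nbytes);          /* bounded by the validated size */
    free(buf);
    return (long)nbytes;
}

/* Scenario (constructed): 0x40000001 elements of 4 bytes; the unchecked
 * product wraps to 4. Returns 1 if the hardened path rejected it. */
int demo_wrapping_request_rejected(void) {
    request_t r = { 0x40000001u, 4u };
    uint8_t src[4] = {0};
    return handle_request(&r, src, sizeof src) == -1;
}

/* Scenario (constructed): an ordinary 16-element request of 4 bytes each. */
long demo_valid_request(void) {
    request_t r = { 16u, 4u };
    uint8_t src[64];
    memset(src, 0xAB, sizeof src);
    return handle_request(&r, src, sizeof src);
}

int main(void) {
    printf("wrapped size for 0x40000001 x 4 bytes: %u\n",
           unchecked_size(0x40000001u, 4u));
    printf("wrapping request rejected: %d\n", demo_wrapping_request_rejected());
    printf("valid request copied: %ld bytes\n", demo_valid_request());
    return 0;
}
```

The check `count > UINT32_MAX / elem_size` is the portable way to detect the wrap before it happens; on compilers that provide it, `__builtin_mul_overflow()` expresses the same test more directly. The separate cap matters too: a product that does not wrap can still be large enough to exhaust kernel memory.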

5. Pavuk Remote Stack-Based Buffer Overrun Vulnerability
BugTraq ID: 10633
Remote: Yes
Date Published: Jun 30 2004
Relevant URL: http://www.securityfocus.com/bid/10633
Summary:
Pavuk is reported prone to a remote buffer overrun vulnerability. It is
reported that the issue exists due to a lack of boundary checks
performed on third-party data received from remote HTTP servers before
the data is copied into a finite stack-based buffer.

Ultimately a remote malicious site may exploit this condition to 
execute arbitrary code in the context of the user who is running the 
vulnerable Pavuk software.

6. Linux Kernel IPTables Sign Error Denial Of Service Vulnerabi...
BugTraq ID: 10634
Remote: Yes
Date Published: Jun 30 2004
Relevant URL: http://www.securityfocus.com/bid/10634
Summary:
It has been reported that the Linux kernel is affected by a denial of 
service vulnerability in the iptables implementation.  This issue is due 
to a failure of iptables to handle certain TCP packet header values.

An attacker can exploit this issue to cause the iptables implementation 
to consume all CPU resources due to an infinite loop, denying service 
to legitimate users.

7. RSBAC Jail SUID And SGID File Creation Vulnerability
BugTraq ID: 10640
Remote: No
Date Published: Jun 30 2004
Relevant URL: http://www.securityfocus.com/bid/10640
Summary:
The process jail feature of RSBAC reportedly improperly allows files to 
be created with SUID and SGID attributes.

These files can then be used to escalate the privileges inside the 
jail. This may allow for further attacks and possible system compromises.

Versions 1.2.2 and 1.2.3 are reported to be vulnerable to this issue. A 
patch has been released by the vendor.

8. IBM Lotus Domino IMAP Quota Changing Vulnerability
BugTraq ID: 10642
Remote: Yes
Date Published: Jun 30 2004
Relevant URL: http://www.securityfocus.com/bid/10642
Summary:
IBM Lotus Domino server is reported to improperly allow users to alter 
their own mail storage quota values.

A user's mailbox is assigned a quota to limit the amount of data that 
can be consumed by email on the server. This quota is assigned by the 
administrator of the application.

An attacker could possibly use this vulnerability to raise their
mailbox's quota to a very large amount, and then proceed to fill the mail
server's storage device. This will result in a denial of service condition,
where new mail cannot be stored on the full disk.

Domino version 6.5.0 and 6.5.1 are reported vulnerable to this issue.

9. FreeBSD Linux Binary Compatibility Memory Access Vulnerabili...
BugTraq ID: 10643
Remote: No
Date Published: Jul 01 2004
Relevant URL: http://www.securityfocus.com/bid/10643
Summary:
It has been reported that FreeBSD is affected by a memory access 
vulnerability when implementing linux binary compatibility.  This issue is 
due to a programming error that causes certain memory to be accessed 
without proper validation.

This issue would allow an attacker to disclose and overwrite kernel 
memory, resulting in information disclosure, privilege escalation and 
potential denial of service.

10. Esearch eupdatedb Symbolic Link Vulnerability
BugTraq ID: 10644
Remote: No
Date Published: Jul 01 2004
Relevant URL: http://www.securityfocus.com/bid/10644
Summary:
It has been reported that eupdatedb, an esearch utility, is affected by
a symbolic link vulnerability.  This issue is due to a failure of the
application to properly handle temporary file creation.

An attacker can leverage this vulnerability to create an arbitrary file
with the permissions of an unsuspecting user that has activated the
vulnerable utility, facilitating a number of possible attacks.
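The temporary-file handling flaw described in this item belongs to a well-known class: a predictable path under a shared directory is opened with O_CREAT but without O_EXCL, so a symbolic link already planted at that name is followed with the caller's privileges. The C program below is an added example, not esearch or eupdatedb code; the file name "eupdatedb.tmp" and the scenario directory are hypothetical. It builds the scenario in a private mkdtemp() directory, shows that the unsafe open writes through the link, and shows that O_CREAT|O_EXCL|O_NOFOLLOW (or mkstemp()) refuses it.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Constructed illustration of the temp-file symlink class; NOT the
 * esearch/eupdatedb source. "eupdatedb.tmp" is a hypothetical predictable
 * name chosen only for this demonstration. */

/* Pattern behind the bug: predictable path, O_CREAT without O_EXCL, so an
 * existing symlink at 'path' is followed and its target is truncated and
 * written with the caller's permissions. */
int open_temp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL fails if anything already exists at 'path', O_NOFOLLOW
 * refuses a symlink in the final component, and 0600 keeps the file private.
 * On a planted link this returns -1 with errno EEXIST (or ELOOP). */
int open_temp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: let mkstemp() pick an unpredictable name; it opens the file
 * with O_CREAT|O_EXCL itself. 'template_path' must end in "XXXXXX". */
int open_temp_random(char *template_path) {
    return mkstemp(template_path);
}

/* Builds the scenario in a fresh private (0700) directory: an empty 'victim'
 * file and a symlink at the predictable name pointing at it. Returns 0 on
 * success. */
static int setup_scenario(char dir[64], char victim[128], char link[128]) {
    strcpy(dir, "/tmp/symlinkdemo.XXXXXX");
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, 128, "%s/victim", dir);
    snprintf(link, 128, "%s/eupdatedb.tmp", dir);   /* hypothetical name */
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return symlink(victim, link);
}

static void teardown(const char *dir, const char *victim, const char *link) {
    unlink(link);
    unlink(victim);
    rmdir(dir);
}

/* Returns 1 if open_temp_unsafe() wrote through the planted symlink into
 * 'victim' (its size went from 0 to 5 bytes), 0 otherwise, -1 on setup error. */
int demo_unsafe_follows_symlink(void) {
    char dir[64], victim[128], link[128];
    if (setup_scenario(dir, victim, link) != 0) return -1;
    int result = 0;
    int fd = open_temp_unsafe(link);
    if (fd >= 0) {
        if (write(fd, "data\n", 5) == 5) {
            struct stat st;
            if (stat(victim, &st) == 0 && st.st_size == 5) result = 1;
        }
        close(fd);
    }
    teardown(dir, victim, link);
    return result;
}

/* Returns 1 if open_temp_safe() refused the planted symlink and left
 * 'victim' untouched (still 0 bytes), 0 otherwise, -1 on setup error. */
int demo_safe_rejects_symlink(void) {
    char dir[64], victim[128], link[128];
    if (setup_scenario(dir, victim, link) != 0) return -1;
    int result = 0;
    int fd = open_temp_safe(link);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP)) {
        struct stat st;
        if (stat(victim, &st) == 0 && st.st_size == 0) result = 1;
    } else if (fd >= 0) {
        close(fd);
    }
    teardown(dir, victim, link);
    return result;
}

int main(void) {
    printf("unsafe open followed the planted symlink: %d\n",
           demo_unsafe_follows_symlink());
    printf("safe open rejected the planted symlink:   %d\n",
           demo_safe_rejects_symlink());
    return 0;
}
```

The demonstration only ever touches files inside a directory it created itself with mkdtemp(), so running it does not expose the host. For real code the fix is the combination shown in open_temp_safe() or, better, mkstemp() with a template in a per-user directory, and never a fixed name in a world-writable location.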

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. Weird! (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/368067

2. Last login missing (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/368004

3. Error installing Clamav? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/368000

4. just running tcpdump makes promisc mode? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/367997

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Cyber-Ark  Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL: 
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary: 

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes all the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide. To learn more about these core attributes of the
Inter-Business Vault, see the relevant URL above.

2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: 
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary: 

EnCase Forensic Edition Version 4 delivers the most advanced features 
for computer forensics and investigations. With an intuitive GUI and 
superior performance, EnCase Version 4 provides investigators with the 
tools to conduct large-scale and complex investigations with accuracy and 
efficiency. Guidance Software's award-winning solution yields
completely non-invasive computer forensic investigations while allowing 
examiners to easily manage large volumes of computer evidence and view all 
relevant files, including "deleted" files, file slack and unallocated 
space. 

The integrated functionality of EnCase allows the examiner to perform 
all functions of the computer forensic investigation process. EnCase's 
EnScript, a powerful macro-programming language and API included within 
EnCase, allows investigators to build customized and reusable forensic 
scripts.

3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary: 

KeyGhost SX discreetly captures and records all keystrokes typed, 
including chat conversations, email, word processor, or even activity within 
an accounting or specialist system. It is completely undetectable by 
software scanners and provides you with one of the most powerful stealth 
surveillance applications offered anywhere. 

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data stored 
within the device.

4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary: 

Evidian's SafeKit technology makes it possible to render any 
application available 24 hours per day. With no extra hardware: just use your 
existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to 
do is add more standard servers into the cluster. With the load 
balancing features of SafeKit, you can distribute applications over multiple 
servers. If one system fails completely, the others will continue to 
serve your users.

5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary: 

Astaro Linux Firewall: All-in-one firewall, virus protection, content 
filtering and spam protection internet security software package for 
Linux. 
Free download for home users.

6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris, 
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary: 

Low cost, easy to use Two Factor Authentication One Time Password token
that uses a cellular phone. It does not use SMS or any other communication
channel, and manages multiple OTP accounts - new technology. For any
business that wants safer access to its Internet services. More
information at our site.

We also provide an eAuthentication service for businesses that will not
buy an authentication product but would prefer to pay a monthly charge
for authentication services from our CAT Server.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Ettercap v0.7.0 pre2
By: ALoR <alor@users.sourceforge.net>
Relevant URL: http://ettercap.sourceforge.net/
Platforms: FreeBSD, Linux, MacOS, NetBSD, Windows 2000, Windows NT, 
Windows XP
Summary: 

Ettercap is a network sniffer/interceptor/logger for ethernet LANs. It 
supports active and passive dissection of many protocols (even ciphered 
ones, like SSH and HTTPS). Data injection in an established connection 
and filtering on the fly is also possible, keeping the connection 
synchronized. Many sniffing modes were implemented to give you a powerful 
and complete sniffing suite. Plugins are supported. It has the ability to 
check whether you are in a switched LAN or not, and to use OS 
fingerprints (active or passive) to let you know the geometry of the LAN.

2. SnortNotify 1.02
By: Adam Ely
Relevant URL: http://www.780inc.com/snortnotify/
Platforms: Linux
Summary: 

Running from cron at a specified interval, SnortNotify will search a
Snort database for new alerts. If new alerts match a preconfigured
priority level, an email will be sent to the contact. The email will
include the sensor name, the signature name, and the timestamp.

3. Devil-Linux v1.2 Beta 1
By: Heiko Zuerker <heiko@devil-linux.org>
Relevant URL: http://www.devil-linux.org/download.htm
Platforms: Linux
Summary: 

Devil-Linux is a special Linux distribution which is used for 
firewalls/routers. The goal of Devil-Linux is to have a small, customizable, and 
secure Linux system. Configuration is saved on a floppy disk, and it 
has several optional packages.

4. GNU Anubis v3.9.94
By: Wojciech Polak
Relevant URL: http://www.gnu.org/software/anubis/
Platforms: Linux, POSIX
Summary: 

GNU Anubis is an outgoing mail processor. It goes between the MUA (Mail
User Agent) and the MTA (Mail Transport Agent), and can perform various
sorts of processing and conversion on-the-fly in accordance with the
sender's specified rules, based on a highly configurable regular
expression system. It operates as a proxy server, and can edit outgoing
mail headers, encrypt or sign mail with GnuPG, build secure SMTP tunnels
using TLS/SSL encryption even if your mail user agent doesn't support it,
or tunnel a connection through a SOCKS proxy server.

5. DNSSEC Walker v3.4
By: Simon Josefsson
Relevant URL: http://josefsson.org/walker/
Platforms: Linux, UNIX
Summary: 

DNSSEC Walker is a tool to recover DNS zone files using only the DNS
protocol. The server does not have to support zone transfers, but the
zone must contain DNSSEC "NXT" records.

6. Linux Intrusion Detection System (LIDS) v2.6.6
By: Xie Hua Gang, xhg@gem.ncic.ac.cn
Relevant URL: http://www.lids.org/download.html
Platforms: Linux
Summary: 

The Linux Intrusion Detection System is a patch which enhances the
kernel's security. When it is in effect, access to chosen files, all
system/network administration operations, any capability use, and raw
device, memory, and I/O access can be made impossible even for root. You
can define which program can access which file. It uses and extends the
system capabilities bounding set to control the whole system, and adds
some network and filesystem security features to the kernel. You can
finely tune the security protections online, hide sensitive processes,
receive security alerts through the network, and more.

VII. SPONSOR INFORMATION
-----------------------

This Issue is Sponsored By: SecurityFocus 


http://www.securityfocus.com/rss/index.shtml

------------------------------------------------------------------------