Date: 18 Jan 2005 23:08:01 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #219
SecurityFocus Linux Newsletter #219
------------------------------------

Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

------------------------------------------------------------------------
I. FRONT AND CENTER
     1. A New Tool In The Spam War
     2. The Perils of Deep Packet Inspection
     3. Apache 2 with SSL/TLS: Step-by-Step, Part 1
II. LINUX VULNERABILITY SUMMARY
     1. Debian Lintian Insecure Temporary File Vulnerability
     2. Dillo Interface Message Format String Vulnerability
     3. Linux IPRoute2 Netbug Script Insecure Temporary File Creatio...
     4. MPG123 Layer 2 Frame Header Heap Overflow Vulnerability
     5. Squid Proxy Malformed NTLM Type 3 Message Remote Denial of S...
     6. HylaFAX Remote Access Control Bypass Vulnerability
     7. BMV Insecure Temporary File Vulnerability
     8. Linux Kernel Multiple Unspecified Vulnerabilities
     9. GNU Mailman Multiple Unspecified Remote Vulnerabilities
     10. Linux Kernel Symmetrical Multiprocessing Page Fault Local Pr...
     11. Vim TCLTags and VimSpell.sh Scripts Insecure Temporary File ...
     12. University of Minnesota Gopher Multiple Remote Vulnerabiliti...
     13. Linux Kernel User Triggerable BUG() Unspecified Local Denial...
     14. Midnight Commander Multiple Unspecified Vulnerabilities
     15. MPM Guestbook Header Input Validation Vulnerability
     16. Exim IP Address Command Line Argument Local Buffer Overflow ...
III. LINUX FOCUS LIST SUMMARY
     1. NMAP : Different interpretation of "filtered" ports ... (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. CoreGuard Core Security System
     2. EnCase Forensic Edition
     3. KeyGhost SX
     4. SafeKit
     5. Astaro Linux Firewall
     6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
     1. Firestarter 1.0.0
     2. Network Equipment Performance Monitor 2.2
     3. BitDefender for qmail v1.5.5-2 
     4. Bilbo 0.11
     5. Ipanto Secure 2.0
     6. ROPE for IpTables 20041119
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. A New Tool In The Spam War

Arbitration is part of the next wave of security measures, and can be
effective against spammers who illegally harvest email addresses from a
honeypot on your website.

http://www.securityfocus.com/columnists/291


2. The Perils of Deep Packet Inspection
By Dr. Thomas Porter

This paper looks at the evolution of firewall technology towards Deep
Packet Inspection, and then discusses some of the security issues with this
evolving technology.

http://www.securityfocus.com/infocus/1817


3. Apache 2 with SSL/TLS: Step-by-Step, Part 1
By Artur Maj

This article begins a series of three articles dedicated to configuring
Apache 2.0 with SSL/TLS support, in order to ensure maximum security and
optimal performance of secure web communication. This part introduces key
aspects of SSL/TLS and then shows how to compile and configure Apache 2.0
with support for these protocols.

http://www.securityfocus.com/infocus/1818

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Debian Lintian Insecure Temporary File Vulnerability
BugTraq ID: 12202
Remote: No
Date Published: Jan 10 2005
Relevant URL: http://www.securityfocus.com/bid/12202
Summary:
The Debian lintian program creates temporary files in an insecure 
manner.  A local attacker could exploit this condition to launch symbolic 
link attacks to cause arbitrary files to be deleted in the context of the 
user running the program.

2. Dillo Interface Message Format String Vulnerability
BugTraq ID: 12203
Remote: Yes
Date Published: Jan 09 2005
Relevant URL: http://www.securityfocus.com/bid/12203
Summary:
Dillo Web browser is prone to a format string vulnerability.  This 
issue is exposed when the browser handles messages to the interface.

The vulnerability may be triggered when a user visits a malicious Web 
page.  If successfully exploited, this will result in execution of 
arbitrary code in the context of the client user.

3. Linux IPRoute2 Netbug Script Insecure Temporary File Creatio...
BugTraq ID: 12208
Remote: No
Date Published: Jan 10 2005
Relevant URL: http://www.securityfocus.com/bid/12208
Summary:
iproute2 is distributed with a script named 'netbug'. The 'netbug' 
script is reported prone to an unspecified insecure temporary file creation 
vulnerability.

It is conjectured that the 'netbug' script creates a temporary file 
using a predictable filename in a world-writable location. This 
issue may be leveraged to corrupt arbitrary files with the privileges of the 
user that invokes the vulnerable script.

4. MPG123 Layer 2 Frame Header Heap Overflow Vulnerability
BugTraq ID: 12218
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12218
Summary:
mpg123 is prone to a heap-based buffer overflow vulnerability related 
to handling of layer 2 streams.  This issue is exposed when the player 
loads MP2/MP3 files with malformed header data.

This vulnerability could be exploited to execute arbitrary code in the 
context of the user running the player.

5. Squid Proxy Malformed NTLM Type 3 Message Remote Denial of S...
BugTraq ID: 12220
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12220
Summary:
Squid is reported to be susceptible to a denial of service 
vulnerability in its NTLM authentication module.  This vulnerability presents 
itself when an attacker sends a malformed NTLM type 3 message to Squid. 

Failure of NTLM authentication would result in the Squid application 
denying access to legitimate users of the proxy.

This vulnerability affects Squid 2.5.

6. HylaFAX Remote Access Control Bypass Vulnerability
BugTraq ID: 12227
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12227
Summary:
The HylaFAX daemon is reported prone to a vulnerability that could 
allow unauthorized access to the HylaFAX service. It is reported that the 
issue presents itself due to the methods used to match a given username 
and hostname to an entry in the 'hosts.hfaxd' configuration file.

A remote attacker may exploit this vulnerability to gain unauthorized 
access to the affected service.

7. BMV Insecure Temporary File Vulnerability
BugTraq ID: 12229
Remote: No
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12229
Summary:
BMV creates temporary files in an insecure manner.  A local attacker 
could take advantage of this issue to perform symbolic link attacks and 
corrupt files in the context of the user running the application.

It is not known if this vulnerability could be exploited to gain 
elevated privileges, though at the very least an attacker could cause 
critical files to be overwritten, causing loss of data or a denial of service 
condition.

8. Linux Kernel Multiple Unspecified Vulnerabilities
BugTraq ID: 12239
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12239
Summary:
It is reported that the Linux kernel version 2.6.9 is prone to multiple 
unspecified vulnerabilities. The issues are reported to exist in coda, 
xfs, network bridging, rose network protocol, and sdla wan drivers.

Details regarding the reported vulnerabilities are not currently 
available. It is conjectured that the issues are both local and remote in 
nature and result in a kernel panic when triggered. This is not confirmed.

This BID will be updated as soon as further details in regards to these 
vulnerabilities become available.

9. GNU Mailman Multiple Unspecified Remote Vulnerabilities
BugTraq ID: 12243
Remote: Yes
Date Published: Jan 11 2005
Relevant URL: http://www.securityfocus.com/bid/12243
Summary:
GNU Mailman is reported prone to multiple unspecified remote 
vulnerabilities. The following individual issues are reported:

It is reported that the GNU Mailman package for Ubuntu and Debian Linux is 
affected by an information disclosure vulnerability.

Information that is harvested by exploiting this vulnerability may be 
used to aid in further attacks that are launched against a target user, 
or the computer that is hosting the vulnerable software.

A cross-site scripting vulnerability has been discovered in GNU 
Mailman. The issue occurs due to insufficient sanitization of user-supplied 
data. 

It may be possible to exploit this issue in order to steal an 
unsuspecting user's cookie-based authentication credentials, as well as other 
sensitive information. Other attacks are also possible.

Finally, Mailman is reported prone to a weak auto-generated password 
vulnerability. It is reported that, when a user subscribes to a mailing 
list and a password is not specified, Mailman will auto-generate one. 
The password generation algorithm will generate a weak low entropy 
password. This password may potentially be brute forced by an attacker.

10. Linux Kernel Symmetrical Multiprocessing Page Fault Local Pr...
BugTraq ID: 12244
Remote: No
Date Published: Jan 12 2005
Relevant URL: http://www.securityfocus.com/bid/12244
Summary:
A local privilege escalation vulnerability affects the page fault 
handler of the Linux Kernel on symmetric multiprocessor (SMP) computers. 
This issue is due to a race condition error that may allow an attacker to 
gain superuser privileges.

A malicious local attacker may exploit this issue to gain superuser 
privileges on the affected computer.

11. Vim TCLTags and VimSpell.sh Scripts Insecure Temporary File ...
BugTraq ID: 12253
Remote: No
Date Published: Jan 13 2005
Relevant URL: http://www.securityfocus.com/bid/12253
Summary:
Multiple Vim scripts are reported prone to an insecure temporary file 
creation vulnerability. It is reported that the Vim 'tcltags' and 
'vimspell.sh' scripts create temporary files in an insecure manner.

An attacker that has local interactive access to a system may exploit 
this issue to corrupt arbitrary files with the privileges of the user 
that is invoking the vulnerable application.
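
The temporary-file issues in items 1, 3, 7 and 11 share one mechanism: the
script builds a name it can predict (typically program name plus PID) in a
world-writable directory such as /tmp and opens it with a plain redirection,
which follows a symbolic link an attacker has planted under that name. The
script below is an added example written for this newsletter, not code from
lintian, iproute2, BMV or Vim. The file name 'netbug.$$', the directory
layout and the victim file are assumptions chosen to make the race visible,
and attacker and victim run as the same user in one shell only so that the
example works stand-alone. It shows the vulnerable pattern, a simulated
pre-planted symlink redirecting the victim's write, and the mktemp(1) form
that closes the hole.

```shell
#!/bin/sh
# Added example (not code from lintian, iproute2, BMV or Vim): insecure
# temporary-file creation beside the safe form. Names such as netbug.$$
# are assumptions, not the real scripts' file names.

# Vulnerable: predictable name (program name + PID) in a world-writable
# directory, opened with a plain redirection, which follows symlinks.
vuln_write_tmp() {
    tmp="$1/netbug.$$"
    printf 'scratch data\n' > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened: mktemp(1) creates the file with O_CREAT|O_EXCL and mode 0600
# under an unpredictable name, so nothing can be pre-planted under it, and
# an existing entry makes creation fail instead of being followed.
safe_write_tmp() {
    tmp=$(mktemp "$1/netbug.XXXXXX") || return 1
    printf 'scratch data\n' > "$tmp"
    printf '%s\n' "$tmp"
}

# Simulated local attacker: plants a symlink under the predictable name,
# pointing at a file the victim can write. Same user and same shell here
# so the PID is trivially known; a real attacker guesses or enumerates it.
# Returns 0 if the victim's write landed in the target file.
symlink_attack_succeeds() {
    dir=$(mktemp -d) || return 2
    target="$dir/victim-important-file"
    printf 'original\n' > "$target"
    ln -s "$target" "$dir/netbug.$$"
    vuln_write_tmp "$dir" > /dev/null
    result=1
    grep -q 'scratch data' "$target" && result=0
    rm -rf "$dir"
    return $result
}

# Returns 0 if the hardened variant produced a private (0600) regular
# file that is not a symlink and not the predictable name, even with the
# attacker's link already present in the directory.
safe_variant_holds() {
    dir=$(mktemp -d) || return 2
    ln -s /dev/null "$dir/netbug.$$"
    f=$(safe_write_tmp "$dir") || { rm -rf "$dir"; return 1; }
    result=1
    if [ -f "$f" ] && [ ! -L "$f" ] && [ "$f" != "$dir/netbug.$$" ]; then
        perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        [ "$perms" = "600" ] && result=0
    fi
    rm -rf "$dir"
    return $result
}

# Demonstration when run directly.
if symlink_attack_succeeds; then
    echo "vulnerable pattern: victim file overwritten through planted symlink"
fi
if safe_variant_holds; then
    echo "mktemp pattern: private file created, attacker's link ignored"
fi
```

Run it with sh. symlink_attack_succeeds returns 0 when the planted link
redirected the write into the victim file; safe_variant_holds returns 0
when mktemp produced a mode-0600 regular file under a name the attacker
could not have predicted. Note that the later Linux fs.protected_symlinks
sysctl only refuses to follow links in sticky world-writable directories
when link owner and follower differ; it does not help in other directories
or where the script runs as the link's owner, so the fix belongs in the
script, not the kernel.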

12. University of Minnesota Gopher Multiple Remote Vulnerabiliti...
BugTraq ID: 12254
Remote: Yes
Date Published: Jan 13 2005
Relevant URL: http://www.securityfocus.com/bid/12254
Summary:
Multiple remote vulnerabilities affect Gopher.  These issues are due to 
a failure of the application to properly sanitize user-supplied data 
and a failure to verify input sizes.

The first issue is an integer overflow, the second issue is a format 
string vulnerability.

An attacker may leverage these issues to crash the affected daemon.  
These issues may also be leveraged to execute arbitrary code with the 
privileges of the gopherd process.  This may facilitate unauthorized 
access.

13. Linux Kernel User Triggerable BUG() Unspecified Local Denial...
BugTraq ID: 12261
Remote: No
Date Published: Jan 13 2005
Relevant URL: http://www.securityfocus.com/bid/12261
Summary:
The Linux kernel is reported prone to a local denial of service 
vulnerability.  

It is reported that this issue presents itself when a user creates a large 
Virtual Memory Area (VMA) that overlaps with the argument pages set up 
during the exec() system call. 

Successful exploitation will lead to a denial of service condition in a 
vulnerable computer. 

No further details are available at this time. This issue will be 
updated as more information becomes available.

14. Midnight Commander Multiple Unspecified Vulnerabilities
BugTraq ID: 12263
Remote: Unknown
Date Published: Jan 14 2005
Relevant URL: http://www.securityfocus.com/bid/12263
Summary:
It has been reported that Midnight Commander running on Debian 
operating systems is prone to multiple, unspecified vulnerabilities.  These 
issues are due to various design and boundary condition errors.

These issues could be leveraged by an attacker to execute arbitrary 
code on an affected system, which may facilitate unauthorized access. It 
is also possible for an attacker to carry out symbolic link attacks 
against an affected system, potentially facilitating a system wide denial 
of service.

15. MPM Guestbook Header Input Validation Vulnerability
BugTraq ID: 12266
Remote: Yes
Date Published: Jan 14 2005
Relevant URL: http://www.securityfocus.com/bid/12266
Summary:
MPM Guestbook is reported prone to an input validation vulnerability 
that may lead to remote command execution or arbitrary file content 
disclosure. The issue is due to a lack of sufficient sanitization performed 
on user-supplied 'header' URI parameter data. 

An attacker may leverage this issue to execute arbitrary PHP code in 
the context of the web server process or disclose the contents of web 
server readable files.

It should be noted that although this vulnerability is reported to 
affect MPM Guestbook version 1.05, other versions might also be affected.

16. Exim IP Address Command Line Argument Local Buffer Overflow ...
BugTraq ID: 12268
Remote: No
Date Published: Jan 14 2005
Relevant URL: http://www.securityfocus.com/bid/12268
Summary:
A local buffer overflow vulnerability triggered by an excessively long 
command line argument affects Exim.  This issue is due to a failure of 
the application to validate the length of user-supplied data prior to 
attempting to store it in process buffers.

An attacker may leverage this issue to execute arbitrary code with the 
privileges of the affected mailer application.  As the application is a 
setuid application, it is possible that further privilege escalation 
may occur.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. NMAP : Different interpretation of "filtered" ports ... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/387004

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary: 

CoreGuard System profile

The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.

CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets 
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity
* Block malicious code, including zero-day exploits

2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: 
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary: 

EnCase Forensic Edition Version 4 delivers the most advanced features 
for computer forensics and investigations. With an intuitive GUI and 
superior performance, EnCase Version 4 provides investigators with the 
tools to conduct large-scale and complex investigations with accuracy and 
efficiency. Guidance Software's award winning solution yields 
completely non-invasive computer forensic investigations while allowing 
examiners to easily manage large volumes of computer evidence and view all 
relevant files, including "deleted" files, file slack and unallocated 
space. 

The integrated functionality of EnCase allows the examiner to perform 
all functions of the computer forensic investigation process. EnCase's 
EnScript, a powerful macro-programming language and API included within 
EnCase, allows investigators to build customized and reusable forensic 
scripts.

3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary: 

KeyGhost SX discreetly captures and records all keystrokes typed, 
including chat conversations, email, word processor, or even activity within 
an accounting or specialist system. It is completely undetectable by 
software scanners and provides you with one of the most powerful stealth 
surveillance applications offered anywhere. 

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded 
data in its own internal memory (not on the hard drive), it is 
impossible for a network intruder to gain access to any sensitive data stored 
within the device.

4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary: 

Evidian's SafeKit technology makes it possible to render any 
application available 24 hours per day. With no extra hardware: just use your 
existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to 
do is add more standard servers into the cluster. With the load 
balancing features of SafeKit, you can distribute applications over multiple 
servers. If one system fails completely, the others will continue to 
serve your users.

5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary: 

Astaro Linux Firewall: All-in-one firewall, virus protection, content 
filtering and spam protection internet security software package for Linux.
Free download for home users.

6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris, 
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary: 

Low cost, easy to use Two Factor Authentication One Time Password token 
using a cellular phone. Does not use SMS or communication, manages multiple 
OTP accounts - new technology. For any business that wants safer 
access to its Internet services. More information at our site.
 
We also provide eAuthentication service for businesses that will not 
buy an Authentication product but would prefer to pay a monthly charge 
for authentication services from our CAT Server.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Firestarter 1.0.0
By: Tomas Junnonen
Relevant URL: http://www.fs-security.com/
Platforms: Linux
Summary: 

Firestarter is a graphical firewall tool for Linux. The program aims to
combine ease of use with powerful features, serving both desktop users and
administrators.

2. Network Equipment Performance Monitor 2.2
By: Nova Software, Inc.
Relevant URL: http://www.nepm.net/
Platforms: AIX, FreeBSD, HP-UX, Linux, Solaris, Tru64 UNIX, UNIX, 
Windows 2000, Windows NT, Windows XP
Summary: 

NEPM is a very general, highly configurable, two part software system 
that monitors any type of logged data from IP networked equipment and 
reports it via E-mail and web pages. Current conditions and history from 
systems based on Windows NT/2000 and UNIX can be tracked and reported. 
Most major server, switch and router systems can be monitored, without 
running agents on the target systems.

3. BitDefender for qmail v1.5.5-2 
By: SOFTWIN <mmitu@bitdefender.com>
Relevant URL: http://www.bitdefender.com/bd/site/products.php?p_id=10
Platforms: Linux
Summary: 

BitDefender for qmail is a powerful antivirus software for Linux mail 
servers, which provides proactive protection of message traffic at the 
email server level, eliminating the risk to the entire network that 
could be caused by a negligent user. All messages, both sent and received, 
are scanned in real time, avoiding the possible infections and 
preventing anyone from sending an infected message. BitDefender claims 100% 
detection rate for all viruses in the wild (ITW) through its powerful 
scanning engines certified by the most prestigious testing labs (ICSA in 
February 2003, Virus Bulletin 100% in June 2003 and CheckMark in August 
2003).

4. Bilbo 0.11
By: Bart Somers
Relevant URL: http://doornenburg.homelinux.net/scripts/bilbo/
Platforms: FreeBSD, Linux
Summary: 

Bilbo is an automated, multithreaded nmap-scanner and reporter, capable 
of header fetching and matching the results against a database from 
previous scans.

5. Ipanto Secure 2.0
By: Ipanto
Relevant URL: http://www.ipanto.com/secure
Platforms: HP-UX, Linux, Solaris, UNIX
Summary: 

Ipanto Secure allows ISC based DHCP servers (UNIX, Linux) to send 
signed dynamic DNS updates to a Microsoft DNS, using the GSS-TSIG protocol.

6. ROPE for IpTables 20041119
By: Chris Lowth
Relevant URL: http://www.lowth.com/rope
Platforms: Linux
Summary: 

ROPE allows IpTables to block P2P and other complex protocols 
accurately.

It is a highly flexible iptables module that allows complex protocols 
(such as are used by P2P software) to be identified. It is an in-kernel 
scripting language designed for IP packet matching. A growing number of 
sample configurations (scripts) are provided, including: blocking 
Gnutella and Bittorrent clients, blocking large web downloads - etc. Plenty 
more to come.

ROPE is part of the P2PWall

VII. SPONSOR INFORMATION
-----------------------

------------------------------------------------------------------------