Date: 15 Feb 2005 22:48:12 -0000
From:"Peter Laborge" <plaborge@securityfocus.com>
To:linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #223
SecurityFocus Linux Newsletter #223
------------------------------------

Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various firewall and
network-based intrusion detection systems, giving you a comprehensive view
of your computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_sf-news_041130
------------------------------------------------------------------------
I. FRONT AND CENTER
     1. More Advisories, More Security
II. LINUX VULNERABILITY SUMMARY
     1. SuSE Linux Open-Xchange Unspecified Path Traversal Vulnerabi...
     2. Linux Kernel ntfs_warning() and ntfs_error() Local Denial of...
     3. Multiple Web Browser International Domain Name Handling Site...
     4. Mozilla Firefox About Configuration Hidden Frame Remote Conf...
     5. XGB Authentication Bypass Vulnerability
     6. BrightStor ARCserve/Enterprise Backup UDP Probe Remote Buffe...
     7. XView Multiple Unspecified Local Buffer Overflow Vulnerabili...
     8. GNU Mailman Remote Directory Traversal Vulnerability
     9. IBM DB2 Universal Database Unspecified Vulnerability
     10. IBM DB2 XML Extender UDF Unauthorized File Access Vulnerabil...
     11. IBM DB2 Universal Database Server Network Message Processing...
     12. IBM DB2 Unspecified XML Functions Remote Arbitrary Code Exec...
     13. IBM DB2 Universal Database Server Object Creation Remote Cod...
     14. F-Secure ARJ Handling Buffer Overflow Vulnerability
     15. Yongguang Zhang HZTTY Local Arbitrary Command Execution Vuln...
     16. Apache mod_python Module Publisher Handler Information Discl...
     17. Armagetron Advanced Multiple Remote Denial Of Service Vulner...
     18. BrightStor ARCserve/Enterprise Backup Default Backdoor Accou...
     19. XPCD PCDSVGAView Local Buffer Overflow Vulnerability
     20. Netkit RWho Packet Size Denial Of Service Vulnerability
     21. Gentoo Portage-Built Webmin Binary Package Build Host Root P...
III. LINUX FOCUS LIST SUMMARY
     NO NEW POSTS FOR THE WEEK 2005-02-08 to 2005-02-15.
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. CoreGuard Core Security System
     2. EnCase Forensic Edition
     3. KeyGhost SX
     4. SafeKit
     5. Astaro Linux Firewall
     6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
     1. KSB - Kernel Socks Bouncer 2.6.10
     2. DigSig 1.3.2
     3. Firestarter 1.0.0
     4. Network Equipment Performance Monitor 2.2
     5. BitDefender for qmail v1.5.5-2 
     6. Bilbo 0.11
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. More Advisories, More Security
By Thierry Carrez
More and more, we see articles questioning the security of a given
platform based solely on the number of advisories published -- and this
approach is simply wrong.
http://www.securityfocus.com/columnists/299

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. SuSE Linux Open-Xchange Unspecified Path Traversal Vulnerabi...
BugTraq ID: 12448
Remote: Yes
Date Published: Feb 04 2005
Relevant URL: http://www.securityfocus.com/bid/12448
Summary:
SuSE Linux Open-Xchange (SLOX) is reported prone to an unspecified path
traversal vulnerability. It is likely, although not confirmed, that the
issue can be exploited remotely to disclose restricted information from
outside the intended root directory.

This BID will be updated as soon as further information regarding this 
vulnerability is made available.

2. Linux Kernel ntfs_warning() and ntfs_error() Local Denial of...
BugTraq ID: 12460
Remote: No
Date Published: Feb 07 2005
Relevant URL: http://www.securityfocus.com/bid/12460
Summary:
The Linux kernel is reported prone to a local denial of service
vulnerability.

The issue is reported to exist in the NTFS driver's 'ntfs_warning()' and
'ntfs_error()' functions when the driver is compiled without debugging
support.

Further details are not currently available.  This BID will be updated 
when more information becomes available.

Linux Kernel 2.6.11-rc2 is reported vulnerable to this issue.  All 2.6 
versions are likely vulnerable as well.

3. Multiple Web Browser International Domain Name Handling Site...
BugTraq ID: 12461
Remote: Yes
Date Published: Feb 07 2005
Relevant URL: http://www.securityfocus.com/bid/12461
Summary:
Multiple Web browsers are reported prone to vulnerabilities in their
handling of International Domain Names (IDNs).

The vulnerabilities exist because of inconsistencies in how IDNs are
processed and displayed. Reports indicate that a hostname containing
non-ASCII characters that look like ASCII ones can be used to spoof the
address bar, the status bar, and the values shown for an SSL certificate.

These vulnerabilities may be exploited by a remote attacker to aid in
phishing-style attacks. A victim who trusts the displayed name may
voluntarily disclose sensitive information to a malicious website.

Although these vulnerabilities are reported to affect Web browsers, mail
clients that rely on the browser engine to render HTML may also be
affected.
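The spoof works because a label such as "pаypal" written with a Cyrillic
"а" (U+0430) is a different name on the wire (an "xn--" Punycode label)
from the Latin one the user believes they are looking at. What follows is
an added example, not code from the newsletter or from any of the affected
browsers: it converts a hostname to and from its Punycode form with
Python's built-in 'idna' codec and flags any label that mixes Unicode
scripts, which is the kind of rule current browsers use to decide whether
to render the Unicode name or the raw "xn--" form. The sample hostnames
are constructed, and deriving a character's script from the first word of
its Unicode name is an approximation of real script data, not a standard
API.

```python
import unicodedata

# Constructed sample hostnames for the demonstration (not from the
# advisory).  The second replaces the Latin 'a' in "paypal" with CYRILLIC
# SMALL LETTER A (U+0430); the third is an all-Cyrillic name, which is
# legitimate and must not be flagged.
SAMPLE_HOSTS = [
    "paypal.com",
    "p\u0430ypal.com",
    "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444",
]


def to_ascii(host: str) -> str:
    """ASCII form of a hostname: every non-ASCII label becomes an 'xn--'
    Punycode label.  Python's 'idna' codec applies nameprep (case folding,
    NFKC) first, so this is the name that actually goes to DNS."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Inverse of to_ascii: decode 'xn--' labels back to Unicode."""
    return host.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Approximate the script of each character from the first word of its
    Unicode name (LATIN, CYRILLIC, GREEK, ...).  Digits and hyphens are
    shared by every script and are skipped.  This heuristic is an
    assumption of the example, not Unicode's real script property."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return scripts


def analyze(host: str) -> dict:
    """Normalise a hostname given in either Unicode or 'xn--' form and flag
    labels that mix scripts, the hallmark of a look-alike domain."""
    ascii_form = to_ascii(host)
    unicode_form = to_unicode(ascii_form)
    mixed = [lbl for lbl in unicode_form.split(".") if len(label_scripts(lbl)) > 1]
    return {
        "ascii": ascii_form,
        "unicode": unicode_form,
        "mixed_script_labels": mixed,
        "suspicious": bool(mixed),
    }


def display_form(host: str) -> str:
    """What an address bar should show: the Unicode name when every label is
    single-script, otherwise the raw 'xn--' form so the user can see it is
    not the ASCII site it imitates."""
    result = analyze(host)
    return result["ascii"] if result["suspicious"] else result["unicode"]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        r = analyze(h)
        print(f"{h!r:32} wire={r['ascii']:28} suspicious={r['suspicious']!s:5} "
              f"show={display_form(h)}")
```

Feeding the function the "xn--" form and the Unicode form of the same name
gives the same verdict, which is the point: the check must run on the
normalised name, not on whatever string the page author chose to present.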

4. Mozilla Firefox About Configuration Hidden Frame Remote Conf...
BugTraq ID: 12466
Remote: Yes
Date Published: Feb 07 2005
Relevant URL: http://www.securityfocus.com/bid/12466
Summary:
A remote configuration manipulation vulnerability affects Mozilla 
Firefox.  This issue is due to a failure of the application to properly 
secure sensitive configuration scripts from being activated by remote 
attackers.

An attacker may leverage this issue to alter an unsuspecting user's 
configuration settings; this may lead to a false sense of security as 
sensitive settings may be manipulated without the user's knowledge.

5. XGB Authentication Bypass Vulnerability
BugTraq ID: 12489
Remote: Yes
Date Published: Feb 08 2005
Relevant URL: http://www.securityfocus.com/bid/12489
Summary:
xGB is reportedly affected by a vulnerability that could permit 
unauthorized administrator access.  This issue is due to the application 
failing to properly verify user credentials.

A malicious user could exploit this vulnerability to bypass user 
authentication and gain administrative access.

This vulnerability is reported to affect xGB version 2.0; earlier 
versions may also be vulnerable.

6. BrightStor ARCserve/Enterprise Backup UDP Probe Remote Buffe...
BugTraq ID: 12491
Remote: Yes
Date Published: Feb 08 2005
Relevant URL: http://www.securityfocus.com/bid/12491
Summary:
Various Computer Associates BrightStor ARCserve/Enterprise Backup 
products are prone to a remote buffer overflow vulnerability.  This issue 
presents itself because the affected applications do not perform boundary 
checks prior to copying user-supplied data into sensitive process 
buffers.  

A remote attacker may execute arbitrary code on a vulnerable computer 
to gain unauthorized access to it.

7. XView Multiple Unspecified Local Buffer Overflow Vulnerabili...
BugTraq ID: 12500
Remote: No
Date Published: Feb 09 2005
Relevant URL: http://www.securityfocus.com/bid/12500
Summary:
A number of unspecified buffer overflow vulnerabilities are reported to
exist in the XView library. Because executables linked against the
library may be installed setuid, a local user could exploit these issues
to execute arbitrary code with the privileges of such a binary.

Debian has identified these issues in xview-3.2p1.4. Other versions on
various platforms may be vulnerable as well.

8. GNU Mailman Remote Directory Traversal Vulnerability
BugTraq ID: 12504
Remote: Yes
Date Published: Feb 09 2005
Relevant URL: http://www.securityfocus.com/bid/12504
Summary:
Mailman, when hosted on a web server that does not strip extra slashes
from URLs (for example, Apache 1.3.x), is reported prone to a remote
directory traversal vulnerability.

A remote attacker may exploit this vulnerability to disclose the contents
of any file readable by the web server. Symantec has received reports of
the username and password databases of public mailing lists being
compromised through exploitation of this vulnerability.

Information that is harvested by leveraging this vulnerability may be 
used to aid in further attacks against a target computer or victim user.
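Both BID 12448 and BID 12504 above are path traversal issues, and the
Mailman one hinges on the front-end web server leaving repeated slashes in
the URL for the application to deal with. The following is an added
example, not code from Mailman, Apache or the newsletter: a Python function
that maps a request path onto a document root the way an application
handler should, shown next to the naive check it replaces. The document
root and the request paths are constructed for the demonstration.

```python
from urllib.parse import unquote
import posixpath

# Constructed document root for the demonstration; an assumption of the
# example, not a path taken from either advisory.
DOC_ROOT = "/var/www/lists"


def naive_is_safe(url_path: str) -> bool:
    """The check that gets bypassed: it looks for '..' in the raw URL before
    percent-decoding, so '%2e%2e' slips through, and it never collapses the
    repeated slashes that a server such as Apache 1.3 leaves in place."""
    return ".." not in url_path


def resolve_request_path(url_path: str, root: str = DOC_ROOT):
    """Map a URL path onto a filesystem path under `root`, or return None.

    Order matters: percent-decode exactly once, then split into segments and
    walk them with a stack (which collapses '//', '/./' and '/../'), and
    refuse any request that tries to climb above the root rather than
    silently clamping it.  Because decoding happens once, a doubly-encoded
    '%252e' becomes the literal text '%2e', a filename, not a traversal.
    """
    decoded = unquote(url_path)
    if "\x00" in decoded:          # a NUL would truncate the path in a C-level open()
        return None
    stack = []
    for segment in decoded.split("/"):
        if segment in ("", "."):   # empty segments come from '//', '/./' and the leading '/'
            continue
        if segment == "..":
            if not stack:          # climbing above the root: reject, do not clamp
                return None
            stack.pop()
        else:
            stack.append(segment)
    # In production, additionally compare os.path.realpath() of the result
    # with the realpath of the root so a symlink inside the tree cannot
    # escape it; that check is omitted here so the example stays lexical.
    return posixpath.join(root.rstrip("/"), *stack)


if __name__ == "__main__":
    for p in ["/archives/private/list.mbox",
              "//archives//private/../private/list.mbox",
              "/archives/../../etc/passwd",
              "/%2e%2e/%2e%2e/etc/passwd",
              "/%252e%252e/x"]:
        print(f"{p:45} naive_ok={naive_is_safe(p)!s:5} resolved={resolve_request_path(p)}")
```

The second request shows why the extra slashes matter: a server that
forwards "//archives//private/../private/list.mbox" untouched relies
entirely on the application to collapse it correctly, and the naive check
only ever inspects the raw string.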

9. IBM DB2 Universal Database Unspecified Vulnerability
BugTraq ID: 12508
Remote: Yes
Date Published: Feb 09 2005
Relevant URL: http://www.securityfocus.com/bid/12508
Summary:
IBM DB2 Universal Database is reported prone to a vulnerability. The 
details of this issue are unspecified.

The discoverer of this issue has reported that further details 
regarding this vulnerability will be released on the 9th of May 2005. When 
these details are released this BID will be updated with the additional 
details.

This vulnerability is reported to exist in IBM DB2 Universal Database
version 8.1 and previous versions.

10. IBM DB2 XML Extender UDF Unauthorized File Access Vulnerabil...
BugTraq ID: 12510
Remote: Yes
Date Published: Feb 10 2005
Relevant URL: http://www.securityfocus.com/bid/12510
Summary:
IBM DB2 is prone to a security vulnerability that may allow 
unauthorized read or write access to files on the computer in the context of the 
server process.  This issue exists in the XML Extender UDFs 
(User-Defined Functions).  This could result in information disclosure as well as 
corruption of files on the computer.  There is a theoretical possibility 
of code execution.

This vulnerability appears similar in nature to BID 12170 IBM DB2 XML 
Function Unauthorized File Creation and Disclosure Vulnerability.

This issue may be related to BID 12508 IBM DB2 Universal Database 
Unspecified Vulnerability.

11. IBM DB2 Universal Database Server Network Message Processing...
BugTraq ID: 12511
Remote: Yes
Date Published: Feb 10 2005
Relevant URL: http://www.securityfocus.com/bid/12511
Summary:
A remote code execution vulnerability affects IBM DB2 Universal 
Database Server.  This issue is due to a failure of the application to 
properly handle network messages under certain circumstances.

This issue may be related to BID 12508 IBM DB2 Universal Database 
Unspecified Vulnerability.

An attacker with a database connection may leverage this issue to 
execute arbitrary code within the context of the affected database instance, 
potentially facilitating unauthorized access or privilege escalation.

12. IBM DB2 Unspecified XML Functions Remote Arbitrary Code Exec...
BugTraq ID: 12512
Remote: Yes
Date Published: Feb 10 2005
Relevant URL: http://www.securityfocus.com/bid/12512
Summary:
IBM DB2 is reported prone to a remote arbitrary code execution 
vulnerability.  This issue can allow a remote attacker to completely compromise 
a vulnerable database server.

IBM DB2 version 8 FixPak 7 and FixPak 7a are reported vulnerable to 
this issue.

Further details are not available currently.  It is possible that this 
issue results from an overflow condition, however, this is not 
confirmed at the moment.  It is also possible that an SQL injection type attack 
may be used to leverage this issue.  This BID will be updated when more 
information becomes available.

This issue may be related to BID 12508 IBM DB2 Universal Database 
Unspecified Vulnerability.

13. IBM DB2 Universal Database Server Object Creation Remote Cod...
BugTraq ID: 12514
Remote: Yes
Date Published: Feb 10 2005
Relevant URL: http://www.securityfocus.com/bid/12514
Summary:
A remote code execution vulnerability affects IBM DB2 Universal 
Database Server.  This issue is due to a failure of the application to 
properly handle the creation of new objects.

This issue may be related to BID 12508 IBM DB2 Universal Database 
Unspecified Vulnerability.

An attacker with a database connection may leverage this issue to 
execute arbitrary code within the context of the affected database instance, 
potentially facilitating unauthorized access or privilege escalation.

14. F-Secure ARJ Handling Buffer Overflow Vulnerability
BugTraq ID: 12515
Remote: Yes
Date Published: Feb 10 2005
Relevant URL: http://www.securityfocus.com/bid/12515
Summary:
A buffer overflow vulnerability exists in the ARJ handling code of the
anti-virus library included in various F-Secure products. The
vulnerability is due to insufficient bounds checking of ARJ header fields
that are copied into a fixed-size heap buffer. A malicious ARJ archive
could exploit this vulnerability to execute arbitrary code in the context
of the affected applications.

15. Yongguang Zhang HZTTY Local Arbitrary Command Execution Vuln...
BugTraq ID: 12518
Remote: No
Date Published: Feb 10 2005
Relevant URL: http://www.securityfocus.com/bid/12518
Summary:
A local, arbitrary command execution vulnerability affects Yongguang 
Zhang hztty.  The underlying cause of this issue is currently unknown. 
This BID will be updated as more information is released.

An attacker may leverage this issue to execute arbitrary commands with 
the privileges of the 'utmp' group, potentially facilitating privilege 
escalation.

16. Apache mod_python Module Publisher Handler Information Discl...
BugTraq ID: 12519
Remote: Yes
Date Published: Feb 10 2005
Relevant URL: http://www.securityfocus.com/bid/12519
Summary:
The mod_python module publisher handler is prone to a remote 
information disclosure vulnerability.  This issue may allow remote unauthorized 
attackers to gain access to sensitive objects.

Information disclosed through the exploitation of this issue may aid in 
launching further attacks against an affected server.

All versions of mod_python are considered vulnerable at the moment.

17. Armagetron Advanced Multiple Remote Denial Of Service Vulner...
BugTraq ID: 12520
Remote: Yes
Date Published: Feb 10 2005
Relevant URL: http://www.securityfocus.com/bid/12520
Summary:
Multiple denial of service vulnerabilities affect Armagetron Advanced.
These issues are due to a failure of the application to properly handle
malformed network data.

An attacker may leverage these issues to cause a remote denial of 
service condition in affected applications.

18. BrightStor ARCserve/Enterprise Backup Default Backdoor Accou...
BugTraq ID: 12522
Remote: Yes
Date Published: Feb 10 2005
Relevant URL: http://www.securityfocus.com/bid/12522
Summary:
BrightStor ARCserve/Enterprise Backup products contain a backdoor 
account.  

It is reported that hard coded credentials are present in the 
'UniversalAgent' service of BrightStor ARCserve/Enterprise Backup products for 
UNIX platforms. 

An attacker may carry out various attacks such as arbitrary command and 
code execution by using the hard coded credentials.  This may lead to a 
complete compromise of an affected computer.

19. XPCD PCDSVGAView Local Buffer Overflow Vulnerability
BugTraq ID: 12523
Remote: No
Date Published: Feb 11 2005
Relevant URL: http://www.securityfocus.com/bid/12523
Summary:
A local buffer overflow vulnerability affects xpcd pcdsvgaview.  This 
issue is due to a failure of the application to securely copy 
user-supplied input into finite process buffers.

An attacker may leverage this issue to execute arbitrary code with 
superuser privileges.

20. Netkit RWho Packet Size Denial Of Service Vulnerability
BugTraq ID: 12524
Remote: Yes
Date Published: Feb 11 2005
Relevant URL: http://www.securityfocus.com/bid/12524
Summary:
The Netkit rwho daemon is prone to a denial of service vulnerability.  
This condition occurs when the server processes packets with malformed 
sizes.

The vulnerability is only reported to affect the software running on 
little endian platforms.

It is not known if this condition is due to a boundary condition error 
or if it may further be leveraged to execute arbitrary code.

21. Gentoo Portage-Built Webmin Binary Package Build Host Root P...
BugTraq ID: 12532
Remote: Yes
Date Published: Feb 11 2005
Relevant URL: http://www.securityfocus.com/bid/12532
Summary:
It is reported that the Gentoo Portage-built Webmin binary package 
discloses the build host's root password to remote users.

Any users who build the affected Webmin binary and share it with other 
users are at a risk of compromise.

Gentoo app-admin/webmin packages prior to 1.170-r3 are vulnerable to 
this issue.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
NO NEW POSTS FOR THE WEEK 2005-02-08 to 2005-02-15.

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary: 

CoreGuard System profile

The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.

CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity
* Block malicious code, including zero-day exploits

2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: 
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary: 

EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award-winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view all
relevant files, including "deleted" files, file slack and unallocated
space.

The integrated functionality of EnCase allows the examiner to perform 
all functions of the computer forensic investigation process. EnCase's 
EnScript, a powerful macro-programming language and API included within 
EnCase, allows investigators to build customized and reusable forensic 
scripts.

3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary: 

KeyGhost SX discreetly captures and records all keystrokes typed, 
including chat conversations, email, word processor, or even activity within 
an accounting or specialist system. It is completely undetectable by 
software scanners and provides you with one of the most powerful stealth 
surveillance applications offered anywhere. 

Because KeyGhost uses STRONG 128-bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data
stored within the device.

4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary: 

Evidian's SafeKit technology makes it possible to render any 
application available 24 hours per day. With no extra hardware: just use your 
existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to 
do is add more standard servers into the cluster. With the load 
balancing features of SafeKit, you can distribute applications over multiple 
servers. If one system fails completely, the others will continue to 
serve your users.

5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary: 

Astaro Linux Firewall: All-in-one firewall, virus protection, content 
filtering and spam protection internet security software package for 
Linux. 
Free download for home users.

6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris, 
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary: 

A low-cost, easy-to-use two-factor authentication one-time-password (OTP)
token that runs on a cellular phone. It does not use SMS or any other
communication channel and manages multiple OTP accounts (new technology).
For any business that wants safer access to its Internet services. More
information is available at our site.

We also provide an eAuthentication service for businesses that will not
buy an authentication product but would prefer to pay a monthly charge
for authentication services from our CAT Server.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. KSB - Kernel Socks Bouncer 2.6.10
By: Paolo Ardoino
Relevant URL: http://ardoino.altervista.org/kernel.php
Platforms: Linux
Summary: 

KSB26 [Kernel Socks Bouncer] is a Linux Kernel 2.6.x patch that redirects
full TCP connections [SSH, telnet, ...] through SOCKS5. KSB26 uses a
character device to pass SOCKS5 and target IPs to the Linux kernel. I
have chosen to write it in kernel space to enjoy myself [I know that
there are easier and safer ways to write this in userspace].

2. DigSig 1.3.2
By: 
Relevant URL: http://sourceforge.net/projects/disec/
Platforms: Linux
Summary: 

DigSig is a loadable Linux kernel module that checks the signature of a
binary before running it. Digital signatures are embedded inside the ELF
binary and verified before the binary is loaded. This improves the
security of the system by preventing a wide range of malicious binaries,
such as viruses, worms, Trojan programs and backdoors, from running on
the system.

3. Firestarter 1.0.0
By: Tomas Junnonen
Relevant URL: http://www.fs-security.com/
Platforms: Linux
Summary: 

Firestarter is a graphical firewall tool for Linux. The program aims to
combine ease of use with powerful features, serving both desktop users
and administrators.

4. Network Equipment Performance Monitor 2.2
By: Nova Software, Inc.
Relevant URL: http://www.nepm.net/
Platforms: AIX, FreeBSD, HP-UX, Linux, Solaris, Tru64 UNIX, UNIX,
Windows 2000, Windows NT, Windows XP
Summary: 

NEPM is a very general, highly configurable, two part software system 
that monitors any type of logged data from IP networked equipment and 
reports it via E-mail and web pages. Current conditions and history from 
systems based on Windows NT/2000 and UNIX can be tracked and reported. 
Most major server, switch and router systems can be monitored, without 
running agents on the target systems.

5. BitDefender for qmail v1.5.5-2 
By: SOFTWIN <mmitu@bitdefender.com>
Relevant URL: http://www.bitdefender.com/bd/site/products.php?p_id=10
Platforms: Linux
Summary: 

BitDefender for qmail is a powerful antivirus package for Linux mail
servers that provides proactive protection of message traffic at the
email server level, eliminating the risk to the entire network that a
negligent user could otherwise cause. All messages, both sent and
received, are scanned in real time, blocking possible infections and
preventing anyone from sending an infected message. BitDefender claims a
100% detection rate for all viruses in the wild (ITW) through its
scanning engines, which are certified by the most prestigious testing
labs (ICSA in February 2003, Virus Bulletin 100% in June 2003 and
CheckMark in August 2003).

6. Bilbo 0.11
By: Bart Somers
Relevant URL: http://doornenburg.homelinux.net/scripts/bilbo/
Platforms: FreeBSD, Linux
Summary: 

Bilbo is an automated, multithreaded nmap-scanner and reporter, capable 
of header fetching and matching the results against a database from 
previous scans.
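Bilbo's "match the results against previous scans" step, as an added
example that is not Bilbo's own code and not part of the newsletter: parse
two nmap XML (-oX) outputs and report the ports that opened, closed or
changed service banner between runs. Both scan documents are constructed
samples for a documentation address (192.0.2.10); the products and
versions in them are illustrative only.

```python
import xml.etree.ElementTree as ET

# Two constructed nmap -oX documents for one host.  192.0.2.10 is a
# documentation (TEST-NET-1) address; nothing here is real scan data.
PREVIOUS_SCAN = """<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="3.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="1.3.33"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""

CURRENT_SCAN = """<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.0p1"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
      <port protocol="tcp" portid="10000"><state state="open"/><service name="http" product="MiniServ" version="1.170"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_scan(xml_text: str) -> dict:
    """Return {(addr, proto, port): banner} for every *open* port in an nmap
    XML document.  Non-open ports are dropped on purpose, so a port that
    vanishes from the output and one reported closed are treated alike:
    no longer open."""
    root = ET.fromstring(xml_text)
    open_ports = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            banner = ""
            if svc is not None:
                banner = " ".join(
                    v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v
                )
            open_ports[(addr, port.get("protocol"), int(port.get("portid")))] = banner
    return open_ports


def diff_scans(previous: dict, current: dict) -> dict:
    """Compare two parse_scan() results: newly open ports, ports no longer
    open, and ports whose banner changed (a version bump, or a different
    product answering on the same port)."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "opened": sorted(cur_keys - prev_keys),
        "closed": sorted(prev_keys - cur_keys),
        "changed": sorted(
            (k, previous[k], current[k]) for k in prev_keys & cur_keys if previous[k] != current[k]
        ),
    }


if __name__ == "__main__":
    report = diff_scans(parse_scan(PREVIOUS_SCAN), parse_scan(CURRENT_SCAN))
    for kind, entries in report.items():
        for entry in entries:
            print(f"{kind:8} {entry}")
```

Keying on (address, protocol, port) rather than on port alone is what
makes the comparison hold up across a multi-host scan, and keeping the
banner string lets a patched service show up as "changed" even though the
port never closed.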

VII. SPONSOR INFORMATION
-----------------------

------------------------------------------------------------------------