August 17, 2019

Security Breach at Home of Linux Sourcecode

(LiveHacking.Com) – Kernel.org, the primary site for the Linux kernel source code, suffered a security breach that was discovered on August 28th. The attackers managed to gain root access to one of the servers and modified some of the SSH-related files. They also added a trojaned startup file to the system start-up scripts.

The key question is whether the Linux source code was somehow modified to include back doors or vulnerabilities that would then propagate to the various Linux distributions. The word from the system administrators is that the source code repositories were unaffected, but they are continuing to analyse the code in git and the tarballs to confirm that nothing has been modified.

The truth is that the potential damage of breaking into kernel.org is far less than for a typical software repository. That’s because kernel development takes place using the git distributed revision control system. For each of the nearly 40,000 files in the Linux kernel, a SHA-1 hash is calculated that uniquely identifies the exact contents of that file. Git is designed so that the name of each version of the kernel depends upon the complete development history leading up to that version. Once a version is published, it is not possible to change the old versions without it being noticed.

Those files and the corresponding hashes exist not just on the kernel.org machine and its mirrors, but on the hard drives of several thousand kernel developers and distribution maintainers. Any tampering with any file in the kernel.org repository would immediately be noticed by each developer as they updated their personal repository, which most do daily.
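
As an added example, not code from kernel.org or from git itself, the following recomputes git's content-addressed object ids with plain POSIX tools (assuming sha1sum or shasum is installed) and shows that altering a single byte of a file changes the blob id, the commit that records it, and every commit built on top of that one:

```shell
# Added example, not kernel.org's or git's own code: recompute git's content-addressed object
# ids with POSIX tools, to show why a file cannot be altered without its id, and every id built
# on top of it, changing too. Assumes sha1sum (coreutils) or shasum is installed.
_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum -a 1; fi | cut -d' ' -f1
}

# git_object_id TYPE FILE: SHA1 of the header "<type> <size>" + NUL followed by the file's
# bytes, the same computation `git hash-object -t TYPE FILE` performs.
git_object_id() {
    size=$(( $(wc -c < "$2") ))      # arithmetic strips the padding BSD wc prints
    { printf '%s %d\n' "$1" "$size" | tr '\n' '\000'; cat "$2"; } | _sha1
}

# git_commit_id TREE_ID PARENT_ID MESSAGE: a commit object records its tree id and its
# parent's commit id, so a commit's id depends on every commit before it. Author and
# committer lines are fixed constructed values here; git stamps real names and timestamps.
git_commit_id() {
    tmp=$(mktemp)
    {
        printf 'tree %s\n' "$1"
        [ -n "$2" ] && printf 'parent %s\n' "$2"
        printf 'author Example <example@example.invalid> 0 +0000\n'
        printf 'committer Example <example@example.invalid> 0 +0000\n'
        printf '\n%s\n' "$3"
    } > "$tmp"
    git_object_id commit "$tmp"
    rm -f "$tmp"
}

# Demonstration: change one byte of a file and watch the blob id, the commit naming it and the
# follow-up commit whose parent it is all change. The blob id stands in for TREE_ID for brevity;
# a real commit names a tree object that lists the blobs.
demo() {
    a=$(mktemp); b=$(mktemp)
    printf 'hello\n' > "$a"; printf 'hellp\n' > "$b"
    blob_a=$(git_object_id blob "$a"); blob_b=$(git_object_id blob "$b")
    c1=$(git_commit_id "$blob_a" "" "add file")
    c2=$(git_commit_id "$blob_a" "$c1" "follow-up")
    c1_t=$(git_commit_id "$blob_b" "" "add file")
    c2_t=$(git_commit_id "$blob_a" "$c1_t" "follow-up")
    rm -f "$a" "$b"
    echo "blob   $blob_a -> $blob_b"
    echo "commit $c1 -> $c1_t"
    echo "child  $c2 -> $c2_t"
}
demo
```

This is what every developer's `git fetch` relies on: an object whose bytes no longer match its id is rejected, so a modified file on the server cannot masquerade as the version the developers already hold.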

Hardening MySQL with mysql_secure_installation

A default Linux MySQL installation isn’t necessarily secure, but a hardening script called mysql_secure_installation ships with the MySQL server to tighten the default configuration. To run it, open a terminal window and, as root (using either sudo or su -), type mysql_secure_installation and press Enter.

The script will guide you through several steps to lock down the MySQL installation.

The first step is to set the root password. By default no root password is set, so hit Enter when asked for the current password (meaning blank) and then set the password as directed. Setting the root password ensures that nobody can log into the MySQL root account without the proper authorisation.

By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account. The anonymous user is there just for testing. Type ‘y’ and hit Enter when asked to remove the anonymous user account.

To ensure that the root user cannot log in over the network (allowing root connections only from the local machine), type ‘y’ and hit Enter when asked to disallow remote root logins.

By default, MySQL comes with a database named ‘test’ that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. To remove it type ‘y’ and hit Enter when asked.

And that is it: if you answered ‘y’ to all the steps above, your MySQL installation should now be secure.

Running mysql_secure_installation is recommended for all MySQL servers in production use.
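
As an added example, not part of MySQL or of mysql_secure_installation itself, here is the SQL that answering ‘y’ to every prompt above amounts to, packaged for non-interactive use, together with a small audit over the rows of mysql.user (constructed sample rows below) to confirm that no anonymous or remote-root accounts remain. It assumes the MySQL of this article's era, where PASSWORD() and the mysql.user.Password column still exist (up to 5.6):

```shell
# Added example, not part of MySQL or of mysql_secure_installation itself: hardening_sql is
# the SQL that answering 'y' to every prompt above amounts to (for non-interactive use), and
# audit_users checks the rows of `SELECT User, Host FROM mysql.user` afterwards. MySQL of this
# article's era is assumed: PASSWORD() and the mysql.user.Password column exist up to 5.6.
hardening_sql() {
    # $1 is the new root password; backslashes and single quotes are escaped for the SQL literal
    esc=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")
    cat <<EOF
UPDATE mysql.user SET Password = PASSWORD('$esc') WHERE User = 'root';
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';
FLUSH PRIVILEGES;
EOF
}
# On a real server: hardening_sql 'NewRootPassword' | mysql -u root -p

# audit_users reads "User<TAB>Host" rows on stdin, as printed by
#   mysql -N -e 'SELECT User, Host FROM mysql.user'
# prints one line per risky row and returns 1 if any were found.
audit_users() {
    found=0
    tab=$(printf '\t')
    while IFS= read -r line; do
        user=${line%%"$tab"*}
        host=${line#*"$tab"}
        case "$user:$host" in
            :*) echo "anonymous account usable from '$host'"; found=1 ;;
            root:localhost|root:127.0.0.1|root:::1) ;;
            root:*) echo "root may log in from remote host '$host'"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample rows resembling a fresh install: a wildcard root and an anonymous user.
sample_users() {
    printf 'root\tlocalhost\nroot\t%%\n\tlocalhost\napp\t10.0.0.%%\n'
}

sample_users | audit_users || echo "hardening still required"
```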

ISC’s DHCP Client Could Allow Remote Code Execution

The Internet Systems Consortium (ISC), a non-profit company which develops software for the infrastructure of the Internet (such as BIND and DHCP), has released details of a new remote code execution vulnerability in its dhclient software.

dhclient is ISC’s DHCP client and can be found on most Linux systems as well as other Unix-like platforms such as FreeBSD. When a machine is configured to use DHCP (Dynamic Host Configuration Protocol), dhclient broadcasts a request asking for hostname and IP configuration information. A DHCP server then replies with the corresponding information.

The problem is that dhclient does not strip or escape certain shell meta-characters in responses from the DHCP server (such as the hostname) before passing the responses on to dhclient-script. Depending on the script and OS, this can result in execution of attacker-supplied commands on the client. dhclient versions 3.0.x to 4.2.x are affected.

ISC has issued new versions of the software, 3.1-ESV-R1, 4.1-ESV-R2 and 4.2.1-P1, which can be downloaded from here. No patch is available for 4.0.x as it has reached its end of life. Anyone running 4.1.x should upgrade to 4.1-ESV-R2.

If you don’t want to rebuild the software yourself you should consider the immediate workarounds given below or wait until your Linux distribution issues an update.

Immediate workarounds

On SUSE systems, it is possible to disable the hostname update by setting DHCLIENT_SET_HOSTNAME="no" in /etc/sysconfig/network/dhcp. On other systems, the following line may be added to dhclient-script at the beginning of the set_hostname() function:

new_host_name=${new_host_name//[^-.a-zA-Z0-9]/}
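
As an added example, not ISC's code and not part of dhclient-script, the block below does what the one-line workaround above does but with POSIX tools (the `${var//pattern/}` expansion is bash-only, and dhclient-script is often run by /bin/sh), and adds a validator that refuses a malformed value instead of silently rewriting it. The function names and the sample lease values are constructed for the example:

```shell
# Added example, not ISC's code and not part of dhclient-script. The expansion
# ${new_host_name//[^-.a-zA-Z0-9]/} in the workaround above is bash-only; sanitize_hostname
# does the same with POSIX tools, and is_valid_hostname rejects a value outright instead of
# silently rewriting it, the safer policy for a script that runs as root.
sanitize_hostname() {
    # tr -cd deletes every byte not in the set, so ; ` $ ( ) | & < > quotes, spaces and
    # newlines never reach the shell that later expands $new_host_name
    printf '%s' "$1" | tr -cd 'a-zA-Z0-9.-'
}

# RFC 1123 shape: labels of letters, digits and hyphens, no label starting or ending with
# a hyphen, single dots between labels, at most 63 characters per label and 253 overall.
is_valid_hostname() {
    name=$1
    [ -n "$name" ] && [ ${#name} -le 253 ] || return 1
    case "$name" in
        *[!a-zA-Z0-9.-]*|-*|*.-*|*-.*|*..*|.*|*.|*-) return 1 ;;
    esac
    rest=$name
    while :; do
        label=${rest%%.*}
        [ ${#label} -le 63 ] || return 1
        [ "$rest" = "$label" ] && break
        rest=${rest#*.}
    done
    return 0
}

# How a hardened set_hostname() could use both: apply the value only when it validates, and
# log (instead of acting on) anything that had to be stripped.
apply_new_hostname() {
    raw=$1
    clean=$(sanitize_hostname "$raw")
    if [ "$clean" != "$raw" ]; then
        echo "dhclient-script: stripped unsafe characters from server-supplied hostname" >&2
    fi
    if is_valid_hostname "$clean"; then
        printf '%s\n' "$clean"      # a real script would now run: hostname "$clean"
        return 0
    fi
    echo "dhclient-script: refusing malformed hostname, keeping the current one" >&2
    return 1
}

# Constructed lease values: a normal one, one carrying shell metacharacters, one malformed.
apply_new_hostname 'web01.example.test'
apply_new_hostname 'web01;echo injected'
apply_new_hostname '-bad.example' || true
```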

NetBSD 5.1 Released: Highly Portable Unix-like Open Source operating system

The NetBSD development team has released NetBSD 5.1. According to the NetBSD blog, NetBSD 5.1 is the first feature update of the NetBSD 5.0 release branch. It includes security and bug fixes, as well as improved hardware support and new features for this open source, highly portable Unix-like operating system.

Highlights of this version:

  • RAIDframe parity maps, which greatly improve parity rewrite times after unclean shutdown
  • X.Org updates
  • Support for many more network devices
  • Xen PAE dom0 support
  • Xen PCI pass-through support

More details are available at http://www.NetBSD.org/releases/formal-5/NetBSD-5.1.html.

NetBSD is a free, fast, secure, and highly portable Unix-like Open Source operating system. It is available for a wide range of platforms, from large-scale servers and powerful desktop systems to handheld and embedded devices. NetBSD is developed and supported by a large and vivid international community. Many applications are readily available through pkgsrc, the NetBSD Packages Collection.

NetBSD 5.1 is available to download here.

Source:[netbsd.org]

Red Hat: Vulnerability in OpenSSL

Red Hat has released updated openssl packages that fix one security issue in Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.


According to the Red Hat security advisory, a race condition flaw has been found in the OpenSSL TLS server extension parsing code, which could affect some multithreaded OpenSSL applications. Under certain specific conditions, it may be possible for a remote attacker to trigger this race condition and cause such an application to crash, or possibly execute arbitrary code with the permissions of the application. (CVE-2010-3864)

Note, this issue does not affect the Apache HTTP Server. Refer to Red Hat Bugzilla bug 649304 for more technical details on how to determine if your application is affected.

This update is recommended to all OpenSSL users. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

Mr. Rob Hulswit has reported this bug to Red Hat.

Unscheduled Security Update for Adobe Reader and Acrobat

This unscheduled security update for Adobe Reader and Acrobat fixes more than 18 security holes. Here is the release note from the Adobe Security Bulletin:

Critical vulnerabilities have been identified in Adobe Reader 9.4 (and earlier versions) for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 (and earlier 9.x versions) for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

In addition to addressing CVE-2010-3654 noted in Security Advisory APSA10-05 and CVE-2010-4091 referenced in the Adobe PSIRT blog (“Potential issue in Adobe Reader“), these updates also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-26.


Adobe recommends users of Adobe Reader 9.4 and earlier versions for Windows and Macintosh update to Adobe Reader 9.4.1, available now. Adobe recommends users of Adobe Reader 9.4 and earlier versions for UNIX update to Adobe Reader 9.4.1, expected to be available on November 30, 2010. Adobe recommends users of Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh update to Adobe Acrobat 9.4.1.

Note that these updates represent an out-of-cycle release. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.

Please visit Adobe Security Bulletins for more information about this update.

Source:[Adobe Security Bulletins]

Security Update: HAVP Anti Virus Proxy

HAVP (HTTP Anti Virus Proxy) has released a security update for its open source anti-virus proxy. HAVP is a proxy with a ClamAV anti-virus scanner. It provides continuous, non-blocking downloads and smooth scanning of dynamic and password-protected HTTP traffic.

HAVP operates in parent and transparent proxy modes and can be used with Squid or standalone.

Features:

  • HTTP Anti virus proxy
  • Multiple scanner support at the same time
  • Scans complete incoming traffic
  • Non Blocking downloads
  • Smooth scanning of dynamic and password protected traffic
  • Can be used with Squid or another proxy
  • Parent proxy support
  • Transparent proxy support
  • Logfile
  • Process change to defined user and group
  • Daemon
  • Uses ClamAV (GPL anti-virus)
  • Operating System: Linux
  • Written in C++
  • Released under GPL

Read more about HAVP here.

Update For ProFTPD FTP server

The ProFTPD team has released ProFTPD version 1.3.3c. ProFTPD is a configurable, GPL-licensed FTP server for Linux and Unix-based operating systems. According to the ProFTPD release notes, the following bugs have been addressed in this version:

- Bug 3511 - SQLAuthType Backend not properly rejected by mod_sql_sqlite.
- Bug 3513 - EPERM error logged unnecessarily for SFTP logins on Linux.
- Bug 3517 - mod_quotatab decrements file tally improperly for failed DELE commands.
- Bug 3518 - Support SiteMiscEngine directive, for disabling mod_site_misc functionality via proftpd.conf.
- Bug 3519 - Inappropriate directory traversal allowed by mod_site_misc.
- Bug 3521 - Telnet IAC processing stack overflow.

This popular and secure FTP server has been used by many high traffic websites such as SourceForge, Linksys, Slackware, ibiblio.org and many more.

PacketFence 1.9.1 released

PacketFence 1.9.1 has been released, and this release is considered ready for production use. PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system.

Here are the noteworthy changes since 1.9.0.

New Hardware Support

  • Extreme XOS Port Security (MAC address lockdown) and Voice over IP support (feature sponsored by Extreme Networks)
  • Nortel ERS 2500 Series Port security and Voice over IP support

New Features

  • Basic Access Control in the Web Administration interface (#965, Thanks to eSubnet Enterprises for their initial contribution)
  • New parameters in switches.conf to manage Web Services enabled switches

Enhancements

  • Captive portal performance improvements. Up to 23x on some workloads (#879)
  • More than 35 new DHCP fingerprints (Thanks to Eric Kollmann and Sam Winottai!)
  • Improved Nessus failed scan error reporting (partial fix for #1032)
  • Better error reporting on Cisco ISR 1800
  • Added some documentation for Cisco (2960, 3550) and Aruba in the SNMP modules
  • Documented performance optimization regarding blocking non-browser requests in the captive portal (#1072)
  • Avoiding unnecessary load where a lot of non-trap violations are used (#857)
  • Updated (for clarification purposes) documentation for Cisco stacked and 4500 Series switches (#1037)
  • Error handling and error messages improvements (#1052)
  • Updated documentation for FreeRadius 1.x and added some for 2.x. (#1036)

Bug fixes

  • Node categories related fixes (#1063, #1056)
  • Deleting a node no longer breaks paging in Web Admin (#1055)
  • Max number of node per user is enforced more consistently (#1057)
  • RPM packaging fixes (#1047)
  • Misc fixes (#1068)

Source: [http://www.packetfence.org/news/2010/article/packetfence-191-released.html]


Canonical and others close kernel holes

Canonical has released updated kernels for Ubuntu versions 10.04 LTS, 9.10, 9.04, 8.04 LTS and 6.06 LTS to close the recently discovered holes in the Linux kernel. The updates are also for the equivalent versions of Kubuntu, Edubuntu and Xubuntu and should be available through Ubuntu’s Software Update system.

Read the full article here.

Source:[TheHSecurity]