IDGNet Virus & Security Watch Friday 28 March 2003


This issue's topics:

Introduction:

* Windows RPC, MySQL, Kerberos, Samba & Linux kernel patches; Iraqi war viruses

Virus News:

* Ganda virus writer arrested in Sweden

* Remember the Iraqi printer virus?

Security News:

* Patch for Windows RPC endpoint mapper; NT 4.0 to be left vulnerable

* MySQL privilege elevation bug fixed

* Updates fix multiple Kerberos v4 protocol flaws

* Remote root access in Samba packet reassembly code fixed

* Linux ptrace local privilege elevation prompts kernel upgrade

* CIS updates, adds new security benchmark and scoring tools

Introduction:

Several recent, serious Unix and/or Linux vulnerabilities are covered in this week's issue, as is the latest patch from Microsoft. Although the service affected is not designed for exposure to potentially 'hostile' networks, and should be firewalled anyway, Microsoft's refusal to do the substantial operating system kernel re-engineering work it claims is necessary to fix the problem on NT 4.0 has upset a lot of folk.

On the non-patching side of security, the CIS best practices guides, and the tools that test whether they have been effectively implemented, have been enhanced. In the last few weeks CIS has released updated versions of the Solaris and Cisco IOS guides and added Windows 2000 Server to its Windows 2000 guides and test tools.

On the virus front, things have been pretty quiet (if you can ignore the ongoing storm of Klez.H outside your network). A Swedish man has copped charges for writing and distributing Ganda, the e-mail worm we mentioned last week that had apparently been trying to improve its chances by offering Iraqi War material. All this talk of Iraq wars and viruses, and recent interest by some in so-called 'cyberwar' technologies has stirred up memories for George Smith too, and he has written an interesting recap of some virus-related nonsense from the first Iraq war...

Virus News:

* Ganda virus writer arrested in Sweden

A Swedish man, questioned by local authorities in relation to his involvement in writing or releasing the Win32/Ganda self-mailing virus (see last week's newsletter) has admitted both writing and initially distributing the e-mail worm.

Although the man has not been arrested, he will soon face charges of computer trespassing and inflicting damage.

Suspected Iraq-war-virus creator detained in Sweden - usatoday.com

* Remember the Iraqi printer virus?

You remember? Surely! It took out the Iraqi air defence system during the first 'Iraq war'.

Well, actually, it was an April Fool's joke that backfired on a few media outlets which failed to spot the humour, or the impossibilities (obvious to any techie) attributed to the virus. They also apparently did no corroboration, accepting that because one outlet (InfoWorld) had reported it, it must be kosher.

All the recent media focus on the current Iraq war has apparently stirred up old memories for long-time virus and antivirus scene observer and writer, George Smith. We link to one of Smith's recent articles revisiting this story and pondering why such hoaxes are successful.

Iraqi Cyberwar: an Ageless Joke - securityfocus.com

Security News:

* Patch for Windows RPC endpoint mapper; NT 4.0 to be left vulnerable

An RPC endpoint mapper flaw has been patched by Microsoft. As this vulnerability reportedly 'only' allows a denial of service attack, and even then only from the Internet if normal best practices (firewalling the RPC endpoint mapper, TCP port 135, at the perimeter) have not been followed, Microsoft has rated it 'important' severity - code for 'patch it if you are necessarily exposed, but consider waiting for the next service pack otherwise'.

Systems running NT 4.0, Windows 2000 and XP are vulnerable. However, Microsoft claims that because fixing the flaw would mean rewriting large chunks of the NT 4.0 OS to make them more like the newer Windows 2000 and XP code, it has decided not to issue an update for NT 4.0. Administrators still managing NT 4.0 systems are advised to implement the workarounds described in the security bulletin, although these are not entirely satisfactory where the LAN itself, or parts of it, must be considered 'potentially hostile'.

Microsoft Security Bulletin MS03-010

* MySQL privilege elevation bug fixed

Under a typical MySQL installation the daemon is started by root and drops to an unprivileged account, but it first reads its option files, and it will keep running as root if one of them says 'user=root' under [mysqld]. Any local user who can alter a world-writable option file (or who can create a my.cnf in the data directory, for example with the FILE privilege, since mysqld of this vintage reads option files from there too) can therefore have the database daemon run as root, or any other user, when it is next (re)started. This privilege elevation bug has been fixed in release 3.23.56. MySQL is shipped with many popular Linux distributions and update packages for these are available from the usual places.

Archived Bugtraq list message - securityfocus.com

Changes in release 3.23.56 - www.mysql.com
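As an added example (not code from the newsletter, the Bugtraq post or MySQL AB), the following POSIX shell script checks a MySQL option file for the conditions this bug relies on: a world-writable file, a file owned by the service account rather than root, and an explicit user=root under [mysqld]. It assumes the service account is called mysql (override with MYSQL_USER) and that option files live in the usual places; the option file it demonstrates on is constructed in a temporary directory.

```shell
#!/bin/sh
# Added audit helper for the MySQL option-file privilege elevation; not code
# from the newsletter or from MySQL AB. mysqld, started by root, reads its
# option files before dropping privileges and refuses to run as root unless
# an option file or the command line says so explicitly, so an attacker who
# can write the file only needs "user=root" under [mysqld] and a restart.
#
# Assumptions (not from the page): the service account is "mysql" (override
# with MYSQL_USER) and option files are in the locations listed at the end.

MYSQL_USER=${MYSQL_USER:-mysql}

# Print the value of "user" in the [mysqld] section of option file $1
# (empty if none). Handles "user=root" and "user = root"; a "user" line in
# another section such as [client] is ignored, as mysqld ignores it.
mysqld_user_directive() {
    awk -F= '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld][ \t]*$/); next }
        in_mysqld && $1 ~ /^[ \t]*user[ \t]*$/ {
            v = $2; gsub(/[ \t]/, "", v); print v; exit
        }' "$1"
}

# check_mycnf FILE -> 0 if the file is safe, 1 if it could be used for this
# attack (findings are printed), 2 if it does not exist.
check_mycnf() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file"; return 2; }
    bad=0

    # Anyone on the box can rewrite a world-writable option file.
    if [ -n "$(find "$f" -perm -002 -print 2>/dev/null)" ]; then
        echo "$f: world-writable (chmod o-w and verify the contents)"
        bad=1
    fi

    # A file owned by the service account can be rewritten by anything that
    # runs as that account (the FILE privilege, or a compromised mysqld),
    # which defeats the point of dropping privileges. Root-owned, 0644 is
    # the safe shape.
    owner=$(ls -ld "$f" | awk '{print $3}')
    if [ "$owner" = "$MYSQL_USER" ]; then
        echo "$f: owned by service account $MYSQL_USER (should be root-owned)"
        bad=1
    fi

    # The payload itself: an explicit request to run the daemon as root.
    if [ "$(mysqld_user_directive "$f")" = "root" ]; then
        echo "$f: [mysqld] user=root (daemon runs as root on next restart)"
        bad=1
    fi

    return $bad
}

# Demonstration on a constructed option file (not a real system file):
# world-writable and asking for root, so two findings are printed.
demo=$(mktemp -d)
printf '[client]\nport=3306\n\n[mysqld]\nuser = root\ndatadir=/var/lib/mysql\n' > "$demo/my.cnf"
chmod 666 "$demo/my.cnf"
check_mycnf "$demo/my.cnf" || true
rm -rf "$demo"

# Then the usual candidates on this host, including the data directory copy
# that mysqld also reads (assumed locations; skipped silently if absent).
for f in /etc/my.cnf /etc/mysql/my.cnf /var/lib/mysql/my.cnf; do
    [ -f "$f" ] && check_mycnf "$f"
done
```

A clean result is a root-owned, mode 0644 file whose [mysqld] section names the unprivileged account (or has no user line at all, leaving it to the startup script's --user option). The data directory copy deserves the same scrutiny as /etc/my.cnf, since the data directory is exactly where the service account is allowed to write.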

* Updates fix multiple Kerberos v4 protocol flaws

About ten days ago, news of a critical cryptographic weakness in version 4 of the Kerberos protocol, one that potentially exposes the whole Kerberos authentication infrastructure to subversion, was leaked to a security e-mail list. The flaw affects all Kerberos version 4 (krb4) implementations and any krb5 system with krb4 translation services enabled, and can allow attackers to forge their own authentication tickets, impersonate any user in a Kerberos realm and take over the KDC.

In response to the leak, MIT released its advisory even though many vendors were not then ready to release their updates. Most of the large vendors have now released updated packages. Administrators of affected systems should check availability with their vendor(s) or on the CERT Coordination Center page covering this vulnerability, linked below.

Cryptographic weaknesses in Kerberos v4 protocol - mit.edu

Cryptographic weakness in Kerberos Version 4 protocol - cert.org

* Remote root access in Samba packet reassembly code fixed

Sebastian Krahmer of the SuSE security audit team uncovered a buffer overflow in the SMB/CIFS packet reassembly code in smbd. If exploited, this could allow a remote attacker to gain the root privileges with which the smbd process runs on the Samba server. Versions of Samba from 2.0.x up to and including 2.2.7a are known to be vulnerable, so anyone running any of those versions should obtain and install the latest update.

The Samba Team has released Samba 2.2.8 and most popular Unix and Linux distributions that include this package have now released updates.

Samba 2.2.8 release announcement - samba.org

* Linux ptrace local privilege elevation prompts kernel upgrade

Most Linux distributions have shipped updated kernels (2.2.25, or a 2.4 kernel with the fix backported) to address a critical local privilege elevation flaw. On earlier kernels any local user could grab root privileges because the root-privileged helper process the kernel spawns to load a module could be attached to with ptrace before it dropped privileges, and ptrace is available to ordinary users in most default Linux installations.

Check with your distributor(s) for kernel update packages. We have linked to an archived copy of a message sent to the linux-kernel mailing list by Alan Cox (which includes diff-style patches).

Archived linux-kernel list message - theaimsgroup.com

* CIS updates, adds new security benchmark and scoring tools

We have occasionally mentioned in previous newsletters the Center for Internet Security (CIS) programs developing agreed 'best practices' for installing and configuring various popular computer systems and network security devices. As this is an ongoing project, and the 'standards' it is defining change, new and updated guides and tools should be expected to emerge.

And so they do... A couple of weeks ago CIS posted the most recent updates to its Solaris and Cisco IOS Router benchmarks and scoring tools. Perhaps even more sought after, though, are the new Windows 2000 Server benchmark and scoring tool, as the workstation versions of these have been available for quite some time.

Center for Internet Security homepage - cisecurity.org
