Read about the latest developments in security every month in Security Watch
Double-Free Bug in CVS Server
A "double-free" vulnerability in the Concurrent Versions System (CVS) server could allow an unauthenticated, remote attacker with read-only access to execute arbitrary code, alter program operation, read sensitive information, or cause a denial of service.
Description
CVS is a version control and collaboration system that is widely used by open-source software development projects. CVS is commonly configured to allow public, anonymous, read-only access via the Internet.
Deallocating memory that has already been freed leads to heap corruption, which an attacker could leverage to execute arbitrary code, alter the logical operation of the CVS server program, or read sensitive information stored in memory. In most cases, heap corruption will result in a segmentation fault, causing a denial of service. The CVS server process is typically started by the Internet services daemon and runs with root privileges. Arbitrary code inserted by an attacker would therefore run with root privileges.
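The following is an added illustration of the bug class the advisory describes, not code from CVS: a heap block is released on one code path and then released again by a later cleanup. The allocator reuses the block's bookkeeping after the first free(), so the second free() corrupts heap metadata, which usually crashes the process and can hand an attacker influence over later allocations. The hardened form releases through one helper that clears the pointer, so a repeated release becomes a no-op. The struct and field names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-request state; not a CVS data structure. */
struct request {
    char *dir;    /* heap buffer holding a repository path */
};

/* Vulnerable pattern: two code paths each believe they own the cleanup.
 * This function is deliberately never called by the example; with a
 * current glibc it aborts with "free(): double free detected", and with
 * older allocators the second free() silently corrupts heap metadata. */
void handle_request_vulnerable(struct request *r)
{
    r->dir = malloc(64);
    if (r->dir == NULL)
        return;
    strcpy(r->dir, "/cvsroot/project");
    free(r->dir);            /* first release, e.g. on an error path   */
    /* ... later cleanup still sees the same non-NULL pointer ... */
    free(r->dir);            /* second release: heap corruption         */
}

/* Hardened pattern: release through one helper that clears the pointer.
 * free(NULL) is defined to do nothing, so a repeated call is harmless. */
static void release(char **pp)
{
    free(*pp);
    *pp = NULL;
}

/* Same two cleanup paths as above, written against the helper.
 * Returns how many of the two release attempts actually freed memory
 * (1 when the double release has been neutralised), or -1 on malloc
 * failure. */
int handle_request_hardened(struct request *r)
{
    int releases = 0;
    r->dir = malloc(64);
    if (r->dir == NULL)
        return -1;
    strcpy(r->dir, "/cvsroot/project");

    if (r->dir != NULL) { release(&r->dir); releases++; }   /* error-path cleanup   */
    if (r->dir != NULL) { release(&r->dir); releases++; }   /* final cleanup: no-op */
    return releases;
}

int main(void)
{
    struct request r = { NULL };
    printf("hardened path released %d block(s)\n", handle_request_hardened(&r));
    return 0;
}
```

Clearing the pointer at the point of release is the cheap, local fix; in a larger server the same discipline (single owner per allocation, pointer nulled on release) is what makes the second free() impossible rather than merely survivable.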
Impact
There is a significant secondary impact. An attacker who is able to compromise a CVS server could modify source-code repositories to contain Trojan horses, backdoors, or other malicious code.
Systems Affected
- Systems running CVS Home project versions of CVS prior to 1.11.5
- Operating system distributions that provide CVS
- Source code repositories managed by CVS
Solution/Patches
Apply the appropriate patch or upgrade specified by your vendor.
Disable or restrict anonymous CVS access
As a temporary solution until patches or upgrades can be applied, or to improve the security of CVS servers in the long term:
- Disable anonymous CVS server access completely.
- Block or restrict access to CVS servers from untrusted hosts and networks. Anonymous access to CVS servers using :cvspserver: is typically provided on port 2401/tcp.
- Configure CVS servers to run in restricted (chroot) environments.
- Host CVS servers on single-purpose, secured systems.
These workarounds and configurations are not complete solutions and will not prevent exploitation of this vulnerability. Other features inherent in CVS may give anonymous users the ability to gain shell access.
Vendor Information
Conectiva
Conectiva Linux is affected by this issue and updated packages are available at: atualizacoes.conectiva.com.br/
Debian
Debian has updated their distribution with DSA 233: www.debian.org/security/2003/dsa-233
For the stable distribution (woody) this problem has been fixed in version 1.11.1p1debian-8.1. For the old stable distribution (potato) this problem has been fixed in version 1.10.7-9.2. For the unstable distribution (sid) this problem will be fixed soon.
Red Hat, Inc.
Red Hat Linux and Red Hat Linux Advanced Server shipped with a CVS package that is vulnerable to these issues. New CVS packages are now available along with the advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.
Red Hat Linux Advanced Server: rhn.redhat.com/errata/RHSA-2003-013.html
Red Hat Linux: rhn.redhat.com/errata/RHSA-2003-012.html
Sun Microsystems Inc.
Sun does not include CVS with Solaris and therefore Solaris is not affected by this issue. Sun does provide CVS on the Solaris Companion CD (wwws.sun.com/software/solaris/freeware/index.html) as an unsupported package which installs to /opt/sfw and is vulnerable to this issue. Sites using the freeware version of CVS from the Solaris Companion CD will have to upgrade to a later version from CVS Home.
Remote Buffer Overflow in Sendmail
There is a vulnerability in sendmail that may allow remote attackers to gain the privileges of the sendmail daemon, typically root.
Description
Researchers at Internet Security Systems (ISS) discovered a remotely exploitable vulnerability in sendmail. This vulnerability could allow an intruder to gain control of a vulnerable sendmail server. Most organizations have a variety of mail transfer agents (MTAs) at various locations within their network, with at least one exposed to the Internet. Since sendmail is the most popular MTA, most medium-sized to large organizations are likely to have at least one vulnerable sendmail server. In addition, many Unix and Linux workstations provide a sendmail implementation that is enabled and running by default. A successful attack against an unpatched sendmail system will not leave any messages in the system log. However, on a patched system, an attempt to exploit this vulnerability will leave the following log message:
Dropped invalid comments from header address
Although this does not represent conclusive evidence of an attack, it may be useful as an indicator. A patched sendmail server will drop invalid headers, thus preventing downstream servers from receiving them.
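The indicator above is only useful if someone actually looks for it. The following added example (not part of the advisory and not sendmail code) scans mail log lines for the quoted message and reports which host emitted it, so hits can be correlated with other events. The log lines are constructed for the example, and the syslog prefix layout ("Mon DD HH:MM:SS host program[pid]: ...") is an assumption about how the message appears in a typical mail log.

```c
#include <stdio.h>
#include <string.h>

/* The message text is the one quoted in the advisory. */
static const char INDICATOR[] = "Dropped invalid comments from header address";

/* Constructed sample log lines (not real captures): two carry the
 * indicator, one is ordinary delivery noise. */
static const char *const SAMPLE_LOG[] = {
    "Mar  3 09:12:44 mx1 sendmail[2201]: h23ECi2201: from=<user@example.org>, size=1204, nrcpts=1",
    "Mar  3 09:13:02 mx1 sendmail[2207]: h23ED22207: Dropped invalid comments from header address",
    "Mar  3 09:15:51 mx2 sendmail[3110]: h23EFp3110: Dropped invalid comments from header address",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Copy the host field (4th whitespace-separated token of the assumed
 * syslog layout) into out. Returns 1 on success, 0 if the line is too
 * short or the host does not fit. */
static int syslog_host(const char *line, char *out, size_t outlen)
{
    const char *p = line;
    for (int field = 0; field < 3; field++) {   /* skip month, day, time */
        while (*p == ' ') p++;
        while (*p && *p != ' ') p++;
        if (!*p) return 0;
    }
    while (*p == ' ') p++;
    size_t n = strcspn(p, " ");
    if (n == 0 || n >= outlen) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Count lines carrying the indicator and print each hit with its
 * originating host. Returns the number of matching lines. */
int count_sendmail_indicator(const char *const *lines, size_t n)
{
    int hits = 0;
    char host[64];
    for (size_t i = 0; i < n; i++) {
        if (strstr(lines[i], INDICATOR) == NULL)
            continue;
        hits++;
        if (syslog_host(lines[i], host, sizeof host))
            printf("indicator on host %s: %s\n", host, lines[i]);
    }
    return hits;
}

int main(void)
{
    int hits = count_sendmail_indicator(SAMPLE_LOG, SAMPLE_LOG_LEN);
    printf("%d line(s) matched; not conclusive on its own, but worth correlating\n", hits);
    return 0;
}
```

Because the message is also produced by genuinely malformed mail, treat a hit as a prompt to check the sending host and the surrounding log entries rather than as proof of an attack; a sudden burst from a single peer is the pattern worth escalating.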
Systems Affected
- Sendmail Pro (all versions)
- Sendmail Switch 2.1 prior to 2.1.5, 2.2 prior to 2.2.5, 3.0 prior to 3.0.3
- Sendmail for NT 2.X prior to 2.6.2, NT 3.0 prior to 3.0.3
- Systems running open-source sendmail versions prior to 8.12.8, including Unix and Linux systems
Solution/Patches
Apply a patch from Sendmail
Sendmail has produced patches for versions 8.9, 8.10, 8.11, and 8.12. However, the vulnerability also exists in earlier versions of the code; therefore, site administrators using an earlier version are encouraged to upgrade to 8.12.8. These patches are located at:
- ftp.sendmail.org/pub/sendmail/sendmail.8.12.security.cr.patch
- ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.security.cr.patch
- ftp.sendmail.org/pub/sendmail/sendmail.8.9.3.security.cr.patch
Enable the RunAsUser option
There is no known workaround for this vulnerability. Until a patch can be applied, you may set the RunAsUser option to reduce the impact of this vulnerability.
Vendor Information
Apple Computer, Inc
Security Update 2003-03-03 is available to fix this issue. Packages are available for Mac OS X 10.1.5 and Mac OS X 10.2.4. It should be noted that sendmail is not enabled by default on Mac OS X, so only those systems which have explicitly enabled it are susceptible to the vulnerability. All customers of Mac OS X, however, are encouraged to apply this update to their systems.
IBM Corporation
The AIX operating system is vulnerable to the sendmail issue. A temporary patch is available through an efix package which can be found at: ftp.software.ibm.com/aix/efixes/security/sendmail_efix.tar.Z
The Sendmail Consortium
The Sendmail Consortium suggests that sites upgrade to 8.12.8 if possible. Alternatively, patches are available for 8.9, 8.10, 8.11, and 8.12 on www.sendmail.org/
Sun Microsystems
Solaris 2.6, 7, 8 and 9 are vulnerable. Sun will be publishing a Sun Alert for the issue at the following location shortly: sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/51181
The patches listed in the Sun Alert will be available from: sunsolve.sun.com/securitypatch