A vulnerability that can result in a Denial of Service event, privilege escalation, or remote system access has been shown to exist in two popular UNIX brands: NetBSD and OpenBSD. Patches are already available for the affected operating systems. There are also new versions of each OS that aren't affected by the flaw. And for users of early versions of OpenBSD, there is a new component available that allows them to simply rebuild rather than upgrade to a later version.
Researchers Janusz Niewiadomski and Wojciech Purczynski at iSEC Security Research discovered that the realpath() implementation shipped in a number of operating system versions is vulnerable to an "off-by-one" error. To exploit the flaw, an attacker must use an application to pass realpath() a path that resolves to exactly 1,024 bytes in length; realpath() is the library function that returns a canonicalized absolute pathname (i.e., it takes a pathname and resolves it to its canonical absolute form). The original report was designated NetBSD-SA2003-011.
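To show the bound a fixed-buffer path resolver has to enforce, here is an added, constructed example (not the NetBSD/OpenBSD realpath() source): a simplified lexical canonicalizer that collapses "//", "." and ".." into a 1,024-byte buffer and rejects a result of exactly 1,024 bytes, since the terminating NUL would not fit. The helper names `canonicalize`, `resolve_len` and `g_out` are assumptions for this illustration, and the resolver does not follow symlinks.

```c
#include <stddef.h>
#include <string.h>

#define MAXPATHLEN 1024   /* fixed result size; the article's 1,024-byte case */
char g_out[MAXPATHLEN];   /* scratch result buffer for callers */

/* Lexical canonicalizer (no symlinks): collapses "//", "." and ".." into a
 * bufsz-byte buffer. Returns 0 on success, -1 if the result plus its NUL
 * would not fit; a result of exactly bufsz bytes must be rejected, which is
 * the boundary an off-by-one length check gets wrong. */
int canonicalize(const char *path, char *out, size_t bufsz)
{
    size_t len = 1;                               /* bytes written so far */
    if (bufsz < 2 || *path != '/') return -1;     /* absolute paths only */
    out[0] = '/';
    while (*path) {
        const char *comp;
        size_t n, need;
        while (*path == '/') path++;              /* collapse runs of '/' */
        comp = path;
        while (*path && *path != '/') path++;
        n = (size_t)(path - comp);
        if (n == 0 || (n == 1 && comp[0] == '.')) continue;
        if (n == 2 && comp[0] == '.' && comp[1] == '.') {
            while (len > 1 && out[len - 1] != '/') len--;   /* pop component */
            if (len > 1) len--;                             /* and its '/' */
            continue;
        }
        need = len + (len > 1 ? 1 : 0) + n + 1;   /* separator + name + NUL */
        if (need > bufsz) return -1;              /* forgetting the +1 overflows by one */
        if (len > 1) out[len++] = '/';
        memcpy(out + len, comp, n);
        len += n;
    }
    out[len] = '\0';                              /* len + 1 <= bufsz holds here */
    return 0;
}

/* Constructed probe for the article's scenario: resolve a name of exactly
 * resolved_len bytes ("/" then 'a's) into a MAXPATHLEN buffer. */
int resolve_len(size_t resolved_len)
{
    static char in[MAXPATHLEN + 2];
    if (resolved_len < 1 || resolved_len > MAXPATHLEN + 1) return -2;
    in[0] = '/';
    memset(in + 1, 'a', resolved_len - 1);
    in[resolved_len] = '\0';
    return canonicalize(in, g_out, sizeof g_out);
}
```

With this check in place, a 1,023-byte resolved name succeeds and a 1,024-byte one is refused; the vulnerable pattern the article describes is the version that lets the 1,024-byte case through.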
NetBSD-current builds prior to Aug. 4, 2003, carry a vulnerable version of realpath(), as do the following releases:
- NetBSD 1.6.1
- NetBSD 1.6
The same vulnerability is also found in:
- OpenBSD 3.2
- OpenBSD 3.3
Risk level—highly critical
This flaw poses multiple risks, as described above (denial of service, privilege escalation, or remote access), and each of them is serious.
Fix—patch or update OS version
The NetBSD patch is available now, as is the next version of NetBSD, which is free from the flaw. The next version of OpenBSD (which is also free from the flaw) is available, along with patches for the 3.2 and 3.3 stable branches. There is one patch for version 3.2 and a different patch for OpenBSD 3.3. You can use a new version of realpath() to rebuild versions prior to 3.2.
If you have NetBSD or OpenBSD systems affected by this vulnerability, you should move to quickly patch or upgrade due to the severity of the risk involved.
Also watch out for…
- A recent report reminds IT folks that memory sticks can carry viruses and other malware just as floppy diskettes can. Although I believe the threat is possible, you should take this with a grain of salt since the report comes from SecureWave, which just happens to sell SecureNT, a product that locks down USB ports.
- Linux—specifically SuSE Linux installed on IBM hardware—just received a Common Criteria (CC) security certification. The bad news is that the tested product got only a low-to-moderate security rating. Comparatively, last year, Windows 2000 was rated moderate-to-high. Here's a link to this report, which comes from a Windows-oriented Web site. The testing itself wasn't done by Windows folks—it was sponsored by IBM in an attempt to win a high rating for its installations.
- Qualys, a security service for enterprises, has instituted a real-time vulnerability list that tracks the vulnerabilities that are most dangerous and that are being encountered most often by Qualys customers. In other words, this vulnerability list shows which dangerous vulnerabilities are actually being exploited on a real-time basis.
- Open Source Forge has released a report on the Linux 2.6 kernel that indicates that the new version of the kernel has addressed security concerns that some IT shops have had about Linux.
- According to a report by SecurityTracker, a hacker using the handle CyberTalon has reported a serious to critical flaw in Mollensoft FTP Server 3.x that allows local users to see other usernames and passwords. The cause is simple: The information is stored in plain text in the user directory.