Open Source

Red Hat offers patches for sudo, Kerberos, and ntpd

In this edition of his Locksmith column, John McCormick outlines important bug information for those who run Linux. As usual, he'll tell you who's affected, how to fix it, and where to go for more information.


Sudo (superuser do), a secure administrative access tool for Linux, poses a known buffer overrun threat, but a recently posted update fixes the problem. Sudo is freeware distributed under a BSD-style license.

Red Hat describes the problem as follows: “The code splitting a log entry into smaller chunks contained an overrunnable buffer. Carefully constructed long commands could lead to execution of code as root. There is no known exploit at this time.”

Applicability
This sudo problem applies to Red Hat Linux 7.0—alpha, i386, and also to other brands or versions of Linux that use sudo, including:

Fix
Red Hat Security Advisory RHSA-2001:018-02 details this sudo bug, and the patch provides the information you need to make repairs.

Sudo background
The Sudo home page contains links to sudo documentation and other useful information, including a troubleshooting FAQ.

Most administrative tasks in Linux require root access. A major weakness in Linux is that while many tasks require root access, the built-in tools to manage and restrict this access are weak.

For example, su is the shell command that allows a user to run as another user (in this case, one with root access), but to give this access, the password associated with this user must be distributed to anyone you want to grant root access to. Other similar tools give a bit more protection but don’t really provide robust security.

The purpose of sudo is to provide the Linux sysadmin with the ability to grant limited root privileges to specific users. According to sudo’s maintainer, Todd C. Miller, “The basic philosophy [behind sudo] is to give as few privileges as possible but still allow people to get their work done.”

Sudo grants a user setuid access to a program, and it’s possible to specify which hosts the user can log in from, greatly improving security. Sudo also provides other secure features. Since sudo is available for most Linux distributions and using it allows managers to define groups of hosts, commands, and users, it greatly simplifies administration and is thus a popular addition.

Kerberos IV update
Kerberos is the MIT-developed user authentication protocol used by many operating systems, including UNIX, Linux, and Windows. Red Hat security notice RHSA-2001:025-14 describes a problem with Kerberos IV ticket files. According to the notice, libkrb4 could “allow a malicious user to cause kerberized login services to overwrite the contents of any file on the system. The destroyed file would contain the Kerberos credentials of an unsuspecting user who had attempted to log in using the kerberized login service being exploited.”

Applicability
  • Red Hat Linux 6 and 7

  • Fix
    Upgrade to krb5-1.2.2 or, if this isn’t practical, install the Kerberos krb5-1.2.1 patches. According to the MIT advisory, patches for earlier versions may be generated and made available if requested.

    For further information on unsafe temporary file handing in Kerberos IV, see http://web.mit.edu/kerberos/www/advisories/krb4tkt.txt. For general Kerberos information, see http://web.mit.edu/kerberos/www/index.html.

    Ntpd (Network Time Daemon) and xntpd buffer overflow
    The Network Time Daemon code released with all versions of Red Hat Linux fails to properly check the size of a buffer used to hold incoming data, leading to a potential buffer overflow vulnerability that could allow a remote attacker to gain root-level access to systems.

    Applicability
  • All users of ntpd (Red Had Linux 7.0) and xntpd on Red Hat Linux 6.2 and earlier

  • Since the Network Time Daemon isn’t enabled by default, the vulnerability is no danger on systems where it isn’t used, unless it was installed by mistake.

    Fix
    Don’t install the Network Time Daemon if you don’t use that service. If you do use the daemon, see the Red Hat Security Advisory RHSA-2001:045-05 for patch information and links.

    Have you patched your Linux systems?
    We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.

     

    Editor's Picks

    Free Newsletters, In your Inbox