From security@guardiandigital.com Sat Jun 30 04:51:33 2001 From: EnGarde Secure Linux X-Sender: security@mastermind.inside.guardiandigital.com To: engarde-security@guardiandigital.com, bugtraq@securityfocus.com Date: Fri, 29 Jun 2001 09:59:31 -0400 (EDT) Subject: [ESA-20010621-01] xinetd updates -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 +------------------------------------------------------------------------+ | EnGarde Secure Linux Security Advisory June 21, 2001 | | http://www.engardelinux.org/ ESA-20010621-01 | | | | Package: xinetd | | Summary: There are various bugs and security issues in the version of | | xinetd that shipped with EnGarde Secure Linux 1.0.1. | +------------------------------------------------------------------------+ EnGarde Secure Linux is a secure distribution of Linux that features improved access control, host and network intrusion detection, Web based secure remote management, complete e-commerce using AllCommerce, and integrated open source security tools. OVERVIEW - -------- There are bugs (both security and non-security) in xinetd. The non-security bug causes xinetd to fail after the first connection attempt and the security bug can potentially lead to a root comprimise via a buffer overflow. DETAIL - ------ The first bug is a non-security one. There were several reports on the engarde-users mailing list of vsftpd only accepting the first connection and dropping all subsequent ones. The users had a "Bad address" entry from xinetd in their logs. Rob Braun explains this problem: "The specific bug is in libs/src/misc/env.c, in the environment handling. The grow() function does a realloc() to extend the existing memory. The memory returned by realloc() is in an undefined state, and that's what is causing the bad address." This bug was fixed by upgrading to version 2.1.8.9pre15. The other bugs are as follows: 1) xinetd was setting its umask to 0. Thus, any children of xinetd would inherit this umask. This is not much of a security issue because the only service that is run out of xinetd is vsftpd, which sets its own umask (027 by default). 2) There was a buffer overflow in the logging code that could potentially allow a remote attacker to obtain root privileges by sending a very long username string in response to an ident request. This bug was found by zen-parse@gmx.net. Both of these bugs were fixed by upgrading to version 2.1.8.9pre16. Additionally, this version disables ident checking by default in xinetd.conf. If you would like to disable ident checking completely (which is recommended), you should remove the "USERID" option from the "log_on_success" and "log_on_failure" lines of /etc/xinetd.d/ftp. SOLUTION - -------- All users should upgrade to the most recent version, as outlined in this advisory. All updates can be found at: ftp://ftp.engardelinux.org/pub/engarde/stable/updates/ http://ftp.engardelinux.org/pub/engarde/stable/updates/ http://ftp.ibiblio.org/pub/linux/distributions/engarde/stable/updates/ Before upgrading the package, the machine must either: a) be booted into a "standard" kernel; or b) have LIDS disabled. To disable LIDS, execute the command: # /sbin/lidsadm -S -- -LIDS_GLOBAL To install the updated package, execute the command: # rpm -Uvh Once the updated package is installed, you need to restart xinetd: # /etc/init.d/xinetd restart To re-enable LIDS (if it was disabled), execute the command: # /sbin/lidsadm -S -- +LIDS_GLOBAL To verify the signature of the updated packages, execute the command: # rpm -Kv UPDATED PACKAGES - ---------------- These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra). Source Packages: SRPMS/xinetd-2.1.8.9pre16-1.0.17.src.rpm MD5 Sum: 118787db019ca76f44dc00cdca67c36e Binary Packages: i386/xinetd-2.1.8.9pre16-1.0.17.i386.rpm MD5 Sum: a48c022c82055db97f415f3f18bdefcf i686/xinetd-2.1.8.9pre16-1.0.17.i686.rpm MD5 Sum: cc3e2a218918a1ff2c107b68d7cbe8b2 REFERENCES - ---------- Guardian Digital's public key: http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY xinetd's Official Web Site: http://www.xinetd.org/ - -------------------------------------------------------------------------- $Id: ESA-20010621-01-xinetd,v 1.2 2001/06/29 13:56:38 rwm Exp $ - -------------------------------------------------------------------------- Author: Ryan W. Maple, Copyright 2001, Guardian Digital, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE7PInLHD5cqd57fu0RAgkGAJ0ReyjI3b+hz9tQBJWFedmkd+u1GgCfcFVh K2dMdDUDg2TQaPr3sHkRR/E= =3Xm5 -----END PGP SIGNATURE-----