≡ Menu

attacker

Tavis Ormandy discovered that the PCRE library did not correctly handle certain in-pattern options. An attacker could cause applications linked against pcre3 to crash, leading to a denial of service.

A security issue affects the following Ubuntu releases for CVE-2008-2371:

=> Ubuntu 6.06 LTS
=> Ubuntu 7.04
=> Ubuntu 7.10
=> Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

How do I fix this issue?

Type the following two commands, enter:
$ sudo apt-get update
$ sudo apt-get upgrade

Red Hat has issues urgent security update for rhpki package -- the Red Hat PKI Common Framework. This update has been rated as having important security impact by the Red Hat Security Response Team.

Red Hat Certificate System (RHCS) is an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments. rhpki-common -- the Red Hat PKI Common Framework -- is required by the following four RHCS subsystems: the Red Hat Certificate Authority; the Red
Hat Data Recovery Manager; the Red Hat Online Certificate Status Protocol Manager; and the Red Hat Token Key Service.

A flaw was found in the way Red Hat Certificate System handled Extensions in the certificate signing requests (CSR). All requested Extensions were added to the issued certificate even if constraints were defined in the Certificate Authority (CA) profile. An attacker could submit a CSR for a
subordinate CA certificate even if the CA configuration prohibited subordinate CA certificates. This lead to a bypass of the intended security policy, possibly simplifying man-in-the-middle attacks against users that trust Certificate Authorities managed by Red Hat Certificate System.

How do I update my system?

Simply type the following command:
# yum update
Sample output:

Loading "rhnplugin" plugin
Loading "security" plugin
rhel-x86_64-server-vt-5   100% |=========================| 1.2 kB    00:00
rhel-x86_64-server-5      100% |=========================| 1.2 kB    00:00
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package yelp.x86_64 0:2.16.0-19.el5 set to be updated
---> Package nspr.i386 0:4.7.1-1.el5 set to be updated
---> Package nspr.x86_64 0:4.7.1-1.el5 set to be updated
---> Package nss.i386 0:3.12.0.3-1.el5 set to be updated
---> Package nss-tools.x86_64 0:3.12.0.3-1.el5 set to be updated
---> Package nss.x86_64 0:3.12.0.3-1.el5 set to be updated
---> Package xulrunner.x86_64 0:1.9-1.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Updating:
 nspr                    i386       4.7.1-1.el5      rhel-x86_64-server-5  119 k
 nspr                    x86_64     4.7.1-1.el5      rhel-x86_64-server-5  117 k
 nss                     i386       3.12.0.3-1.el5   rhel-x86_64-server-5  1.1 M
 nss                     x86_64     3.12.0.3-1.el5   rhel-x86_64-server-5  1.1 M
 nss-tools               x86_64     3.12.0.3-1.el5   rhel-x86_64-server-5  2.2 M
 xulrunner               x86_64     1.9-1.el5        rhel-x86_64-server-5   10 M
 yelp                    x86_64     2.16.0-19.el5    rhel-x86_64-server-5  583 k
Transaction Summary
=============================================================================
Install      0 Package(s)
Update       7 Package(s)
Remove       0 Package(s)
Total download size: 16 M
Is this ok [y/N]: y
Downloading Packages:
(1/7): xulrunner-1.9-1.el 100% |=========================|  10 MB    00:09
(2/7): nss-3.12.0.3-1.el5 100% |=========================| 1.1 MB    00:00
(3/7): nss-tools-3.12.0.3 100% |=========================| 2.2 MB    00:02
(4/7): nss-3.12.0.3-1.el5 100% |=========================| 1.1 MB    00:00
(5/7): nspr-4.7.1-1.el5.x 100% |=========================| 117 kB    00:00
(6/7): nspr-4.7.1-1.el5.i 100% |=========================| 119 kB    00:00
(7/7): yelp-2.16.0-19.el5 100% |=========================| 583 kB    00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating  : nspr                         ####################### [ 1/14]
  Updating  : nss                          ####################### [ 2/14]
  Updating  : xulrunner                    ####################### [ 3/14]
  Updating  : nspr                         ####################### [ 4/14]
  Updating  : yelp                         ####################### [ 5/14]
  Updating  : nss-tools                    ####################### [ 6/14]
  Updating  : nss                          ####################### [ 7/14]
warning: /etc/pki/nssdb/cert8.db created as /etc/pki/nssdb/cert8.db.rpmnew
warning: /etc/pki/nssdb/key3.db created as /etc/pki/nssdb/key3.db.rpmnew
  Cleanup   : yelp                         ####################### [ 8/14]
  Cleanup   : nspr                         ####################### [ 9/14]
  Cleanup   : nspr                         ####################### [10/14]
  Cleanup   : nss                          ####################### [11/14]
  Cleanup   : nss-tools                    ####################### [12/14]
  Cleanup   : nss                          ####################### [13/14]
  Cleanup   : xulrunner                    ####################### [14/14]
Updated: nspr.i386 0:4.7.1-1.el5 nspr.x86_64 0:4.7.1-1.el5 nss.i386 0:3.12.0.3-1.el5 nss.x86_64 0:3.12.0.3-1.el5 nss-tools.x86_64 0:3.12.0.3-1.el5 xulrunner.x86_64 0:1.9-1.el5 yelp.x86_64 0:2.16.0-19.el5
Complete!

A security issue affects the following Ubuntu releases:

=> Ubuntu 6.06 LTS
=> Ubuntu 7.04
=> Ubuntu 7.10
=> Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller,
a remote attacker could send malicious logon requests and possibly cause a denial of service. (CVE-2007-4572)

Alin Rad Pop of Secunia Research discovered that Samba did not properly perform bounds checking when parsing SMB replies. A remote attacker could send crafted SMB packets and execute arbitrary code. (CVE-2008-1105)

How do I fix this issue?

Login as root and type the following two commands:
$ sudo apt-get update
$ sudo apt-get upgrade

Understanding Forensics

Forensics is the art and science of applying computer science to aid the legal process. Linux journal has published a nice introduction to Forensics:

A break-in can happen to any system administrator. Find out how to use Autopsy and Sleuthkit to hit the ground running on your first forensics project.

There are certain aspects to system administration that you can learn only from experience. Computer forensics (among other things the ability to piece together clues from a system to determine how an intruder broke in) can take years or even decades to master. If you have never conducted a forensics analysis on a computer, you might not even know exactly where to start. In this guide, I cover how to use the set of forensics tools in Sleuthkit with its Web front end, Autopsy, to organize your first forensics case.

One of the most common scenarios in which you might want to use forensics tools on a system is the case of a break-in. If your system has been compromised, you must figure out how the attacker broke in so you can patch that security hole. Before you do anything, you need to make an important decision—do you plan to involve law enforcement and prosecute the attacker?

=> Introduction to Forensics

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. This is a well known type of attack and is generally not effective against modern networks. It works if a server allocates resources after receiving a SYN, but before it has received the ACK.

if Half-open connections bind resources on the server, it may be possible to take up all these resources by flooding the server with SYN messages. Syn flood is common attack and it can be block with following iptables rules:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN

All incoming connection are allowed till limit is reached:

  • --limit 1/s: Maximum average matching rate in seconds
  • --limit-burst 3: Maximum initial number of packets to match

Open our iptables script, add the rules as follows:

# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
#Limiting the incoming icmp ping request:
iptables -A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT

First rule will accept ping connections to 1 per second, with an initial burst of 1. If this level crossed it will log the packet with PING-DROP in /var/log/message file. Third rule will drop packet if it tries to cross this limit. Fourth and final rule will allow you to use the continue established ping request of existing connection.
Where,

  • ‐‐limit rate: Maximum average matching rate: specified as a number, with an optional ‘/second’, ‘/minute’, ‘/hour’, or ‘/day’ suffix; the default is 3/hour.
  • ‐‐limit‐burst number: Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

You need to adjust the –limit-rate and –limit-burst according to your network traffic and requirements.

Let us assume that you need to limit incoming connection to ssh server (port 22) no more than 10 connections in a 10 minute:

iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

See also:

More information on recent patch can be found here