400K+ Exim MTA affected by overflow vulnerability on Linux/Unix

Posted in Categories Linux News, Security; last updated March 8, 2018

Exim is a free and open source message transfer agent (MTA) developed at the University of Cambridge. It is widely used on Unix and Linux systems connected to the Internet and is freely available under the terms of the GNU General Public Licence. A buffer overflow in Exim's base64d() function allows an attacker to run code remotely. All versions of Exim MTA are affected by this overflow vulnerability, tracked as CVE-2018-6789.

Book Review: SSH Mastery – OpenSSH, PuTTY, Tunnels & Keys

Posted in Categories Open Source, Reviews, Security; last updated March 6, 2018

OpenSSH needs no introduction. OpenSSH is a free and open source suite of security-related software based on the SSH protocol. It provides secure network communication and tunneling capabilities, and gives peace of mind when communicating with a Linux or Unix-like server over the Internet or any other insecure network.

SSH is essential for both sysadmins and developers. The book “SSH Mastery” (2nd ed) covers the OpenSSH server and clients, encryption, public/private keys, VPNs and other security-related network-level utilities based on the Secure Shell (SSH) protocol.

OpenSSL drops TLS 1.0/1.1 support for Debian Unstable and what does it mean for Debian sid users?

Posted in Categories Debian Linux; last updated August 7, 2017

From the announcement mailing list:

I’ve just uploaded a version of OpenSSL to unstable that disables the TLS 1.0 and 1.1 protocols. This currently leaves TLS 1.2 as the only supported SSL/TLS protocol version.

This will likely break certain things that for whatever reason still don’t support TLS 1.2. I strongly suggest that if it’s not supported that you add support for it, or get the other side to add support for it.

OpenSSL made a release 5 years ago that supported TLS 1.2. The current support of the server side seems to be around 90%. I hope that by the time Buster releases the support for TLS 1.2 will be high enough that I don’t need to enable them again.

Patch your FreeBSD server for openssh vulnerabilities [11/Jan/2017]

Posted in Categories Link; last updated January 11, 2017

OpenSSH is critical for both sysadmins and programmers. It is an implementation of the SSH protocol suite from the OpenBSD project, and it provides an encrypted session to your server.

OpenSSH multiple vulnerabilities

As of 11th January 2017, OpenSSH running on the FreeBSD operating system has multiple vulnerabilities. From the advisory:

The ssh-agent(1) agent supports loading a PKCS#11 module from outside a trusted whitelist. An attacker can request loading of a PKCS#11 module across a forwarded agent socket. [CVE-2016-10009]

When privilege separation is disabled, forwarded Unix domain sockets would be created by sshd(8) with the privileges of ‘root’ instead of the authenticated user. [CVE-2016-10010]

Solution

I updated my vulnerable FreeBSD box via a binary patch:
# freebsd-update fetch
# freebsd-update install
# service sshd restart
# ps aux | grep -i ssh-agent

If any ssh-agent process is found, kill all running ssh-agent processes:
# killall ssh-agent

Fig.01: Fixed FreeBSD-SA-17:01.openssh

For more info see FreeBSD security mailing list.

Why HTTPS for Everything?

Posted in Categories Link; last updated January 6, 2017

HTTPS enables privacy and integrity by default. It is going to be the next big thing. The internet’s standards bodies, web browsers, major tech companies, and the internet community of practice have all come to understand that HTTPS should be the baseline for all web traffic. Ultimately, the goal of the internet community is to establish encryption as the norm and to phase out unencrypted connections. Investing in HTTPS makes it faster, cheaper, and easier for everyone.

Free SSL certificate for all

You can get your free SSL certificate from the Let’s Encrypt project. It is a certificate authority, launched on April 12, 2016, that provides free X.509 certificates for Transport Layer Security (TLS) encryption. See how to configure and use Let’s Encrypt TLS on an Ubuntu or Debian Linux system:

In this tutorial, I will explain how to use Let’s Encrypt to install a free SSL certificate for the Nginx web server, along with how to deploy Diffie-Hellman parameters properly on your nginx server to get an SSL Labs A+ score.

Touch ID Support for sudo in MacOS Terminal for MacBook Pro

Posted in Categories Link; last updated October 31, 2016

Well, that was fast. Touch ID is a fingerprint recognition security feature designed and released by Apple. It is currently available on the iPhone 5s/6/7 and the 2016 MacBook Pro models. Many consider it a huge security win for the MacBook Pro. It sounds like an amazing feature for command line users.

Say hello to sudo-touchid

sudo-touchid is a fork of sudo with Touch ID support on macOS (powered by the LocalAuthentication framework). Once compiled, it will allow you to authenticate sudo commands with Touch ID in the Terminal on supported Macs (such as the late 2016 MacBook Pros). Since Darwin sources for macOS 10.12 are not available yet, this project is based on sudo sources corresponding to OS X 10.11.6 and obtained from opensource.apple.com.


Forcefully mark a pfSense WAN gateway as down

Posted in Categories Link; last updated October 28, 2016

From the article:

I have two internet connections (fiber and 4G LTE) configured in load balanced mode using the FreeBSD-based pfSense firewall. One of my WAN connections is running out of bandwidth quota. How can I force this interface off to save bandwidth until month end and enable it again from the next billing cycle?


Dyn, a cloud-based DNS service, under DDoS attack; major sites such as Twitter, Reddit, Spotify, PayPal and others taken down

Posted in Categories Link; last updated October 21, 2016

A massive DDoS (distributed denial-of-service) attack against the popular cloud-based DNS provider Dyn.com took down major websites. Dyn.com confirmed it on Twitter:

The following sites are having issues due to DNS problems:

  1. Twitter
  2. SoundCloud
  3. Spotify
  4. Netflix
  5. Reddit
  6. Disqus
  7. PayPal
  8. Basecamp
  9. Business Insider
  10. CNN
  11. Etsy
  12. Github
  13. Guardian.co.uk
  14. Imgur
  15. HBO Now
  16. Pinterest
  17. Recode
  18. The Verge
  19. Wired and more

You can verify a domain's name servers (NS records) with the following standard Unix command:
$ host -t ns twitter.com

twitter.com name server ns2.p34.dynect.net.
twitter.com name server ns1.p34.dynect.net.
twitter.com name server ns4.p34.dynect.net.
twitter.com name server ns3.p34.dynect.net.
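The output above shows every NS record for the zone pointing at a single operator, which is exactly why one provider's outage took so many sites offline. As an added example (not part of the original post), the following parses `host -t ns` output and flags zones whose name servers all belong to one provider; grouping by the last two labels of the hostname is an assumption that works for names like dynect.net but not for every TLD.

```python
import re
from collections import defaultdict

# Constructed sample input: the `host -t ns twitter.com` output quoted above.
SAMPLE_HOST_OUTPUT = """\
twitter.com name server ns2.p34.dynect.net.
twitter.com name server ns1.p34.dynect.net.
twitter.com name server ns4.p34.dynect.net.
twitter.com name server ns3.p34.dynect.net.
"""

# One `host -t ns` answer line: "<zone> name server <hostname>." (trailing dot optional)
NS_LINE = re.compile(r"^(?P<zone>\S+) name server (?P<ns>\S+?)\.?$")


def parse_host_ns(output):
    """Return the name-server hostnames (lowercased, no trailing dot) from host output."""
    servers = []
    for line in output.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            servers.append(m.group("ns").lower())
    return servers


def provider_of(ns_host):
    """Approximate the operator by the registrable domain.
    Assumption: the last two labels identify the provider (fine for .net/.com names)."""
    labels = ns_host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def ns_providers(output):
    """Group name servers by provider, e.g. {'dynect.net': ['ns2.p34.dynect.net', ...]}."""
    groups = defaultdict(list)
    for ns in parse_host_ns(output):
        groups[provider_of(ns)].append(ns)
    return dict(groups)


def single_provider_risk(output):
    """True when every NS record points at one operator: an outage there
    (as with Dyn on 21 Oct 2016) takes the whole zone offline."""
    groups = ns_providers(output)
    return len(groups) == 1 and any(groups.values())
```

Feeding it the live output of `host -t ns yourdomain.example` shows whether your own zone has a secondary provider to fall back on.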

From the official announcement:

This attack is mainly impacting US East and is impacting Managed DNS customers in this region. Our Engineers are continuing to work on mitigating this issue. Services have been restored to normal as of 13:20 UTC on 21/Oct/2016. But, I’m still seeing problems.

This DDoS attack may also be impacting Dyn Managed DNS advanced services with possible delays in monitoring. Our Engineers are continuing to work on mitigating this issue. — Oct 21, 2016 – 16:48 UTC

See the “DDoS Attack Against Dyn Managed DNS” update page for up to date information.
