Linked by David Adams on Thu 28th Oct 2004 16:10 UTC, submitted by Anonymous
Linux distributor Suse has warned of one of the most serious security holes to date (a remote root vulnerability) in Version 2.6 of the Linux kernel, which could allow attackers to shut down a system running 2.6-based software. Suse's advisory [...] ranked the bug 9 out of 10 in severity.
Only affects versions < 2.6.8 w/ iptables
by Anonymous on Thu 28th Oct 2004 16:15 UTC

Before everyone worries:

"The problem lies in the way the kernel handles iptables firewall logging, and only affects systems with iptables-based firewalls, such as SUSEfirewall2, Suse said."

"The bug affects Suse Linux 9.1 and Suse Linux Enterprise Server (SLES) 9; Suse Linux 9.2 isn't affected because the version of the kernel it uses, 2.6.8, already contains a fix."

God
by Eric on Thu 28th Oct 2004 16:19 UTC
vector
by jophn deo on Thu 28th Oct 2004 16:22 UTC

"only affects systems with iptables-based firewalls, such as SUSEfirewall2, Suse said."

Which is pretty much every Linux distribution.
Is it possible to download the source of SuSE 2.6.8 kernel?
:-)

Re: God
by my_name on Thu 28th Oct 2004 16:25 UTC
The Suse warning is 7 days old
by JoseCC on Thu 28th Oct 2004 16:28 UTC

This is not news, because it is 7 days old.

look:

http://www.suse.com/de/security/2004_37_kernel.html

Package: kernel
Announcement-ID: SUSE-SA:2004:037
Date: Wednesday, Oct 20th 2004 18:00 MEST
Affected products: 9.1, SUSE Linux Enterprise Server 9
Vulnerability Type: remote denial of service
Severity (1-10): 9
SUSE default package: yes
Cross References: CAN-2004-0816, CAN-2004-0887

Content of this advisory:
1) security vulnerability resolved:
- remote system crash with enabled firewall
- local root exploit on the S/390 platform
- minor /proc information leaks
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
- libtiff
- cyrus-sasl
- php4
- zinf

What difference does it make....
by Anonymous on Thu 28th Oct 2004 16:30 UTC

if you've been running 2.6.8 for months now?

Damn SuSE
by Mike on Thu 28th Oct 2004 16:34 UTC

If they want to stick with old builds, that's what they're gonna get.

Re: God
by goyo on Thu 28th Oct 2004 16:35 UTC
RE: God
by Lumbergh on Thu 28th Oct 2004 16:39 UTC
RE: God
by Devilotx on Thu 28th Oct 2004 16:41 UTC
good service
by jophn deo on Thu 28th Oct 2004 16:41 UTC

What difference does it make....if you have been running 2.6.8 => for weeks

Nothing, but there are a lot of (SuSE 9.1) users with kernel < 2.6.8.

RE: God
by .Nyet on Thu 28th Oct 2004 16:49 UTC
solution
by TomHu on Thu 28th Oct 2004 16:57 UTC

Then if those users have an internet connection, they should make use of "YOU".

I don't like the SuSE Linux Distro that much, but YOU improved over time, and I would call it a bit better than Windows Update.

But far from what's possible || others already realised.

Why such a fuss about that problem?

Re: TomHu
by anonymous on Thu 28th Oct 2004 17:02 UTC

Just curious, what do you not like about SuSE 9.1?
I have a few issues with it as well. I have found that a few things with networking and pcmcia cards do not work as they should, and I'm surprised that the problems passed through QA.

9.2 Pro
by Flatline on Thu 28th Oct 2004 17:24 UTC

9.2 Pro seems to fix some things and break some others...I've noticed (on separate machines) that after a while, the volume levels for sound are set to mute by default and it takes some fiddling to get sound back at boot.

RE: God
by Zambizzi on Thu 28th Oct 2004 17:25 UTC
Very Old
by David on Thu 28th Oct 2004 17:31 UTC

This problem has been known for months. It relies on a carefully crafted packet, or set of packets, being sent to totally crash a Linux system using IPTables.

Some real work would be required to make it into a way of getting into your system, but it could be used to take a fair few systems offline.

old news
by Alexander on Thu 28th Oct 2004 17:42 UTC

grr bad osnews for reposting old news, I got worried for a sec there

Wake up and Smell the PR
by Tim Hardy on Thu 28th Oct 2004 17:46 UTC

I've been using Suse distros at home for a couple of years now and am fairly happy with their products but I can't help but detect a note of cynical opportunism about this - funny how they suggest an upgrade to the release that's just about to go on sale is the best fix for the problem...

Ha Ha Ha
by Curious on Thu 28th Oct 2004 17:56 UTC
Re: Ha Ha Ha
by Micheala De Izeicazia on Thu 28th Oct 2004 18:04 UTC
Re: Ha Ha Ha
by . on Thu 28th Oct 2004 18:06 UTC

Even though Linux is good, these Linux fanboys are making people like me, who love both Windows and Linux, so alienated from Linux that I love to see them getting kicked.

Ditto. Especially a system like Linux that has a fast growth rate, unlike OpenBSD. It's clear that security breaches will appear. Thank God the code is open-source so that developers around the world can point out these flaws and make it more secure. Linux shouldn't be a religion. Sorry. I also use both Windows and FreeBSD, and I'm not ashamed. I'm just working.

RE: Wake up and Smell the PR
by Zambizzi on Thu 28th Oct 2004 18:07 UTC

Very astute point, I was thinking the same thing.

An organization could save a lot of money finding (or hiring) in-house talent to simply upgrade their kernel(s), it's quite simple.

RE: Ha Ha Ha
by Jayclark on Thu 28th Oct 2004 18:08 UTC

"cursing windows for no reason."

Oh, believe me, there's a lot of reason to curse Windows. From its crappy file system to its security. Look at the list of critical problems for Windows. Just cleaned up a friend's Windows for getting a trojan while playing America's Army. I had to call the trojan man and it still did no good. But I curse Linux every day too, so maybe I just need anger management.

Ha Ha Ha
by Tyrone Miles on Thu 28th Oct 2004 18:18 UTC
Re: Ha Ha Ha
by David on Thu 28th Oct 2004 18:25 UTC

Where are all the Linux fanboys who just like to abuse Windows? Hahahaha....not that I hate Linux, but I hate the Linux fanboys' attitude, who just like to feel superior and say bad things about other OSes. I am happy that finally they got a kick on their A.

Try looking at the nature of the faults, how serious they are and under what circumstances they can be exploited. Microsoft should be so lucky to have an exploit like this, where no one can take over the system and all it does is take the box down through something that has to be crafted.

April 2004 - 2.6.8 - Fedora Core 2
by Anonymous on Thu 28th Oct 2004 18:27 UTC

So, from the other comments, 2.6.8 and later is not impacted?

RE: Re: Ha Ha Ha
by Anonymous on Thu 28th Oct 2004 18:29 UTC

Try looking at the nature of the faults, how serious they are and under what circumstances they can be exploited.

Did you miss the severity rating of 9/10? I put it right there for people like you who would try and downplay it.

Re: Ha ha ha
by Anonymous on Thu 28th Oct 2004 18:47 UTC

"Where are all the Linux fanboys who just like to abuse Windows?"

Nowhere. But as you can read, obviously the Windows fanboys are everywhere.

Let's face it: When a Windows security exploit is announced, Microsoft zealots defend it with their lives, saying things like "it's the user's fault", and often it takes several weeks before there's a fix.
When a Linux security exploit is announced, developers quickly fix it. The problem is thoroughly analyzed, published and discussed. And while the Microsoft zealots troll about how Linux sucks and is insecure, the rest of the world is busy fixing the problem, couldn't care less about the Microsoft zealots, and gets on with its life.

RE: Re: Ha Ha Ha By Anonymous
by Tyrone Miles on Thu 28th Oct 2004 18:47 UTC

Did you miss the severity rating of 9/10? I put it right there for people like you who would try and downplay it.

It's not to be downplayed. But at the same time has anyone had their machines taken down by a hack related to it?

On top of that it's a DoS attack, not a takeover, not a rootkit (which the Mac OS warning that came out the other day was. Isn't Mac OS based on FreeBSD?), not a worm and not a virus!

That means someone has to find that you have that particular version of Suse with that particular Kernel: Read the security report:

1) problem description, brief discussion

An integer underflow problem in the iptables firewall logging rules can allow a remote attacker to crash the machine by using a handcrafted IP packet. This attack is only possible with firewalling enabled.

We would like to thank Richard Hart for reporting the problem.

This problem has already been fixed in the 2.6.8 upstream Linux kernel, this update contains a backport of the fix.

Products running a 2.4 kernel are not affected.

Mitre has assigned the CVE ID CAN-2004-0816 for this problem.


Additionally, Martin Schwidefsky of IBM found an incorrectly handled privileged instruction which can lead to a local user gaining root user privileges.

This only affects the SUSE Linux Enterprise Server 9 on the S/390 platform and has been assigned CVE ID CAN-2004-0887.

Look how easy it is to fix without even putting in the patch right away:


2) If you are not using an iptables based firewall (like SUSEfirewall2) on your system, you are not affected.

If you are using a firewall, a workaround is to disable firewall logging of IP and TCP options.

We recommend updating the kernel.

Good lord calm down. LOL!
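
The workaround quoted above (keep the firewall, stop logging IP and TCP options) can be checked mechanically against a ruleset rather than by eyeballing it. The script below is an added example; it is not part of the SUSE advisory and not something any poster here wrote. It takes an iptables-save dump, lists the LOG rules that still carry the --log-ip-options / --log-tcp-options flags (both are real options of the iptables LOG target), and produces a copy with those two flags removed for iptables-restore. The ruleset is constructed for the example, and its SFW2-style prefixes only mimic SUSEfirewall2 naming; how to flip the same setting through SUSEfirewall2's own configuration is not covered here.

```shell
#!/bin/sh
# Added example, not from the SUSE advisory or from any post in this thread.
# Audits an iptables-save dump for LOG rules that log IP/TCP options and
# produces a copy with that option logging switched off, which is the
# workaround the advisory describes (keep the firewall, drop the option
# logging). --log-ip-options and --log-tcp-options are real LOG target
# flags; the ruleset below is constructed for this example and the
# SFW2-style prefixes only mimic SUSEfirewall2 naming.

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "SFW2-IN-DROP " --log-level 4 --log-ip-options --log-tcp-options
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "SFW2-FWD-DROP " --log-tcp-sequence
-A FORWARD -j DROP
COMMIT'

# Print every LOG rule that still asks the kernel to decode and log IP or
# TCP options. Takes the ruleset text as $1; prints nothing when clean.
find_option_logging() {
    printf '%s\n' "$1" | grep -E -- '-j LOG' | grep -E -- '--log-(ip|tcp)-options' || true
}

# Number of such rules (0 once the workaround is fully applied).
count_option_logging() {
    find_option_logging "$1" | grep -c . || true
}

# Same ruleset with only the two option-logging flags removed. Prefix,
# level and --log-tcp-sequence are untouched, so the rules keep logging.
strip_option_logging() {
    printf '%s\n' "$1" | sed -E 's/ --log-(ip|tcp)-options//g'
}

# On a real box, as root:
#   iptables-save > /root/rules.before
#   count_option_logging "$(cat /root/rules.before)"
#   strip_option_logging "$(cat /root/rules.before)" | iptables-restore
```

The count function is the check to keep: run it against iptables-save output after applying the workaround and before the kernel update lands, and treat any value other than 0 as "still exposed". The sed only touches the two flags, so the rest of each LOG rule, and the drop that follows it, stays exactly as it was.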

I prefer OpenVMS
by Frenchy on Thu 28th Oct 2004 18:50 UTC
Re: Ha Ha Ha
by Anonymous on Thu 28th Oct 2004 18:56 UTC
Re: RE: Ha Ha Ha
by Aris-T on Thu 28th Oct 2004 18:59 UTC

" "cursing windows for no reason."

Oh, believe me, there's a lot of reason to curse Windows. From its crappy file system to its security. Look at the list of critical problems for Windows. Just cleaned up a friend's Windows for getting a trojan while playing America's Army. I had to call the trojan man and it still did no good. But I curse Linux every day too, so maybe I just need anger management."

Funny, most of the problems I encounter with Windows systems 98% of the time were due to PEBKAC. I just cleaned off two Windows XP machines: one had NO anti virus and no firewall for their broadband connection while the other had spyware up the wazoo because of their kids' exploits (most of the spy junk was under the kids' logins). No matter what OS developers do they cannot patch the human element.

Properly maintained (not as hard as it sounds) and a little knowledge about do's and don'ts online can go a long way to a virus/spyware free Windows PC.

it's not a remote root
by newbert on Thu 28th Oct 2004 19:05 UTC

according to the article, there is no remote root. it's a remote DoS (denial of service). BIG difference. the other flaw mentioned in the article appears to be a local root for S/390 SuSE linux.

toast this
by newbert on Thu 28th Oct 2004 19:08 UTC

stabbed my toaster to death

everyone knows toasters run NetBSD and are NOT affected. you just wasted a perfectly good toaster.

RE: toast this
by Flatline on Thu 28th Oct 2004 19:11 UTC

"everyone knows toasters run NetBSD and are NOT affected. you just wasted a perfectly good toaster."

Aaaah, but only Linux will run on a dead badger:

http://www.strangehorizons.com/2004/20040405/badger.shtml

RE: God
by Admiral Horror on Thu 28th Oct 2004 19:15 UTC
It's the Linux KERNEL!
by Anonymous on Thu 28th Oct 2004 19:16 UTC

SUSE isn't the issue here folks...it's any distribution running Linux kernel 2.6. So switching distros isn't going to help you if the kernel is the same. SUSE was only reporting the security issue. Don't shoot the messenger.

Macintouch reports that the first instance of destructive malware for the Mac has been identified. It doesn't appear to spread on its own, however.

It appears as an item called "Opener" in /Library/StartupItems containing a bash script. When a system starts up, this item will run and does the following:

* tries to install ohphoneX, a teleconferencing program

* kills LittleSnitch before every Internet connection it makes
* installs a keystroke recorder
* creates a hidden account
* grabs the open-firmware password
* Installs OSXvnc
* Grabs your office 2004 PID (serial number), as well as serial numbers for Mac OS XServer, adobe registrations, VirtualPC 6, Final Cut Pro, LittleSnitch, Apple Pro Apps, your DynDNS account, Timbuk2, and webserver users.
* tries to decrypt all the MD5 encrypted user passwords
* decrypts all users keychains.
* grabs your AIM logs, and other settings and preferences with info you probably don't want others to have
* grabs stuff from your Classic preferences
* changes your Limewire settings to max out your upload and files.
* installs dsniff to sniff for passwords
* has your daily cron task try to get your password from the virtual memory swapfile
* installs an app called John The Ripper - a password cracker that uses a dictionary method to crack passwords
* turns on file sharing and places the information it gathers in a hidden directory called .info inside your public folder.

The hidden user account is called LDAP-daemon.

One way to see if you're infected is by entering the following command in the terminal:

sudo ls -l /Users/*/Public/.info

If you're NOT infected, it will show:

ls: /Users/*/Public/.info: No such file or directory

http://64.233.161.104/search?q=cache:DnMyvqEglRkJ:www.macmegasite.c...
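
The ls check above only looks for the drop directory. The function below is an added example, not from the Macintouch report and not from the poster: it checks a filesystem root for three of the indicators listed there, the Opener startup item, the hidden .info directory under any user's Public folder, and, on a running Mac only, the hidden LDAP-daemon account. Pass a root directory to scan a mounted or copied disk, or no argument for the live system, and run it with sudo so other users' folders are readable. The dscl call is an assumption about the Mac OS X tools of the time and is skipped wherever dscl is not installed.

```shell
#!/bin/sh
# Added example, not from the Macintouch report or the post above.
# Checks for three Opener indicators named in that report: the startup
# item, the hidden .info drop directory in any user's Public folder and
# (on a live Mac only) the hidden LDAP-daemon account. Findings go to
# stderr; the number of indicators hit goes to stdout.
#
# Usage: sudo sh opener-check.sh              # running system
#        sudo sh opener-check.sh /Volumes/X   # mounted or copied disk
# The dscl invocation is an assumption about the Mac OS X tools of the
# time and is skipped where dscl is not installed.

check_opener_indicators() {
    root=${1:-}          # empty string means the running system
    found=0

    if [ -e "$root/Library/StartupItems/Opener" ]; then
        echo "startup item present: $root/Library/StartupItems/Opener" >&2
        found=$((found + 1))
    fi

    # The report's own check, extended to every home directory under the root.
    for d in "$root"/Users/*/Public/.info; do
        [ -e "$d" ] || continue
        echo "hidden drop directory: $d" >&2
        found=$((found + 1))
    done

    # Looking up the hidden account only makes sense on the running system.
    if [ -z "$root" ] && command -v dscl >/dev/null 2>&1; then
        if dscl . -list /Users 2>/dev/null | grep -qx 'LDAP-daemon'; then
            echo "hidden account present: LDAP-daemon" >&2
            found=$((found + 1))
        fi
    fi

    echo "$found"
}

# Exit status 0 means no indicator was found, 1 means at least one was.
opener_scan() {
    n=$(check_opener_indicators "$@")
    [ "$n" -eq 0 ]
}
```

A zero count is not proof of a clean machine, since the report lists more artifacts (the keystroke recorder, OSXvnc, dsniff, the cron task) than this checks for; a non-zero count is enough to take the box off the network and image it before touching anything else.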

hmm, somebody is awake after all
by jophn deo on Thu 28th Oct 2004 19:25 UTC
Re: God
by afraid on Thu 28th Oct 2004 19:33 UTC

I just switched back to a mule-powered abacus.

Re: RE: Re: Ha Ha Ha
by David on Thu 28th Oct 2004 20:00 UTC

Did you miss the severity rating of 9/10? I put it right there for people like you who would try and downplay it.

It's got a high severity rating because it can take down whole systems, and many people will be using IPTables so that's why a patch is required. However, we should not pretend that this is some free RPC/DCOM back entrance into your systems that allows others total control. It isn't.

As IT professionals, we're supposed to make those judgements and use our intelligence.

cattle
by aranea on Thu 28th Oct 2004 20:12 UTC
Goodness
by Paul-Michael Bauer on Thu 28th Oct 2004 20:17 UTC
RE: Goodness
by Sid on Thu 28th Oct 2004 21:08 UTC

Yeah you see it every day! someone on here needs to get a life and stop taking things so seriously!

@tyrone:
by AdamW on Thu 28th Oct 2004 21:12 UTC

actually, they just have to find anyone running a pre-2.6.8 kernel in the 2.6 series. but as others have pointed out, this is a DoS not an access vulnerability, which makes such a high rating a little odd. What would they rate an easily exploitable remote root vuln? 11, in homage to Spinal Tap? ;) Note that Secunia gave it a moderate rating.

Pay closer attention.
by Dark_Knight on Thu 28th Oct 2004 22:19 UTC

I wish people would take time to not only review articles before posting on OSNews but also actually take time to read security notices from developers. The SuSE Linux Security Response Team released the notice on Oct. 20, 2004, then released a bug fix through YOU (YaST Online Update) later that same day. You do not have to update to 2.6.8 or the latest kernel 2.6.9, since Novell, as is typical, backports security features into their customers' kernel. So I now have the fix for kernel 2.6.5-7.111, which was auto-installed thanks to SuSE Watcher, which also gives security notices when updates are available. How fast do Microsoft, Apple or even other Linux developers respond to such an issue: 6 hours, 24 hours, weeks or even months? Come on people, get a grip and relax.

Re: Re: RE: Re: Ha Ha Ha
by Russian Guy on Thu 28th Oct 2004 23:00 UTC

>However, we should not pretend that this is some free RPC/DCOM back entrance into your systems that allows others total control.

We should not pretend that RPC/DCOM is a back entrance. It was a bug, like the bug in SSH that allowed a back entrance into your systems that allows others total control. Like the bug in Sendmail that allowed a back entrance into your systems. Like the bug in Apache that allowed a back entrance into your systems.

We should also not pretend that we don't know the patch for RPC/DCOM was available days, weeks before the exploit.

>As IT professionals, we're supposed to make those judgements and use our intelligence.

True, and also not spread the FUD about OS we don't like and sugarpill issues with OS we do.

Linux kernel remote DoS is non-issue, if you listen to some.

For extra fun: the initial version of the SuSE advisory suggested applying the patch OR disabling the firewall. True fact. I am glad they took that pathetic suggestion off.

Auto-Update is evil
by Russian Guy on Thu 28th Oct 2004 23:02 UTC

>I now have the fix for kernel 2.6.5-7.111 that was auto-installed thanks to SuSE Watcher which also gives security notices when updates are available.

But, but, but.. auto-update is evil! At least, it was evil until Linux distros innovated it. Finally, it is good.

Sure, it is good - glad we can all come to our senses and stop putting users in harm's way by telling them to disable automatic updates of their beloved [enter name here] OS.

@russian guy:
by AdamW on Thu 28th Oct 2004 23:14 UTC

erm, whoever said autoupdate was evil? It's fairly evil for enterprise situations where patches can have unintended effects, but then, any half-competent sysadmin can turn it off. Now, pushing non-security-related (i.e., new versions and 'features') and EULA changes over auto-update, that would be a different matter, and that's what some people worried about when Microsoft started using auto-update. Not sure if it's actually happened, though.

Re: Auto-Update is evil
by Andre Lourenco on Fri 29th Oct 2004 09:16 UTC

Some people like auto-updates, some people do not.

It doesn't matter what OS you use - if you like it, turn it on; if you don't, turn it off.

rewriting history
by newbert on Fri 29th Oct 2004 16:31 UTC

We should also not pretend that we don't know the patch for RPC/DCOM was available days, weeks before the exploit.

This is not exactly true. I was reading Bugtraq when LSD released the exploit. They basically told MS, gave them 0 to a few days, then released a preliminary post that gave few details. Others figured out the rest of the exploit and released PoC code; a few days later the worm was released.

The patch was available before the worm, and probably before the PoC code, but LSD (Last Stage of Delirium) had it first.

Re: RE: Re: Ha ha ha
by mikeyd on Fri 29th Oct 2004 18:06 UTC

one had NO anti virus and no firewall for their broadband connection

You cannot call this user error. An OS should be secure by default. It should not rely on the user downloading or buying external programs.

Re: Auto-Update is evil
by Dinora on Fri 29th Oct 2004 18:39 UTC

Evil, no. A PITA, yes. Imagine you have a machine set for auto update, you're on dial-up, and here comes a 75MB SP2 coming down the wire. Now that's a lot of fun. Forget using the internet for the rest of the day.

Re: RE: Re: Ha ha ha
by Dinora on Fri 29th Oct 2004 18:44 UTC

Funny you should make an issue of this, when only a short time after SP2 was released, we got this:
http://www.osnews.com/story.php?news_id=8537
"Microsoft warns of a score of security flaws"

A score, mind you. We're talking about ONE exploit here.

"Microsoft on Tuesday published 10 software security advisories, warning Windows users and corporate administrators of 22 new flaws that affect the company's products."

22. Count'em.

RE: Re: RE: Ha Ha Ha
by Jean-Marc on Fri 29th Oct 2004 20:51 UTC

Funny, most of the problems I encounter with Windows systems 98% of the time were due to PEBKAC. I just cleaned off two Windows XP machines: one had NO anti virus and no firewall for their broadband connection while the other had spyware up the wazoo because of their kids' exploits (most of the spy junk was under the kids' logins). No matter what OS developers do they cannot patch the human element.

That is why they have to make the system more secure in the first place. Even on my own system, on the Windows side (the system I use like 5% of the time ;) ), with a firewall, an antivirus and two spyware removal tools, I get infected sometimes. They cannot expect the kids, especially if they are younger, to know everything about computer/Internet security. I am surprised that all this software can be installed on my computer without me authorizing any of it.

Properly maintained (not as hard as it sounds) and a little knowledge about do's and don'ts online can go a long way to a virus/spyware free Windows PC.

Your grandmother will probably never be a security expert. Does that mean that she could not use the Internet herself? Linux is far from perfection because it is maybe a bit more difficult to install/configure. But once installed, you do not have to worry about spyware, you use Firefox to block most popups (with the Adblock extension, you can easily block ads too) and can laugh in the face of all the Windows viruses. ;)

Re: mikeyd (IP: ---.plus.com)
by drsmithy on Sat 30th Oct 2004 03:41 UTC

You cannot call this user error. An OS should be secure by default. It should not rely on the user downloading or buying external programs.

1. XP has a perfectly good built-in firewall.
2. Operating systems cannot stop users deliberately installing and running software (which is, from the OS's perspective, all a virus is).

Which aspect of "security", exactly, do you feel will stop an end user installing a program that has malicious code in it?

Re: Jean-Marc (IP: ---.agere.com)
by drsmithy on Sat 30th Oct 2004 07:39 UTC

That is why they have to make the system more secure in the first place. Even on my own system, on the Windows side (the system I use like 5 % of the time ;) ) with a firewall, and antivirus and two spyware removal tools I get infected sometimes.

You don't "get infected", you (clearly) practice risky behaviour and pay the price. For anything to be installed, you must be running as an Administrator. Presumably you're also using some version of IE that isn't up-to-date with patches, or some mail client that isn't patched (or has known vulnerabilities).

These things don't just appear out of the ether - something you are doing is allowing them to be installed. Try running as a regular user and using Firefox instead of IE.

Hell, if you *must* run IE to browse dodgy web sites (which would be my first guess as to where the spyware, etc. is getting in) then create a new "Limited User" account specifically to run only the IE executable under, and use it via the "Run As" facility from your regular account. This is trivial to do with Windows 2003, XP or 2000.