Monday, February 27, 2012

ISS: ISS security advisory -- Buffer overflow in "Super" package in Debian Linux.

M2 PRESSWIRE-24 February 1999-ISS: ISS security advisory -- Buffer overflow in "Super" package in Debian Linux (C)1994-99 M2 COMMUNICATIONS LTD

RDATE:150299

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a vulnerability in the system administration utility "Super". Super is used by administrators to allow certain users to execute commands with root privileges. The vulnerable package is distributed with Debian Linux, and the flaw may allow local attackers to gain root access. Super is a GNU copylefted package that ships with recent Debian Linux distributions, but it can also be installed and configured on many other Unix variants.

Affected versions:

ISS X-Force has determined that version 3.9.6 through version 3.11.6 are vulnerable. All versions of Super distributed with Debian Linux are vulnerable. Execute the following command to determine version information: # /usr/bin/super -V

Fix Information:

Super 3.11.7 is available at: ftp.ucolick.org:/pub/users/will/super-3.11.7.tar.gz

The new version of Super will be available soon on the mirror: ftp.onshore.com:/pub/mirror/software/super

Please refer to these locations for fixes which are included in Super version 3.11.7.

Description:

Super is a utility that allows authorised users to execute commands with root privileges. It is intended as an alternative to setuid scripts, which are inherently dangerous. A buffer overflow exists in Super; because the binary is installed setuid root, a local attacker who triggers the overflow may be able to execute code with root privileges.

Recommended Action:

Version 3.11.7 should be installed immediately. Administrators should also take care to disable setuid root utilities that regular users do not need. To disable Super until it can be upgraded, execute the following command as root to clear the setuid bit: # chmod 755 /usr/bin/super Note that Super relies on the setuid bit to run commands as root, so this leaves the package installed but unable to perform its function; a later package upgrade or reinstall may set the bit again, so verify the mode afterwards with ls -l /usr/bin/super.
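The check and the mitigation above, as an added audit script that is not part of the ISS advisory, the Super package or Debian's tooling: it compares the version printed by the installed super binary against the advisory's vulnerable range (3.9.6 through 3.11.6), reports whether the binary is still setuid, can clear only the setuid bit, and lists other setuid files so that unused setuid root utilities can be found. It assumes that "super -V" prints a dotted version such as "3.11.6" somewhere in its output; the advisory does not document the exact output format, so that parsing is an assumption.

```shell
#!/bin/sh
# Added audit helper (not part of the ISS advisory or the super package).
# Checks the installed super against the advisory's vulnerable range
# (3.9.6 through 3.11.6), reports whether it is still setuid, and lists
# setuid files so unused setuid-root utilities can be disabled.
# Assumption: `super -V` prints a dotted version such as "3.11.6" somewhere
# in its output; the exact format is not given in the advisory.

# Return 0 if dotted version $1 lies in the vulnerable range 3.9.6 .. 3.11.6.
super_version_vulnerable() {
    v=$1
    case "$v" in ''|*[!0-9.]*) return 1 ;; esac   # only digits and dots
    maj=${v%%.*}; rest=${v#*.}
    if [ "$rest" = "$v" ]; then rest=0; fi       # "3"    -> 3.0.0
    min=${rest%%.*}; pat=${rest#*.}
    if [ "$pat" = "$rest" ]; then pat=0; fi      # "3.11" -> 3.11.0
    # Pack into one integer (major*10^6 + minor*10^3 + patch) for comparison.
    n=$(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
    [ "$n" -ge 3009006 ] && [ "$n" -le 3011006 ]
}

# Print the version reported by the super binary $1: the first dotted
# triple found in the output of `$1 -V`, or nothing if there is none.
super_installed_version() {
    "$1" -V 2>&1 | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 if regular file $1 has the setuid bit set.
is_setuid() {
    [ -n "$(find "$1" -prune -type f -perm -4000 -print 2>/dev/null)" ]
}

# List setuid regular files under the given directories, staying on the
# filesystem of each starting point.
list_setuid() {
    find "$@" -xdev -type f -perm -4000 -print 2>/dev/null
}

# Clear only the setuid bit of $1. For a 4755 binary this has the same effect
# as the advisory's `chmod 755`, but it leaves the other mode bits untouched.
drop_setuid() {
    chmod u-s "$1"
}

# Report on one super binary. Returns 0 if the version is outside the
# vulnerable range, 1 if it is vulnerable, 2 if the binary or its version
# could not be determined.
check_super() {
    bin=${1:-/usr/bin/super}
    if [ ! -x "$bin" ]; then
        echo "$bin: not installed or not executable"
        return 2
    fi
    ver=$(super_installed_version "$bin")
    status=0
    if [ -z "$ver" ]; then
        echo "$bin: could not parse a version from '$bin -V'"
        status=2
    elif super_version_vulnerable "$ver"; then
        echo "$bin: version $ver is in the vulnerable range 3.9.6-3.11.6; upgrade to 3.11.7"
        status=1
    else
        echo "$bin: version $ver is outside the vulnerable range"
    fi
    if is_setuid "$bin"; then
        echo "$bin: setuid bit is set (super needs it to work; 'chmod u-s $bin' disables it)"
    else
        echo "$bin: setuid bit is clear (super cannot grant root until it is restored)"
    fi
    return $status
}

# Usage: sh super_audit.sh /usr/bin/super /bin /usr/bin /sbin /usr/sbin
# Nothing runs when the file is sourced without arguments, so the functions
# can be reused from other scripts.
if [ $# -gt 0 ]; then
    target=$1; shift
    check_super "$target"
    if [ $# -gt 0 ]; then
        echo "setuid files under $*:"
        list_setuid "$@"
    fi
fi
```

Clearing the setuid bit is a stop-gap, not a fix: super cannot grant root at all while the bit is clear, and upgrading or reinstalling the package may set it again, so rerun the check after the upgrade to 3.11.7 and confirm both the version and the mode you expect.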

Internet Security Systems is the pioneer and leading provider of adaptive network security, delivering enterprise-wide information protection solutions. ISS's award-winning SAFEsuite family of products manages security risks and enhances end user confidence in intranet, extranet and electronic commerce environments. By combining proactive vulnerability detection with real-time intrusion detection and response, ISS's adaptive network security system creates a flexible cycle of continuous security improvement, including policy implementation and enforcement. This comprehensive approach to network security strengthens the security of existing systems and has dramatically improved the security posture for organisations worldwide, making ISS a critical, trusted security advisor for firms in the Global 2000, nine of the ten largest US commercial banks and over 35 governmental agencies. For more information about ISS in the UK, call +44 (0)1923 266023 or visit the ISS web site at http://www.iss.net.

Copyright (c) 1998 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please email xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.

*M2 COMMUNICATIONS DISCLAIMS ALL LIABILITY FOR INFORMATION PROVIDED WITHIN M2 PRESSWIRE. DATA SUPPLIED BY NAMED PARTY/PARTIES.*
