SUSE Security Announcement: Live CD 9.1 (SuSE-SA:2004:0)
Posted on: 05/07/2004 05:14 AM
An updated SUSE Live CD 9.1 is available
SuSE Security Announcement
Package: Live CD 9.1
Date: Thursday, May 6th 2004 22:30 MEST
Affected products: SUSE LINUX 9.1 Personal Edition Live CD
Vulnerability Type: remote root access
Severity (1-10): 8
SuSE default package: yes
Other affected systems: none
Content of this advisory:
1) security vulnerability resolved: Live CD 9.1
problem description, discussion, solution and upgrade informatio
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
1) problem description, brief discussion, solution, upgrade information
The freshly released SUSE LINUX 9.1 comes in two variants:
* SUSE LINUX 9.1 Professional (5 CD-ROMs, 2 double sided DVDs, printed manuals, for Intel i386 32Bit platform and 1 DVD for the AMD 64Bit platform)
* SUSE LINUX 9.1 Personal (2 CD-ROMs: 1 installable CD-ROM, 1 Live CD-ROM for running SUSE LINUX on your PC without actually installing the system.)
This SUSE Security Announcement targets the Live CD that comes with the SUSE LINUX 9.1 Personal edition. The Live CD can boot and run on any PC that has a CD-ROM drive, offering a convenient opportunity for users who want to try out SUSE Linux without any modification to the system that is installed on the computer. Similar CD-ROM iso images have been available for download from our ftp server with each release of the SUSE LINUX home user product for years. Upon boot, the Live CD will automatically configure a network card if one has been detected. It requires user interaction for dialup network access. A configuration error on the Live CD allows for a passwordless, remote root login to the system via ssh, if the computer has booted from the Live CD and if it is connected to a network. Since the CD-ROM is a read-only medium by definition, there is no solution for this error that would be persistent over a reboot from the Live CD. Manually killing all running instances of the secure shell daemon ("killall sshd" as root) after each boot cures the problem, while still exposing the vulnerability in the time window between startup and the killing of the sshd process. It is a policy for a fresh install of SUSE LINUX products to enable the user to log on to the system using secure shell (ssh). During the installation of the system, the user is prompted for a root password. The Live CD does not install any system on a medium and therefore does not ask for a root password. By consequence, passwordless logins should be denied on the system, regardless of whether the account in question is the super user account or not. The Live CD 9.1 suffers from this misconfiguration. Our permanent fix for the vulnerability is to download the iso image of the fixed Live CD 9.1 from the URL as listed below and to burn it on a CD-R using a CD-burner and the software that comes with the SUSE LINUX 9.1 Personal or Professional (cdrecord, k3b). The new image still runs a secure shell daemon for remote login, but it does not allow remote logins on a zero-length password account, and it denies remote root login attempts, independently from the password.
We thank Patrick Kranefeld and Fabian Franz who have reported the configuration neglectfulness on the SUSE LINUX 9.1 Live CD to SUSE Security.
Image authenticity verification:
The file LiveCD-9.1-01.iso has a length of 706349056 bytes. If you run the command "md5sum LiveCD-9.1-01.iso" after you have downloaded the file, the md5sum command should print the following md5sum:
This md5 sum is also contained in the file MD5SUMS in the same directory as the LiveCD-9.1-01.iso file. Its signature (by email@example.com) is contained in the file MD5SUMS.sig. The download location: ftp://ftp.suse.com/pub/suse/i386/live-cd-9.1/LiveCD-9.1-01.iso
A note: Please use a mirror for downloading the SUSE LINUX 9.1 Live CD. Mirrors close to you can be found at http://www.suse.com/us/private/download/ftp/int_mirrors.html
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
New canna packages are available on our ftp servers, fixing tmp race
A buffer overflow in the SOCKS5 code of the XChat program has been
fixed. New packages are available on our ftp servers.
The tcpdump program contained a remote DoS condition in its ISAKMP
packet handling (CAN-2004-0183 and CAN-2004-0184).
Fixed packages are available on our ftp servers.
A buffer overflow in the header parsing routines of lha has been fixed.
Additionally lha did not properly handle pathnames within archives
(CAN-2004-0234 and CAN-2004-0235).
Fixed packages are available on our ftp servers.
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and importan
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in th
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key firstname.lastname@example.org),
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticit
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
a) gpg is installed
b) The package is signed using a certain key. The public part of th
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "email@example.com" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the toplevel directory of the first CD (pubring.gpg
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SuSE runs two security mailing lists to which any interested party may
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list.
To subscribe, send an email to
For general information or the frequently asked questions (faq)
send mail to:
SuSE's security contact is firstname.lastname@example.org or email@example.com. The firstname.lastname@example.org public key is listed below.
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.