An updated SUSE Live CD 9.1 is available

______________________________________________________________________________

SuSE Security Announcement

Package: Live CD 9.1
Announcement-ID: SuSE-SA:2004:011
Date: Thursday, May 6th 2004 22:30 MEST
Affected products: SUSE LINUX 9.1 Personal Edition Live CD
Vulnerability Type: remote root access
Severity (1-10): 8
SuSE default package: yes
Other affected systems: none

Content of this advisory:
1) security vulnerability resolved: Live CD 9.1
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

The freshly released SUSE LINUX 9.1 comes in two variants:

* SUSE LINUX 9.1 Professional (5 CD-ROMs, 2 double sided DVDs, printed manuals, for Intel i386 32Bit platform and 1 DVD for the AMD 64Bit platform)
* SUSE LINUX 9.1 Personal (2 CD-ROMs: 1 installable CD-ROM, 1 Live CD-ROM for running SUSE LINUX on your PC without actually installing the system.)



This SUSE Security Announcement targets the Live CD that comes with the SUSE LINUX 9.1 Personal edition. The Live CD can boot and run on any PC that has a CD-ROM drive, offering a convenient opportunity for users who want to try out SUSE Linux without any modification to the system that is installed on the computer. Similar CD-ROM iso images have been available for download from our ftp server with each release of the SUSE LINUX home user product for years.

Upon boot, the Live CD will automatically configure a network card if one has been detected. It requires user interaction for dialup network access. A configuration error on the Live CD allows for a passwordless, remote root login to the system via ssh, if the computer has booted from the Live CD and if it is connected to a network.

Since the CD-ROM is a read-only medium by definition, there is no solution for this error that would be persistent over a reboot from the Live CD. Manually killing all running instances of the secure shell daemon ("killall sshd" as root) after each boot cures the problem, while still exposing the vulnerability in the time window between startup and the killing of the sshd process.

It is a policy for a fresh install of SUSE LINUX products to enable the user to log on to the system using secure shell (ssh). During the installation of the system, the user is prompted for a root password. The Live CD does not install any system on a medium and therefore does not ask for a root password. By consequence, passwordless logins should be denied on the system, regardless of whether the account in question is the super user account or not. The Live CD 9.1 suffers from this misconfiguration.

Our permanent fix for the vulnerability is to download the iso image of the fixed Live CD 9.1 from the URL as listed below and to burn it on a CD-R using a CD-burner and the software that comes with the SUSE LINUX 9.1 Personal or Professional (cdrecord, k3b). The new image still runs a secure shell daemon for remote login, but it does not allow remote logins on a zero-length password account, and it denies remote root login attempts, independently from the password.
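
One way to check a running system for the two conditions described above, as an added example that is not part of the SUSE advisory. PermitEmptyPasswords and PermitRootLogin are the OpenSSH sshd_config keywords assumed to govern them; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Checks the two properties the fixed image enforces:
# no login on zero-length passwords, no remote root login.

# effective_sshd_opt FILE KEYWORD DEFAULT
# Prints the value sshd would use from the global section: keywords are
# case-insensitive and the first occurrence wins.
effective_sshd_opt() {
    awk -v key="$2" -v def="$3" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # allow "Key=value"
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }                    # global section only
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# empty_password_accounts SHADOW_FILE
# Prints accounts whose password field (2nd field) has zero length.
empty_password_accounts() {
    awk -F: 'NF > 1 && $2 == "" { print $1 }' "$1"
}

# audit_ssh_login SSHD_CONFIG SHADOW_FILE -> exit status 0 only if both hold
audit_ssh_login() {
    rc=0
    empty=$(effective_sshd_opt "$1" PermitEmptyPasswords no)
    # Assumption: "prohibit-password" is the built-in default of current
    # OpenSSH; older releases defaulted to "yes".
    root=$(effective_sshd_opt "$1" PermitRootLogin prohibit-password)
    blank=$(empty_password_accounts "$2" | tr '\n' ' ')
    if [ "$empty" = yes ] && [ -n "$blank" ]; then
        echo "FAIL: zero-length password login allowed for: $blank"; rc=1
    fi
    if [ "$root" != no ]; then
        echo "FAIL: PermitRootLogin is '$root', expected 'no'"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not copied from either Live CD image).
d=$(mktemp -d)
printf 'PermitRootLogin yes\nPermitEmptyPasswords yes\n' > "$d/weak"
printf '#PermitRootLogin yes\nPermitRootLogin no\nPermitEmptyPasswords no\n' > "$d/fixed"
printf 'root::12544:0:99999:7:::\nlinux:!:12544:0:99999:7:::\n' > "$d/shadow"
audit_ssh_login "$d/weak" "$d/shadow" || echo "weak config rejected"
audit_ssh_login "$d/fixed" "$d/shadow" && echo "fixed config accepted"
```

On an installed system the same function can be pointed at /etc/ssh/sshd_config and /etc/shadow when run as root.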

We thank Patrick Kranefeld and Fabian Franz who have reported the configuration neglectfulness on the SUSE LINUX 9.1 Live CD to SUSE Security.

Image authenticity verification:
The file LiveCD-9.1-01.iso has a length of 706349056 bytes. If you run the command "md5sum LiveCD-9.1-01.iso" after you have downloaded the file, the md5sum command should print the following md5sum:

9f4ed1bc6b3ee582bf593fde75d5db43

This md5 sum is also contained in the file MD5SUMS in the same directory as the LiveCD-9.1-01.iso file. Its signature (by security@suse.de) is contained in the file MD5SUMS.sig. The download location:
ftp://ftp.suse.com/pub/suse/i386/live-cd-9.1/LiveCD-9.1-01.iso

A note: Please use a mirror for downloading the SUSE LINUX 9.1 Live CD. Mirrors close to you can be found at http://www.suse.com/us/private/download/ftp/int_mirrors.html
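
The image check described above, written out as an added example that is not part of the SUSE advisory. The length and md5 sum are the ones printed in this announcement; the function names and the small sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. EXPECTED_* are the values printed in the announcement.
EXPECTED_SIZE=706349056
EXPECTED_MD5=9f4ed1bc6b3ee582bf593fde75d5db43

# listed_md5 MD5SUMS NAME: print the checksum recorded for NAME.
# md5sum lines are "<hash>  <name>" (text) or "<hash> *<name>" (binary).
listed_md5() {
    awk -v n="$2" '{ f = $2; sub(/^\*/, "", f)
                     if (f == n) { print $1; exit } }' "$1"
}

# verify_image FILE SIZE MD5 [MD5SUMS]
# Returns 0 = match, 2 = wrong length, 3 = wrong checksum,
# 4 = the MD5SUMS entry disagrees with the announced checksum.
verify_image() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" = "$2" ] || { echo "length $size, expected $2"; return 2; }
    sum=$(md5sum "$1" | awk '{ print $1 }')
    [ "$sum" = "$3" ] || { echo "md5 $sum, expected $3"; return 3; }
    if [ -n "$4" ]; then
        [ "$(listed_md5 "$4" "$(basename "$1")")" = "$3" ] || return 4
    fi
    return 0
}

# For the real download, check the signature on MD5SUMS first:
#   gpg --verify MD5SUMS.sig MD5SUMS &&
#   verify_image LiveCD-9.1-01.iso "$EXPECTED_SIZE" "$EXPECTED_MD5" MD5SUMS

# Constructed stand-in for the image: a 3-byte file with a known md5 sum.
t=$(mktemp -d)
printf 'abc' > "$t/sample.iso"
printf '900150983cd24fb0d6963f7d28e17f72 *sample.iso\n' > "$t/MD5SUMS"
verify_image "$t/sample.iso" 3 900150983cd24fb0d6963f7d28e17f72 "$t/MD5SUMS" \
    && echo "sample image verified"
```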


______________________________________________________________________________

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

- canna
New canna packages are available on our ftp servers, fixing tmp race
conditions.


- xchat
A buffer overflow in the SOCKS5 code of the XChat program has been
fixed. New packages are available on our ftp servers.

- tcpdump
The tcpdump program contained a remote DoS condition in its ISAKMP
packet handling (CAN-2004-0183 and CAN-2004-0184).
Fixed packages are available on our ftp servers.

- lha
A buffer overflow in the header parsing routines of lha has been fixed.
Additionally lha did not properly handle pathnames within archives
(CAN-2004-0234 and CAN-2004-0235).
Fixed packages are available on our ftp servers.

______________________________________________________________________________

3) standard appendix: authenticity verification, additional information

- Package authenticity verification:

SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.

1) execute the command
md5sum
after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security@suse.de),
the checksums show proof of the authenticity of the package.
We recommend against subscribing to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.

2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig
to verify the signature of the package, where is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "build@suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the toplevel directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .


- SuSE runs two security mailing lists to which any interested party may
subscribe:

suse-security@suse.com
- general/linux/SuSE security discussion.

All SuSE security announcements are sent to this list.
To subscribe, send an email to

.

suse-security-announce@suse.com
- SuSE's announce-only mailing list.
Only SuSE's security announcements are sent to this list.
To subscribe, send an email to
suse-security-announce-subscribe@suse.com.

For general information or the frequently asked questions (faq)
send mail to:
suse-security-info@suse.com or
suse-security-faq@suse.com respectively.

=====================================================================
SuSE's security contact is security@suse.com or security@suse.de. The security@suse.de public key is listed below.
=====================================================================
______________________________________________________________________________

The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.