• LibClamAV Error : Clamd restart issue

    What is the issue?

    Today my team reported that our mail relay server was not working and they were not able to send e-mails via the test applications.
    When I checked the mail server I found more than 1000 mails in the queue and the mail server failing to send/deliver mails to recipients.
    On a detailed check it was found that the clamd service was down and I was not able to restart it. I was getting the following error:

    LibClamAV Error: mpool_malloc(): Attempt to allocate 8388608 bytes. Please report to http://bugs.clamav.net

    After some googling it was found that the issue was with the version of clamd we were using on our mail server. And the golden words I got from the ClamAV forum were as follows:

    "ClamAV 0.97.x is no longer supported. The current release of ClamAV is 0.99.2".

    How to fix this issue?

     1.  Download the latest version (0.99.2) of the clamd, clamav and clamav-db RPMs and update your mail server. (https://dl.fedoraproject.org/pub/epel/5/x86_64/)
     2.  Restart the freshclam and clamd services.


  • ImageMagick critical remote execution vulnerability – CVE-2016-3714

    What is ImageTragick? (CVE-2016-3714)

    In a vulnerable environment, ImageMagick commands allow remote code execution during conversion of several file formats.

    Which platforms are affected?

    As per Red Hat, RedHat 5, 6 and 7 platforms are affected by this vulnerability.

    How to check whether your platform is affected or not?

    Create a .mvg file with the following content and run the convert command as follows. If your platform is vulnerable, the convert command will be able to list the folder contents.

    # vi exploit.mvg
    push graphic-context
    viewbox 0 0 640 480
    fill 'url(https://example.com/image.jpg";|ls "-la)'
    pop graphic-context
    [root@host config]# convert exploit.mvg out1.png
    total 172
    drwxr-xr-x 2 root root  4096 May  5 04:52 .
    drwxr-xr-x 4 root root  4096 Jun  2  2014 ..
    -rw-r--r-- 1 root root  3447 Feb 10  2014 configure.xml
    -rw-r--r-- 1 root root 11041 Feb 10  2014 delegates.xml
    -rw-r--r-- 1 root root 46238 Jun 28  2009 english.xml
    -rw-r--r-- 1 root root 49251 Jun 28  2009 francais.xml
    -rw-r--r-- 1 root root  2403 Mar 24  2009 locale.xml
    -rw-r--r-- 1 root root   369 May  5 04:42 out1.png
    -rw-r--r-- 1 root root  1873 May  5 04:52 policy.xml
    -rw-r--r-- 1 root root  9727 Feb 10  2014 type-ghostscript.xml
    -rw-r--r-- 1 root root 13655 Feb 10  2014 type-windows.xml
    -rw-r--r-- 1 root root   671 Feb 10  2014 type.xml
    convert: unrecognized color `https://example.com/image.jpg"|ls "-la' @ color.c/GetColorInfo/965.
    convert: no decode delegate for this image format `/tmp/magick-XXoEao8j' @ constitute.c/ReadImage/537.
    convert: Non-conforming drawing primitive definition `fill' @ draw.c/DrawImage/3124.
    [root@host config]#

    How to fix this vulnerability?

    1. Upgrade your ImageMagick packages to 6.9.3-10 or 7.0.1-1 (as per the ImageMagick blog, this bug is patched and released in these versions: refer
    2. Apply the manual patch via the policy.xml file. Add additional policies to ImageMagick's policy.xml to disable processing of MVG, HTTPS, HTTP, URL, FTP, EPHEMERAL and MSL commands within image files.

    How to apply the manual patch via additional policies?

    Find the policy.xml file on your distribution and add the following lines to the <policymap> section of your policy.xml file.

    # vi policy.xml
    <policy domain="coder" rights="none" pattern="EPHEMERAL" />
    <policy domain="coder" rights="none" pattern="HTTPS" />
    <policy domain="coder" rights="none" pattern="HTTP" />
    <policy domain="coder" rights="none" pattern="URL" />
    <policy domain="coder" rights="none" pattern="FTP" />
    <policy domain="coder" rights="none" pattern="MVG" />
    <policy domain="coder" rights="none" pattern="MSL" />
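    A small checker for the policy.xml change above, added here as an example (it is not from this post or from ImageMagick): it parses a policy.xml document and reports which of the seven coder patterns are not yet set to rights="none". The two embedded documents are constructed samples, and matching is by exact pattern name, so brace or wildcard patterns are not expanded.

```python
import xml.etree.ElementTree as ET

# Coders that the post's policy.xml lines disable (the ImageTragick mitigation list).
REQUIRED_DISABLED = ["EPHEMERAL", "HTTPS", "HTTP", "URL", "FTP", "MVG", "MSL"]

# Constructed sample files (not taken from any real system): one unpatched, one patched.
POLICY_BEFORE = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="HTTP"/>
</policymap>
"""
POLICY_AFTER = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="FTP" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""

def disabled_coders(policy_xml):
    """Return the set of coder patterns whose rights are explicitly 'none'."""
    root = ET.fromstring(policy_xml)
    disabled = set()
    for policy in root.iter("policy"):
        if policy.get("domain", "").lower() != "coder":
            continue
        # Only an explicit rights="none" counts; exact names only (no glob expansion).
        if policy.get("rights", "").lower() == "none" and policy.get("pattern"):
            disabled.add(policy.get("pattern").upper())
    return disabled

def missing_mitigations(policy_xml):
    """Patterns from REQUIRED_DISABLED that the file does not block, in list order."""
    disabled = disabled_coders(policy_xml)
    return [p for p in REQUIRED_DISABLED if p not in disabled]

if __name__ == "__main__":
    for label, doc in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        gaps = missing_mitigations(doc)
        print(f"{label}: {'OK' if not gaps else 'still allowed: ' + ', '.join(gaps)}")
```

    To check a real file, read /etc/ImageMagick/policy.xml (path varies by distribution) and pass its text to missing_mitigations().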

    How to verify the fix?

    After updating the policy.xml file, re-run the ImageMagick convert command. If the fix is applied properly, the convert command will fail to list the directory.

    [root@host config]# convert exploit.mvg out2.png
    convert: not authorized `/tmp/exploit.mvg' @ constitute.c/ReadImage/425.
    convert: missing an image filename `out2.png' @ convert.c/ConvertImageCommand/2800.
    [root@host config]#


  • What is LogJam Attack ?

    What is LogJam Attack ?

    Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography.

    Who is affected?
    Websites, mail servers, and other TLS-dependent services that support DHE_EXPORT ciphers are at risk from the Logjam attack.

    How to prevent this on the application side?
    Update your application's ssl.conf file with the updated SSLCipherSuite and restart the service.

    1) Apache
    Disable support for SSLv2 and SSLv3 and enable support for TLS, and explicitly allow/disallow specific ciphers in the given order:
    SSLProtocol             all -SSLv2 -SSLv3
    SSLHonorCipherOrder     on
    2) Nginx
    ssl_prefer_server_ciphers on;
    3) Apache Tomcat  ( in server.xml)
    4) Postfix ( /etc/postfix/main.cf )
    smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
    5) Sendmail ( LOCAL_CONFIG section of your /etc/mail/sendmail.mc )


    Reference : https://weakdh.org

  • glibc GHOST vulnerability ( CVE-2015-0235 )

    What is glibc?
    The GNU C Library, or glibc, is an implementation of the standard C library and a core component of the Linux OS.

    What is the GHOST vulnerability?
    The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without any prior knowledge of system credentials. This bug is reported as CVE-2015-0235. Red Hat and CentOS are already ready with the fix and you can update your boxes to get the patched version.

    Why is it called GHOST?
    It is called the GHOST vulnerability because it can be triggered by the GetHOST functions (the gethostbyname*() set of functions).

    Are you safe?
    As per Red Hat and Qualys, most systems are vulnerable except those running glibc-2.17 and glibc-2.18.

    How to confirm whether you are safe or not?
    qualys.com provided a vulnerability scanning program to check this.

    ~]# rpm -qa | grep glibc
    ~]# rpm -qa | grep release

    ~]# /usr/bin/gcc ghost.c -o ghost
    ~]# ./ghost

    After updating to the patched version of glibc:
    ~]# yum upgrade glibc
    ~]# rpm -qa | grep glibc
    ~]# ./ghost
    not vulnerable

    ~]# cat ghost.c
    #include <netdb.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <errno.h>

    #define CANARY "in_the_coal_mine"

    /* A 1024-byte buffer followed by a canary: an overflow of the buffer clobbers the canary. */
    struct {
      char buffer[1024];
      char canary[sizeof(CANARY)];
    } temp = { "buffer", CANARY };

    int main(void) {
      struct hostent resbuf;
      struct hostent *result;
      int herrno;
      int retval;

      /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
      size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
      char name[sizeof(temp.buffer)];
      /* An all-digit name takes the numeric-address path where the miscalculated size lives. */
      memset(name, '0', len);
      name[len] = '\0';

      retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

      if (strcmp(temp.canary, CANARY) != 0) {
        puts("vulnerable");        /* canary overwritten: the buffer overflowed */
        exit(EXIT_SUCCESS);
      }
      if (retval == ERANGE) {
        puts("not vulnerable");    /* patched glibc correctly reports the buffer as too small */
        exit(EXIT_SUCCESS);
      }
      puts("should not happen");
      exit(EXIT_FAILURE);
    }


  • POODLE: SSLv3.0 vulnerability

    What is POODLE?

    POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

    How to fix?

    At present there is no patch for this bug, so admins need to manually disable SSLv3 on their servers.

    Disable SSLv3 – Apache

    1) Add "SSLProtocol All -SSLv2 -SSLv3" to httpd.conf

    2) Restart the apache service.

    Disable SSLv3 – Nginx

    1) Add "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" to nginx.conf under the ssl section.

    2) Restart the nginx service.

    Disable SSLv3 – PostFix

    1) Change smtpd_tls_mandatory_protocols to "smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3"

    2) Restart the postfix service.

    Disable SSLv3 – Weblogic

    Start weblogic with the following JVM option: "-Dweblogic.security.SSL.protocolVersion=TLS1"
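    The Apache, Nginx and Postfix settings recommended above for POODLE (SSLv3 off) and in the Logjam post (server cipher order) can be checked mechanically. This added example (not from this post or from weakdh.org) audits config fragments for both points; the fragments are constructed, and the defaults assumed for an absent directive are the conservative older ones noted in the comments.

```python
import re

# Constructed config fragments (not the post's servers): one weak and one hardened per daemon.
APACHE_WEAK = "SSLEngine on\nSSLProtocol all -SSLv2\n"
APACHE_FIXED = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\nSSLHonorCipherOrder on\n"
NGINX_WEAK = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
NGINX_FIXED = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_prefer_server_ciphers on;\n"
POSTFIX_WEAK = "smtpd_tls_mandatory_protocols = !SSLv2\n"
POSTFIX_FIXED = "smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3\n"

def _directive(text, name, sep=r"\s+"):
    """Value of the last uncommented `name` line (last one wins), or None if absent."""
    value = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        match = re.match(rf"{name}{sep}(.+)$", line, re.IGNORECASE)
        if match:
            value = match.group(1).strip()
    return value

def apache_findings(conf):
    findings = []
    sslv3 = False
    # An absent SSLProtocol is read as "all" (older Apache default), which includes SSLv3.
    for tok in (_directive(conf, "SSLProtocol") or "all").lower().split():
        if tok in ("all", "sslv3", "+sslv3"):
            sslv3 = True
        elif tok == "-sslv3":
            sslv3 = False
    if sslv3:
        findings.append("POODLE: SSLv3 still enabled, add -SSLv3 to SSLProtocol")
    if (_directive(conf, "SSLHonorCipherOrder") or "off").lower() != "on":
        findings.append("Logjam: SSLHonorCipherOrder is not on")
    return findings

def nginx_findings(conf):
    findings = []
    protos = _directive(conf, "ssl_protocols")
    # nginx before 1.9.1 defaulted to "SSLv3 TLSv1 TLSv1.1 TLSv1.2", so absent counts as enabled.
    if protos is None or "sslv3" in protos.lower().split():
        findings.append("POODLE: SSLv3 still enabled, remove it from ssl_protocols")
    if (_directive(conf, "ssl_prefer_server_ciphers") or "off").lower() != "on":
        findings.append("Logjam: ssl_prefer_server_ciphers is not on")
    return findings

def postfix_findings(conf):
    value = _directive(conf, "smtpd_tls_mandatory_protocols", sep=r"\s*=\s*") or ""
    tokens = [t.lower() for t in re.split(r"[,\s]+", value) if t]
    if any(t.startswith("!") for t in tokens):  # exclusion form, e.g. !SSLv2,!SSLv3
        sslv3 = "!sslv3" not in tokens
    else:  # inclusion form, e.g. TLSv1,TLSv1.1; absent = older default of !SSLv2 only
        sslv3 = not tokens or "sslv3" in tokens
    return ["POODLE: SSLv3 allowed for mandatory TLS, set !SSLv2,!SSLv3"] if sslv3 else []
```

    Feed each function the text of the matching config file; an empty list means both checks pass for that daemon.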

    How to diagnose?

    # openssl s_client -connect localhost:443 -ssl3

    ==> If you have already disabled SSLv3, the output will be as follows:

    20888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
    20888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

    ==> If you have not disabled SSLv3 and you get output like the following, then your server is vulnerable to POODLE!

    depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
    verify return:1

    Certificate chain
     0 s:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
       i:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]




  • CentOs Fix for Bash Bug ( CVE-2014-6271 & CVE-2014-7169 )

    After a couple of days of trouble, today we got a fix from CentOS for the now-famous bash security issue (for the known loopholes
    CVE-2014-6271 & CVE-2014-7169).

    CentOS 5 Fix  :-

    * i386:
    ( sha256sum ) 9755e86ad8536c908f95340be308190b52989bfa0d9268a461c40a3f0d493bc7  :  bash-3.2-33.el5_10.4.i386.rpm

    * x86_64:
    ( sha256sum) b1e14edd0d675c6fb0be64cb875fbd9fac208a58e427ea32f373c9359b35642c   :  bash-3.2-33.el5_10.4.x86_64.rpm

    CentOS 6 Fix :-

    * x86_64:


    * i386:


    Test Output :-

    [root@ ~]# rpm -qa | grep bash

    [root@ ~]# env X='() { (a)= >\' bash -c "echo date";
    bash: X: line 0: syntax error near unexpected token `='
    bash: X: line 0: `X () { (a)= >\'
    bash: error importing function definition for `X'
    [root@ ~]#

    * After updating to the latest bash rpm:

    [root@ ~]# rpm -qa | grep bash
    [root@ ~]#

    [root@ ~]# env X='() { (a)= >\' bash -c "echo date";
    [root@ ~]#




  • Again Bash !!! ( CVE-2014-7169 )


    Note : CentOS Fix for CVE-2014-7169 

    Red Hat announced that the fix for CVE-2014-6271 is incomplete and reported a new one, CVE-2014-7169.

    As per the latest update they are working on a patch for CVE-2014-7169.

    People are able to reproduce the bug as follows:

    /]$ rpm -qa | grep bash

    bash-4.1.2-15.el6_5.1.x86_64  (patched version)

    ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

    /]$ env X='() { (a)= >\' bash -c "echo date"; cat echo
    bash: X: line 0: syntax error near unexpected token `='
    bash: X: line 0: `X () { (a)= >\'
    bash: error importing function definition for `X'
    cat: echo: No such file or directory

    /]$ env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("
    bash: X: line 1: syntax error near unexpected token `='
    bash: X: line 1: `'
    bash: error importing function definition for `X'
    bash: echo: Permission denied
    cat: echo: No such file or directory

    Waiting for the patch from Red Hat.



  • Serious Bug with BASH ( CVE-2014-6271 )


    Note : Red Hat has stated that this patch is incomplete and they are working on a new one at the moment (CVE-2014-7169). Refer to the CVE-2014-7169 post for the details.

    Affected platforms :-

    Red Hat Enterprise Linux 4 (ELS)/ 5 / 6 /7
    CentOs 5/6/7

    How to test whether your version of Bash is vulnerable to this issue?

    [root@]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    this is a test

    Resolution :-

    This issue affects all software that uses the Bash shell and parses values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.

    In order to avoid exploitation of CVE-2014-6271, ensure that your system is updated to at least the versions of Bash listed below.

    # yum update bash

    Fix for CentOs platforms

    Centos 5

    bash-3.2-33.el5.1.i386.rpm / bash-3.2-33.el5.1.x86_64.rpm

    Centos 6
    bash-4.1.2-15.el6_5.1.i686.rpm / bash-4.1.2-15.el6_5.1.x86_64.rpm

    Note : It is always better to reboot your machine after upgrading to the latest bash package. If it is a production-critical machine and a quick reboot is not possible, then run "/sbin/ldconfig".

    How to make sure your machine/server is secure after the package update?

    Run the above command again:

    [root@]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test







  • Serious bug with openssl : Heartbleed !!!

    Yesterday a Google security engineer (thanks to Neel Mehta of Google Security for discovering the bug) reported a serious bug in current OpenSSL: a TLS heartbeat read overrun (CVE-2014-0160).

    As per OpenSSL, only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. It is advised to upgrade to OpenSSL 1.0.1g (https://www.openssl.org/source/openssl-1.0.1g.tar.gz) to fix this issue, or to recompile affected versions with the option -DOPENSSL_NO_HEARTBEATS.

    You may need to recompile other services that link against OpenSSL, such as Apache, nginx, PHP etc. It is also better to renew your SSL certificates (private keys may have been exposed) to make sure everything is safe.

    How to check whether your server/website is affected or not?







  • MySql Replication over SSL


    Scenario : Set up MySQL master-slave replication over SSL

    Master  Server  :   

    Slave  Server    :

    Confirm that your MySQL server is compiled with SSL support using the following command:

    # mysql -u root -p

    mysql> show variables like '%ssl%';

    If you get output something like the following, then MySQL is compiled to support SSL connections:

    mysql> show variables like '%ssl%';

    | have_openssl | DISABLED |

    | have_ssl     | DISABLED |

    The above shows that MySQL is compiled with SSL support but it is not enabled in the configuration.

    Create Certificates

    # cd /var/lib/mysql

    # mkdir ssl

    >>> Create CA Certificate

    # openssl genrsa 2048 > ca-key.pem
    # openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

    >>> Create Server Certificate

    # openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
    # openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

    >>> Create Client Certificate

    # openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
    # openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

    Copy the CA certificate and the client certificate and key to the slave server:

    # scp ca-cert.pem client-cert.pem client-key.pem root@<slave-ip>:/var/lib/mysql/ssl

    Master Side configuration

    #  vi /etc/my.cnf

    #bind-address =
    server-id = 1
    log_bin = /var/lib/mysql/mysql-bin.log

    Note that the server id must be unique; here, for the master, it is 1.

    Restart MySQL and confirm that the SSL values now show properly in "mysql> show variables like '%ssl%';"

    # mysql -u root -p

    GRANT all privileges ON *.* TO replication@'' IDENTIFIED BY 'password' REQUIRE SSL;

    The replication account only needs the REPLICATION SLAVE privilege to do its job; ALL PRIVILEGES ON *.* grants it far more than it requires.

    Slave Side Configuration

    # vi /etc/my.cnf

    bind-address =

    Check the master status on the master node:

    mysql> show master status;

    +---------------+----------+--------------+------------------+
    | File          | Position | Binlog_do_db | Binlog_ignore_db |
    +---------------+----------+--------------+------------------+
    | mysql-bin.002 | 80600    | mydatabase   |                  |
    +---------------+----------+--------------+------------------+


    Update the log file and position on the slave (the certificate paths must match where the files were copied, /var/lib/mysql/ssl):

    mysql> STOP SLAVE;

    mysql> CHANGE MASTER TO MASTER_HOST='', MASTER_USER='replication', MASTER_PASSWORD='password', MASTER_LOG_FILE='mysql-bin.002', MASTER_LOG_POS=80600, MASTER_SSL=1, MASTER_SSL_CA='/var/lib/mysql/ssl/ca-cert.pem', MASTER_SSL_CERT='/var/lib/mysql/ssl/client-cert.pem', MASTER_SSL_KEY='/var/lib/mysql/ssl/client-key.pem';

    mysql> START SLAVE;

    mysql> SHOW SLAVE STATUS \G

    *************************** 1. row ***************************
    Slave_IO_State: Waiting for master to send event
    Master_User: replication
    Master_Port: 3306
    Connect_Retry: 60
    Master_Log_File: mysql-bin.000003
    Read_Master_Log_Pos: 12345100
    Relay_Log_File: mysql-relay-bin.000002
    Relay_Log_Pos: 11381900
    Relay_Master_Log_File: mysql-bin.000003
    Slave_IO_Running: Yes
    Slave_SQL_Running: Yes
    Replicate_Do_DB: mydatabase

    The Slave_IO_Running and Slave_SQL_Running lines above both showing Yes confirm that replication is working from master to slave.
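    To turn the SHOW SLAVE STATUS check above into something scriptable, here is an added example (not from this post or from MySQL) that parses the vertical \G output and flags a stopped IO or SQL thread, a master connection that is not using SSL, or excessive lag. The embedded status text is constructed; it assumes the Master_SSL_Allowed and Seconds_Behind_Master fields are present, as they are in real SHOW SLAVE STATUS output.

```python
import re

# Constructed SHOW SLAVE STATUS\G output (not the post's server). Master_SSL_Allowed and
# Seconds_Behind_Master are real columns, added here to cover the SSL and lag checks.
SAMPLE_STATUS = """*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_User: replication
                  Master_Port: 3306
              Master_Log_File: mysql-bin.000003
          Read_Master_Log_Pos: 12345100
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
              Replicate_Do_DB: mydatabase
                   Last_Error:
        Seconds_Behind_Master: 0
           Master_SSL_Allowed: Yes
"""

def parse_status_g(text):
    """Turn the vertical (\\G) output into a dict of field -> value."""
    fields = {}
    for line in text.splitlines():
        match = re.match(r"\s*(\w+):\s?(.*)$", line)
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields

def replication_problems(text, max_lag=60):
    """Return a list of problems; an empty list means replication over SSL looks healthy."""
    f = parse_status_g(text)
    problems = []
    if f.get("Slave_IO_Running") != "Yes":
        problems.append("IO thread not running (check credentials, MASTER_HOST or the SSL file paths)")
    if f.get("Slave_SQL_Running") != "Yes":
        problems.append("SQL thread not running: " + (f.get("Last_Error") or "no error text"))
    if f.get("Master_SSL_Allowed") != "Yes":
        problems.append("connection to master is not using SSL (MASTER_SSL=1 missing?)")
    lag = f.get("Seconds_Behind_Master", "")
    if not lag.isdigit() or int(lag) > max_lag:
        problems.append(f"replication lag unknown or above {max_lag}s: {lag or 'NULL'}")
    return problems

if __name__ == "__main__":
    # Replace SAMPLE_STATUS with the real output, e.g. from: mysql -e 'SHOW SLAVE STATUS\G'
    print(replication_problems(SAMPLE_STATUS) or "replication over SSL is healthy")
```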