Security
Fingerprint recognition using fprint
Fingerprint scanners are becoming more commonplace, especially on laptops, to add a layer of biometric authentication. Linux support for these devices has been somewhat varied, with each scanner model supported by its own driver and API, or not supported at all. In addition, a number of the drivers are closed source, something that should worry anyone installing security software. The fprint project aims to change that by providing a standardized API for as many different scanners as it can.
Born out of a Computer Science academic project for founder Daniel Drake, fprint was released this month under the LGPL. Unlike other scanner projects, fprint is not targeted at a specific device; it supports quite a few using a half-dozen or so different drivers. The drivers, as the name would imply, handle the low-level details of talking to the devices using libusb.
Fingerprint scanners all work differently; some process the image of the print internally, while others present the image to the driver. In order to have a standard API, regardless of the scanner used, the libfprint library handles those differences internally. If required, it uses image processing code from the US National Institute of Standards and Technology that is specifically designed for fingerprint matching.
In order to use fingerprints for authentication, there must be a training or enrollment mode where the scanned fingerprint is stored away for later use. Once that has been done, fingerprints can be verified for a particular user. fprint does not yet support identification mode, where an unknown finger is scanned and a database of stored prints is checked for a match. The current code requires a username or other identifier, comparing the print stored for that user with the one scanned.
Because it handles multiple devices, there could be occasions where there is a print stored for a particular user, but it was scanned with a different device. Some fprint drivers can handle multiple similar scanners, so libfprint distinguishes between them using a device type assigned by the driver. It tags each stored print with the driver ID as well as the device type; to be comparable, two prints must have come from the same driver with the same device type.
Application writers do not want to interface with multiple different library APIs to support fingerprint authentication, so the libfprint API provides a single interface for applications. All phases of dealing with the scanners are available through the API: device discovery, print enrollment, print discovery, and verification. In addition, pam_fprint integrates with Pluggable Authentication Modules (PAM) to handle logging in via fingerprint instead of password.
There are other projects out there solving similar problems, but none seems to have taken the big picture view that fprint has. The Debian FingerForce team has gathered a list of Linux fingerprint scanning solutions, most of which are specific to a particular scanner or family of scanners. BioAPI also tries to abstract away the specifics of biometric authentication, but it is not a free standard.
By trying to support as many scanners as it can while providing a generic interface, fprint seems to have the right approach to fingerprint authentication. There is still plenty to be worked on (fingerprint data is currently stored unencrypted, for example), but the approach seems sound. For anyone with a scanner on their laptop, or a USB version that they carry around, applications supporting fprint will be very welcome. Anyone creating software that is interested in supporting fingerprint authentication will definitely want to give fprint a look.
Brief items
Wordpress Cookie Authentication Vulnerability
A Wordpress cookie vulnerability exploit is floating around in the wild according to the advisory (Full Story link below). Anyone who has (or can get) access to the wp_users table can authenticate as any user, including the administrative user. Passwords are stored in the table as MD5 hashes, but the cookies contain the MD5 of that value (i.e. a double MD5 of the password). Attackers just need to provide the MD5 of the value they find in the database in a cookie to be authenticated as that user. There is no patch and there are no very satisfactory workarounds other than changing every user password and ensuring that no one can access the database after that.
Schneier: The Strange Story of Dual_EC_DRBG
Bruce Schneier has posted an interesting look at a U.S. random number generator standard. "What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG."
Google as a password cracker (Light Blue Touchpaper)
Light Blue Touchpaper covers a somewhat surprising use of Google to crack Wordpress passwords. Other passwords stored as hashed values without salt would also be vulnerable to this kind of search. "Instead, I asked Google. I found, for example, a genealogy page listing people with the surname 'Anthony', and an advert for a house, signing off 'Please Call for showing. Thank you, Anthony'. And indeed, the MD5 hash of 'Anthony' was the database entry for the attacker. I had discovered his password."
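The two Wordpress items above share one root cause: an unsalted MD5 of the password is a stable lookup key, and a cookie derived only from that stored value can be computed by anyone who can read the database. The following is an added illustration (not Wordpress code) of both failures next to the keyed and salted alternatives; the user row, the "public pages" lookup table and the server key are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a wp_users-style row whose password field is an
# unsalted MD5, as both items above describe.
USER = "admin"
STORED_MD5 = hashlib.md5(b"Anthony").hexdigest()

# Constructed stand-in for "asking Google": a tiny index of public pages
# keyed by the MD5 of the words on them. A search engine effectively
# builds the same table from every hash string people post.
PUBLIC_PAGES = {
    hashlib.md5(w.encode()).hexdigest(): w
    for w in ("Anthony", "genealogy", "showing")
}

def lookup_unsalted(md5_hex):
    """An unsalted MD5 is deterministic: one lookup recovers the password."""
    return PUBLIC_PAGES.get(md5_hex)

def legacy_cookie(stored_hash):
    """Cookie value computed only from the database field (double MD5).
    Whoever can read the table can compute it, so it proves nothing."""
    return hashlib.md5(stored_hash.encode()).hexdigest()

def keyed_cookie(user, stored_hash, server_key):
    """Mitigation sketch: bind the cookie to a secret that is not in the
    database; a database reader without server_key cannot produce it."""
    msg = f"{user}|{stored_hash}".encode()
    return hmac.new(server_key, msg, "sha256").hexdigest()

def cookie_is_valid(user, stored_hash, server_key, presented):
    """Constant-time comparison of the presented cookie with the keyed one."""
    return hmac.compare_digest(keyed_cookie(user, stored_hash, server_key), presented)

def salted_hash(password, salt=None):
    """Per-user salt makes equal passwords hash differently, so a public
    table of hash(word) no longer maps back to the password."""
    salt = salt or secrets.token_hex(8)
    return salt, hashlib.sha256(salt.encode() + password.encode()).hexdigest()
```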
New vulnerabilities
apache2: denial of service
Package(s): apache2
CVE #(s): CVE-2007-1863
Created: November 19, 2007
Updated: February 18, 2008
Description: From the CVE entry: cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value.
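The crash above comes from reading a directive's value when the client sent none. As an added example (not httpd's code), this Cache-Control parser keeps "present but valueless" distinct from a numeric value, so a caller asks for the number and gets None instead of dereferencing a missing field; the sample headers are constructed.

```python
import re

# Directives that are supposed to carry a delta-seconds number; max-stale
# may legitimately omit it, which is why callers must tolerate None.
_NUMERIC = {"max-age", "s-maxage", "min-fresh", "max-stale"}

def parse_cache_control(header):
    """Parse a Cache-Control header into {directive: value_or_None}.
    A directive with no '=value' maps to None rather than to an empty
    or missing slot that later code would index unchecked."""
    directives = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        directives[name] = value
    return directives

def freshness_seconds(directives, name):
    """Integer value of a numeric directive, or None when the value is
    absent or not a number. This is the presence check the vulnerable
    cache_util.c skipped for the four directives named in the entry."""
    value = directives.get(name)
    if value is None or not re.fullmatch(r"\d+", value):
        return None
    return int(value)

def valueless_numeric(directives):
    """Names of numeric directives present without a usable number;
    useful for logging odd requests rather than crashing on them."""
    return sorted(n for n in _NUMERIC
                  if n in directives and freshness_seconds(directives, n) is None)

# Constructed samples: one normal header and the four valueless forms.
SAMPLE_HEADERS = ["max-age=300, public", "s-maxage", "max-age", "min-fresh", "max-stale"]
```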
bochs: denial of service
Package(s): bochs
CVE #(s): CVE-2007-2894
Created: November 19, 2007
Updated: November 21, 2007
Description: From the CVE entry: The emulated floppy disk controller in Bochs 2.3 allows local users of the guest operating system to cause a denial of service (virtual machine crash) via unspecified vectors, resulting in a divide-by-zero error.
mailman: error log spoof
Package(s): mailman
CVE #(s): CVE-2006-4624
Created: November 15, 2007
Updated: November 21, 2007
Description: The Mailman mailing list manager is vulnerable to log file spoofing. A remote attacker can insert carriage return/line feed sequences, causing invalid error log messages to be recorded. This makes it possible to trick the administrator into visiting malicious URLs.
MySQL: denial of service
Package(s): mysql
CVE #(s): CVE-2007-5925
Created: November 19, 2007
Updated: February 8, 2008
Description: From the CVE entry: The convert_search_mode_to_innobase function in ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows remote authenticated users to cause a denial of service (database crash) via a certain CONTAINS operation on an indexed column, which triggers an assertion error.
net-snmp: denial of service
Package(s): net-snmp
CVE #(s): CVE-2007-5846
Created: November 16, 2007
Updated: February 7, 2008
Description: A flaw was discovered in the way net-snmp handled certain requests. A remote attacker who can connect to the snmpd UDP port (161 by default) could send a malicious packet causing snmpd to crash, resulting in a denial of service.
openssh: log file corruption
Package(s): openssh
CVE #(s): CVE-2007-3102
Created: November 15, 2007
Updated: November 21, 2007
Description: The ssh server can incorrectly write account names to the audit subsystem. A remote attacker can inject strings with parts of audit messages in order to corrupt logs. This can mislead administrators and confuse log parsing tools.
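The Mailman and OpenSSH entries above are the same bug class: an attacker-chosen string (a list name, an account name) reaches a log record with its CR/LF intact and starts a fake record. The following added example (not code from either project) shows the write-time fix, escaping control characters before the field enters the record, plus a heuristic check for an existing LF-delimited log; the account name and log excerpt are constructed.

```python
import re

# Control characters that can end a log record early or hide part of it.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")

def sanitize_for_log(field, max_len=128):
    """Escape untrusted text before it enters a log line: CR, LF and other
    control characters become visible \\xNN escapes, so the value cannot
    terminate the record and begin a forged one. Overlong input is cut."""
    escaped = _CTRL.sub(lambda m: "\\x%02x" % ord(m.group()), field)
    if len(escaped) > max_len:
        escaped = escaped[:max_len] + "[truncated]"
    return escaped

def audit_line(event, user):
    """One-line audit record with the account name sanitized, the step the
    ssh server in the entry above skipped when writing account names."""
    return f"{event} user={sanitize_for_log(user)}"

def records_with_bare_cr(raw_log):
    """Heuristic for an existing LF-delimited log: a record that still
    holds a carriage return usually means a CR/LF pair was injected into
    a field (the Mailman case). Bare-LF injection cannot be told apart
    after the fact, which is why sanitizing at write time is the fix."""
    return [rec for rec in raw_log.split("\n") if "\r" in rec]

# Constructed sample: an account name carrying CR/LF and a log excerpt in
# which it was written unsanitized (both constructed for this example).
CONSTRUCTED_USER = "alice\r\nsshd[123]: Accepted publickey for admin"
CONSTRUCTED_LOG = (
    "sshd[100]: Failed password for invalid user " + CONSTRUCTED_USER + "\n"
    "mailman[200]: error: list not found\n"
)
```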
pcre: CVE consolidation
Package(s): pcre
CVE #(s): CVE-2005-4872 CVE-2006-7227 CVE-2006-7224
Created: November 15, 2007
Updated: May 13, 2008
Description: PCRE has flaws in the way it handles malformed regular expressions. If an application linked against PCRE, such as Konqueror, encounters a maliciously created regular expression, it may be possible to run arbitrary code. Vulnerabilities CVE-2005-4872 and CVE-2006-7227 have been combined into CVE-2006-7224.
php5: multiple vulnerabilities
Package(s): php5
CVE #(s): CVE-2007-4783 CVE-2007-4840 CVE-2007-5898 CVE-2007-5899 CVE-2007-5900
Created: November 20, 2007
Updated: January 18, 2010
Description: The php5 package contains multiple vulnerabilities, the most serious of which involve several Denial of Service attacks (application crashes and temporary application hangs). It is not currently known that these vulnerabilities can be exploited to execute malicious code.
php-pear-MDB2: URL injection
Package(s): php-pear-MDB2-Driver-mysql
CVE #(s): CVE-2007-5934
Created: November 16, 2007
Updated: December 10, 2007
Description: The PEAR MDB2 in versions prior to 2.5.0a1 can interpret a request to store a URL string as a request to retrieve and store the contents of the URL. This can allow remote attackers to obtain information by inserting a URL in a form field in an MDB2 application.
pioneers: denial of service
Package(s): pioneers
CVE #(s): CVE-2007-5933
Created: November 15, 2007
Updated: November 30, 2007
Description: Bas Wijnen discovered a vulnerability in the Pioneers server. Session objects may be freed while in use, allowing unauthorized memory access. A remote attacker can use this to cause a denial of service.
rails: multiple vulnerabilities
Package(s): rails
CVE #(s): CVE-2007-5380 CVE-2007-3227 CVE-2007-5379
Created: November 15, 2007
Updated: December 21, 2009
Description: Ruby on Rails has the following vulnerabilities: ActiveResource does not properly sanitize filenames in the Hash.from_xml() function. The session management allows the session_id to be set from the URL. The to_json() function does not properly sanitize input before it is returned to the user.
samba: buffer overflow
Package(s): samba
CVE #(s): CVE-2007-5398
Created: November 15, 2007
Updated: December 3, 2008
Description: Samba's mechanism for creating NetBIOS replies is vulnerable to a buffer overflow. Samba servers that are configured to run as a WINS server can be crashed by a remote unauthenticated user; execution of arbitrary code may also be possible.
samba: buffer overflow
Package(s): samba
CVE #(s): CVE-2007-4572
Created: November 15, 2007
Updated: December 3, 2008
Description: The Samba user authentication is vulnerable to a heap-based buffer overflow. Remote unauthenticated users can use this to crash the Samba server and cause a denial of service.
teTeX: multiple vulnerabilities
Package(s): tetex
CVE #(s): CVE-2007-5937 CVE-2007-5936 CVE-2007-5935
Created: November 19, 2007
Updated: May 10, 2010
Description: From the Gentoo advisory: Joachim Schrod discovered several buffer overflow vulnerabilities and an insecure temporary file creation in the "dvilj" application that is used by dvips to convert DVI files to printer formats (CVE-2007-5937, CVE-2007-5936). Bastien Roucaries reported that the "dvips" application is vulnerable to two stack-based buffer overflows when processing DVI documents with long \href{} URIs (CVE-2007-5935). teTeX also includes code from Xpdf that is vulnerable to a memory corruption and two heap-based buffer overflows (GLSA 200711-22); and it contains code from T1Lib that is vulnerable to a buffer overflow when processing an overly long font filename (GLSA 200710-12).
tomcat: arbitrary file disclosure via path traversal
Package(s): tomcat5
CVE #(s): CVE-2007-5461
Created: November 19, 2007
Updated: February 17, 2009
Description: From the CVE entry: Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
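The Tomcat entry above is an XML external entity problem: the WebDAV body declares an entity with a SYSTEM identifier and the server resolves it from its own filesystem. As an added example (not Tomcat's code), the parser below refuses any entity declaration that points outside the document before a single reference is resolved; the two request bodies are constructed and the SYSTEM path is a placeholder.

```python
import xml.parsers.expat

class ExternalEntityError(ValueError):
    """Raised when a document declares an entity that points outside it."""

def parse_untrusted_xml(data):
    """Parse XML from an untrusted client, refusing external entities.
    Returns {tag: text} for the elements seen. Illustration of the guard
    only; the real WebDAV servlet has far more to do."""
    parser = xml.parsers.expat.ParserCreate()
    result, stack = {}, []

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # A SYSTEM or PUBLIC identifier means "fetch this from elsewhere":
        # a file path or URL the server would read on the client's behalf.
        if system_id is not None or public_id is not None:
            raise ExternalEntityError(f"external entity {name!r} -> {system_id!r}")

    def external_ref(context, base, system_id, public_id):
        # Defence in depth: returning 0 makes expat abort the parse
        # should a reference ever reach this point.
        return 0

    def start(tag, attrs):
        stack.append(tag)
        result.setdefault(tag, "")

    def chars(text):
        if stack:
            result[stack[-1]] += text

    def end(tag):
        stack.pop()

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return result

# Constructed samples: a harmless PROPFIND-style body and one declaring an
# external entity of the kind the entry describes (placeholder path).
SAFE_BODY = b"<propfind><prop><displayname>notes</displayname></prop></propfind>"
HOSTILE_BODY = (b'<!DOCTYPE propfind [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret">]>'
                b"<propfind><prop><displayname>&ext;</displayname></prop></propfind>")
```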
VMware: unspecified vulnerability
Package(s): VMware
CVE #(s): CVE-2007-5617
Created: November 19, 2007
Updated: November 21, 2007
Description: From the CVE entry: Unspecified vulnerability in VMware Player 1.0.x before 1.0.5 and 2.0 before 2.0.1, and Workstation 5.x before 5.5.5 and 6.x before 6.0.1, prevents it from launching, which has unspecified impact, related to untrusted virtual machine images.
vmware-player-kernel: several vulnerabilities
Package(s): linux-restricted-modules-2.6.17/20, vmware-player-kernel-2.6.15
CVE #(s): CVE-2007-0061 CVE-2007-0062 CVE-2007-0063 CVE-2007-4496 CVE-2007-4497
Created: November 16, 2007
Updated: March 13, 2009
Description: Neel Mehta and Ryan Smith discovered that the VMWare Player DHCP server did not correctly handle certain packet structures. Remote attackers could send specially crafted packets and gain root privileges. (CVE-2007-0061, CVE-2007-0062, CVE-2007-0063)
Rafal Wojtczvk discovered multiple memory corruption issues in VMWare Player. Attackers with administrative privileges in a guest operating system could cause a denial of service or possibly execute arbitrary code on the host operating system. (CVE-2007-4496, CVE-2007-4497)
Page editor: Jake Edge