
Security

Debian vulnerability has widespread effects

By Jake Edge
May 14, 2008

The recent Debian advisory for OpenSSL could lead to predictable cryptographic keys being generated on affected systems. Unfortunately, because of the way keys are used, especially by ssh, this can lead to problems on systems that never installed the vulnerable library. In addition, because the OpenSSL library is used in a wide variety of services that require cryptography, a very large subset of security tools are affected. This is a wide-ranging vulnerability that affects a substantial fraction of Linux systems.

For a look at the chain of errors that led to the vulnerability, see our front page article. Here, we will concentrate on some of the details of the code, the impact of the vulnerability, and what to do about it.

Valgrind, an excellent tool for finding memory-related bugs, was run on an application that used the OpenSSL library. It complained about the library using uninitialized memory in two locations in crypto/rand/md_rand.c:

    247:
            MD_Update(&m,buf,j);

    467:
    #ifndef PURIFY
            MD_Update(&m,buf,j); /* purify complains */
    #endif

While the lines of code look remarkably similar (modulo the pre-processor directive), their actual effect is very different.

The first is contained in the ssleay_rand_add() function, which is normally called via the RAND_add() function. It adds the contents of the passed in buffer to the entropy pool of the pseudo-random number generator (PRNG). The other is contained in ssleay_rand_bytes(), normally called via RAND_bytes(), which is meant to return random bytes. It adds the contents of the passed in buffer—before filling it with random bytes to return—to the entropy pool as well. The major difference is that removing the latter might marginally reduce the entropy in the PRNG pool, while removing the former effectively stops any entropy from being added to the pool.

For both RAND_add() and RAND_bytes(), the buffer that gets passed in may not have been initialized. This was evidently known by the OpenSSL folks, but remained undocumented for others to trip over later. The "#ifndef PURIFY" is a clue that someone, at some point, tried to handle the same kind of problem that Valgrind was reporting for the similar, but proprietary, Purify tool. While it isn't necessarily wrong to add these uninitialized buffers to the PRNG pool, it is something that tools like Valgrind will rightly complain about. Since it is dubious whether it adds much in the way of entropy, while constituting a serious hazard for the uninitiated, some kind of documentation in the code would seem mandatory.
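To make the difference between the two MD_Update() calls concrete, here is an added toy model of a digest-mixing PRNG. It is not OpenSSL's code and does not reproduce the md_rand.c algorithm; the class name ToyMdRand, the skip_add flag (standing in for the removed call in ssleay_rand_add()) and the choice of a small process id as the only per-process input that still reaches the output are assumptions of this illustration. What it shows is the effect the article describes: once rand_add() stops folding caller data into the pool, the seed no longer matters and the number of possible outputs collapses to the size of whatever small input remains, which is the kind of bounded space the 256K-entry detector list exploits.

```python
import hashlib
import os

DIGEST_LEN = 20  # size of a SHA-1 digest; the pool here is one digest


class ToyMdRand:
    """Toy model of a digest-mixing PRNG in the spirit of md_rand.c.

    Added illustration only: the pool is a single digest, rand_add() folds
    caller-supplied data into it, and rand_bytes() derives output from the
    pool plus a per-process value (assumed here to be a small process id).
    """

    def __init__(self, pid, skip_add=False):
        self.state = bytes(DIGEST_LEN)  # empty pool
        self.pid = pid                  # assumption: the only surviving per-process input
        # skip_add models the removed MD_Update(&m, buf, j) in ssleay_rand_add():
        # when True, data handed to rand_add() never reaches the pool.
        self.skip_add = skip_add

    def rand_add(self, buf):
        """Mix buf into the pool (the RAND_add() path)."""
        m = hashlib.sha1()
        m.update(self.state)
        if not self.skip_add:
            m.update(buf)
        self.state = m.digest()

    def rand_bytes(self, n):
        """Return n output bytes derived from the pool (the RAND_bytes() path)."""
        out = b""
        while len(out) < n:
            m = hashlib.sha1()
            m.update(self.state)
            m.update(self.pid.to_bytes(4, "little"))
            m.update(len(out).to_bytes(4, "little"))
            block = m.digest()
            # advance the pool so successive calls differ
            self.state = hashlib.sha1(self.state + block).digest()
            out += block
        return out[:n]


def first_output(seed, pid, skip_add):
    """Seed a fresh PRNG with `seed` and return its first 16 output bytes."""
    prng = ToyMdRand(pid, skip_add)
    prng.rand_add(seed)
    return prng.rand_bytes(16)


def distinct_outputs(n_seeds, n_pids, skip_add):
    """Count distinct first outputs over n_seeds random seeds x n_pids pids.

    With rand_add() intact every seed yields a different stream, so the
    count is n_seeds * n_pids; with rand_add() neutered the seed is
    irrelevant and only n_pids distinct outputs remain.
    """
    seeds = [os.urandom(32) for _ in range(n_seeds)]  # constructed entropy
    return len({first_output(s, pid, skip_add)
                for s in seeds for pid in range(1, n_pids + 1)})


if __name__ == "__main__":
    print("rand_add intact,   16 seeds x 32 pids:", distinct_outputs(16, 32, False))
    print("rand_add neutered, 16 seeds x 32 pids:", distinct_outputs(16, 32, True))
```

The second line of output is the whole story of the advisory in miniature: with the mixing call gone, feeding 16 different 32-byte seeds changes nothing, and an auditor who can enumerate the residual input (here 32 values, in the real library roughly 2^18 according to the article) can enumerate every key the generator will ever produce.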

The major response from the OpenSSL team seems to be from core team member Ben Laurie's weblog, where he has a rant entitled "Vendors Are Bad For Security". In it, and its follow-up, he makes some good points about mistakes that were made, while seeming to be unwilling for OpenSSL to take any share of the blame.

The end result is that OpenSSL would create predictable random numbers, which would then result in predictable cryptographic keys. According to the advisory:

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.

A program that can detect some weak keys has also been released. It uses 256K hash values to detect the bad keys, which would imply 18 bits of entropy in the PRNG pool of vulnerable OpenSSL libraries. By using hashes of the keys in the detection program, the authors do not directly give away the key values that get generated, but it should not be difficult for an attacker to generate and use that list.

For affected Debian-derived systems, the cleanup is relatively straightforward, if painful. The SSLkeys page on the Debian wiki has specific information on how to remove weak keys along with how to generate new ones for a variety of services affected. Obviously, none of those steps should be taken until the OpenSSL package itself has been upgraded to a version that fixes the hole.

A bigger problem may be for those installations based on distributions that were not directly affected because they did not distribute the vulnerable OpenSSL library. Those machines may very well have weak keys installed in user accounts as ssh authorized_keys. A user who generated a key pair on some vulnerable host may have copied the public key to a host that was not vulnerable. This would allow an attacker to access the account of that user by brute forcing the key from the 256K possibilities.

Because of that danger, the Debian project suspended public key authentication on debian.org machines. In addition, all passwords were reset because of the possibility that an attacker could have captured them by decrypting the ssh traffic using one of the weak keys. One would guess that debian.org machines would have a higher incidence of weak keys, but any host that allows users to use ssh public key authentication is potentially at risk.

The weak key detector (dowkd) has some fairly serious limitations:

dowkd currently handles OpenSSH host and user keys and OpenVPN shared secrets, as long as they use default key lengths and have been created on a little-endian architecture (such as i386 or amd64). Note that the blacklist by dowkd may be incomplete; it is only intended as a quick check.

In order to ensure that there are no weak keys installed as public keys on other hosts, it may be necessary to remove all authorized_keys (and/or authorized_keys2) entries for all users. It may also be wise to set all passwords to something unknown. Until that is done, there still remains a chance that a weak key may allow access to an attacker. It is an unpleasant task that needs to be done for those who administer a multi-user system.
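For an administrator who would rather audit authorized_keys entries than blindly delete them all, here is an added example of the hash-and-blacklist approach the detector takes. It is not dowkd and not code from Debian or the article: the parser, the choice of the SHA-1 hex digest of the decoded key blob as the fingerprint, and the helper make_rsa_blob() are assumptions of this example, and the blacklist it checks against contains fingerprints of constructed, meaningless key blobs rather than real weak keys. The parser copes with the option prefixes (command="...", no-pty and so on) that appear in real authorized_keys files, skips comments, and rejects blobs whose embedded type string does not match the declared type, so a malformed line is reported as unparseable rather than silently passed as clean.

```python
import base64
import hashlib
import shlex
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")   # the OpenSSH key types of interest here


def key_fingerprint(blob):
    """Fingerprint used for blacklist lookup (assumption: SHA-1 hex of the raw blob)."""
    return hashlib.sha1(blob).hexdigest()


def parse_authorized_keys_line(line):
    """Return (key_type, blob, comment), or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line)      # handles quoted option values such as command="..."
    except ValueError:
        return None
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:          # binascii.Error is a ValueError
                return None
            if len(blob) < 4:
                return None
            # The blob begins with a length-prefixed type string that must match.
            (tlen,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + tlen] != tok.encode():
                return None
            return tok, blob, " ".join(tokens[i + 2:])
    return None


def find_blacklisted_keys(lines, blacklist):
    """Scan authorized_keys lines; return (lineno, type, fingerprint, comment) for hits."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        ktype, blob, comment = parsed
        fp = key_fingerprint(blob)
        if fp in blacklist:
            hits.append((lineno, ktype, fp, comment))
    return hits


# --- constructed sample data (not real keys, not the real blacklist) -------------

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_rsa_blob(e, n):
    """Build a syntactically valid ssh-rsa blob from toy integers (constructed, unusable)."""
    def mpint(x):
        return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    return _ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


WEAK_DEMO_BLOB = make_rsa_blob(65537, 0xC0FFEE)    # stands in for a blacklisted key
GOOD_DEMO_BLOB = make_rsa_blob(65537, 0xBADCAFE)   # stands in for a clean key

BLACKLIST = {key_fingerprint(WEAK_DEMO_BLOB)}      # constructed blacklist

SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample authorized_keys file",
    "ssh-rsa " + base64.b64encode(WEAK_DEMO_BLOB).decode() + " alice@laptop",
    'command="/usr/bin/rsync --server",no-pty ssh-rsa '
    + base64.b64encode(GOOD_DEMO_BLOB).decode() + " backup",
    "ssh-rsa notbase64!!! broken-entry",
]


if __name__ == "__main__":
    for lineno, ktype, fp, comment in find_blacklisted_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print("line %d: %s key %s (%s) is blacklisted" % (lineno, ktype, fp[:16], comment))
```

In use, the lines would come from each user's ~/.ssh/authorized_keys and the blacklist from a real fingerprint list; the function only reports matches, and the decision to remove a matching entry or to reset the account password, as the article recommends, stays with the administrator. Note that, exactly as the dowkd limitation quoted above warns, a blacklist can only ever find keys it knows about, so an empty result is not proof that an authorized_keys file is clean.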

Comments (31 posted)

Security news

Brute-Force SSH Server Attacks Surge (InformationWeek)

InformationWeek reports on an increase in attacks against SSH servers. "The paper focuses on the vulnerability of Linux systems to brute-force SSH attacks... 'Linux systems face a unique threat of compromise from brute-force attacks against SSH servers that may be running without the knowledge of system owners/operators. Many Linux distributions install the SSH service by default, some without the benefit of an effective firewall.'"

Comments (37 posted)

Mozilla ships a compromised extension

From the Mozilla security blog: "The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection, but does not contain the virus itself. This usually results in the user seeing unwanted ads, but may be used for more malicious actions. Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy." Presumably this is only an issue for Windows users, but it is still scary. More information can be found in bugzilla.

Comments (6 posted)

Cryptographic weakness on Debian systems

The Debian project has sent out an advisory stating that, due to a Debian-specific modification to the openssl package, cryptographic keys generated on affected systems may be guessable. "It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised." The project has disabled public key logins on its internal infrastructure in response.

Comments (111 posted)

Tech Insight: Finding & Prioritizing Web Application Vulnerabilities (Dark Reading)

Dark Reading analyzes web application vulnerabilities with an eye towards triage—choosing the right ones to address first. "While there are many Web application vulnerabilities, they aren't all the same. Each one may represent different levels of danger to different organizations, depending on the sensitivity of the data available through the site, user access privileges, and the accessibility of other internal systems from the Web and database servers."

Comments (none posted)

New vulnerabilities

bugzilla: multiple vulnerabilities

Package(s):bugzilla CVE #(s):CVE-2008-2103 CVE-2008-2105
Created:May 12, 2008 Updated:May 14, 2008
Description:

From the Red Hat bugzilla:

CVE-2008-2103: Cross-site scripting (XSS) vulnerability in Bugzilla 2.17.2 and later allows remote attackers to inject arbitrary web script or HTML via the id parameter to the "Format for Printing" view or "Long Format" bug list.

CVE-2008-2105: email_in.pl in Bugzilla 2.23.4, and later versions before 3.0, allows remote authenticated users to more easily spoof the changer of a bug via a @reporter command in the body of an e-mail message, which overrides the e-mail address as normally obtained from the From e-mail header. NOTE: since From headers are easily spoofed, this only crosses privilege boundaries in environments that provide additional verification of e-mail addresses.

Alerts:
Fedora FEDORA-2008-3488 2008-05-09
Fedora FEDORA-2008-3442 2008-05-09
Fedora FEDORA-2008-3668 2008-05-13

Comments (none posted)

cdf: buffer overflow

Package(s):cdf CVE #(s):CVE-2008-2080
Created:May 14, 2008 Updated:May 14, 2008
Description: Versions of the Common Data Format library prior to 3.2.1 suffer from a buffer overflow which could be exploitable via a specially-crafted CDF file.
Alerts:
Gentoo 200805-14 2008-05-13

Comments (none posted)

egroupware: denial of service

Package(s):egroupware CVE #(s):CVE-2008-2041 CVE-2008-1502
Created:May 8, 2008 Updated:July 18, 2008
Description: From the Gentoo alert:

A vulnerability has been reported in FCKEditor due to the way that file uploads are handled in the file editor/filemanager/upload/php/upload.php when a filename has multiple file extensions (CVE-2008-2041). Another vulnerability exists in the _bad_protocol_once() function in the file phpgwapi/inc/class.kses.inc.php, which allows remote attackers to bypass HTML filtering (CVE-2008-1502).

Alerts:
Gentoo 200805-04 2008-05-07
Fedora FEDORA-2008-6226 2008-07-09
SuSE SUSE-SR:2008:015 2008-07-18

Comments (none posted)

gforge: temporary file vulnerability

Package(s):gforge CVE #(s):CVE-2008-0167
Created:May 14, 2008 Updated:May 14, 2008
Description: GForge opens files for writing in an insecure manner, leaving open the possibility of file overwrite attacks by a local user.
Alerts:
Debian DSA-1577-1 2008-05-14

Comments (none posted)

firebird: information disclosure

Package(s):firebird CVE #(s):CVE-2008-1880
Created:May 9, 2008 Updated:May 14, 2008
Description: From the Gentoo advisory: Viesturs reported that the default configuration for Gentoo's init script ("/etc/conf.d/firebird") sets the "ISC_PASSWORD" environment variable when starting Firebird. It will be used when no password is supplied by a client connecting as the "SYSDBA" user.
Alerts:
Gentoo 200805-06 2008-05-09

Comments (1 posted)

imagemagick: heap-based buffer overflows

Package(s):ImageMagick CVE #(s):CVE-2008-1096 CVE-2008-1097
Created:May 9, 2008 Updated:July 4, 2008
Description: From the Mandriva advisory:

A heap-based buffer overflow vulnerability was found in how ImageMagick parsed XCF files. If ImageMagick opened a specially-crafted XCF file, it could be made to overwrite heap memory beyond the bounds of its allocated memory, potentially allowing an attacker to execute arbitrary code on the system running ImageMagick (CVE-2008-1096).

Another heap-based buffer overflow vulnerability was found in how ImageMagick processed certain malformed PCX images. If ImageMagick opened a specially-crafted PCX image file, an attacker could possibly execute arbitrary code on the system running ImageMagick (CVE-2008-1097).

Alerts:
Mandriva MDVSA-2008:099 2007-05-08
SuSE SUSE-SR:2008:014 2008-07-04

Comments (none posted)

inspIRCd: buffer overflow

Package(s):inspircd CVE #(s):CVE-2008-1925
Created:May 9, 2008 Updated:May 14, 2008
Description: From the CVE entry: Buffer overflow in InspIRCd before 1.1.18, when using the namesx and uhnames modules, allows remote attackers to cause a denial of service (daemon crash) via a large number of channel users with crafted nicknames, idents, and long hostnames.
Alerts:
Gentoo 200805-08 2008-05-09

Comments (none posted)

libid3tag: infinite loop

Package(s):libid3tag CVE #(s):CVE-2008-2109
Created:May 13, 2008 Updated:May 20, 2008
Description: From the CVE entry: field.c in the libid3tag 0.15.0b library allows context-dependent attackers to cause a denial of service (CPU consumption) via an ID3_FIELD_TYPE_STRINGLIST field that ends in '\0', which triggers an infinite loop.
Alerts:
Fedora FEDORA-2008-3757 2008-05-13
Gentoo 200805-15 2008-05-14
Fedora FEDORA-2008-3874 2008-05-14
Fedora FEDORA-2008-3976 2008-05-14
Mandriva MDVSA-2008:103 2008-05-19

Comments (none posted)

libvorbis: multiple vulnerabilities

Package(s):libvorbis CVE #(s):CVE-2008-1419 CVE-2008-1420 CVE-2008-1423
Created:May 14, 2008 Updated:June 24, 2008
Description: The libvorbis library contains several vulnerabilities exploitable by way of a specially-crafted Ogg file.
Alerts:
Red Hat RHSA-2008:0270-01 2008-05-14
Red Hat RHSA-2008:0271-01 2008-05-14
CentOS CESA-2008:0270 2008-05-14
Fedora FEDORA-2008-3898 2008-05-14
Fedora FEDORA-2008-3934 2008-05-14
Fedora FEDORA-2008-3910 2008-05-14
Mandriva MDVSA-2008:102 2007-05-16
Debian DSA-1591-1 2008-06-03
SuSE SUSE-SR:2008:012 2008-06-06
Gentoo 200806-09:02 2008-06-23

Comments (none posted)

licq: denial of service

Package(s):licq CVE #(s):CVE-2008-1996
Created:May 13, 2008 Updated:May 15, 2008
Description: From the CVE entry: licq before 1.3.6 allows remote attackers to cause a denial of service (file-descriptor exhaustion and application crash) via a large number of connections.
Alerts:
Fedora FEDORA-2008-3812 2008-05-13
Fedora FEDORA-2008-3909 2008-05-14
Fedora FEDORA-2008-3969 2008-05-14

Comments (none posted)

ltsp: multiple vulnerabilities

Package(s):ltsp CVE #(s):
Created:May 9, 2008 Updated:May 14, 2008
Description: The Linux Terminal Server Project ships copies of packages with vulnerabilities. Many of these vulnerabilities have likely been fixed by your distribution provider in the individual packages, but not in the ltsp bundled copies.
Alerts:
Gentoo 200805-07 2008-05-09

Comments (none posted)

moinmoin: privilege escalation

Package(s):moinmoin CVE #(s):CVE-2008-1937
Created:May 12, 2008 Updated:May 14, 2008
Description:

From the Gentoo advisory:

It has been reported that the user form processing in the file userform.py does not properly manage users when using Access Control Lists or a non-empty superusers list.

A remote attacker could exploit this vulnerability to gain superuser privileges on the application.

Alerts:
Gentoo 200805-09 2008-05-11

Comments (none posted)

nagios: cross-site scripting

Package(s):nagios CVE #(s):CVE-2007-5803 CVE-2008-1360
Created:May 9, 2008 Updated:May 14, 2008
Description: From the CVE entry: Cross-site scripting (XSS) vulnerability in Nagios before 2.11 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts, a different issue than CVE-2007-5624.
Alerts:
SuSE SUSE-SR:2008:011 2008-05-09

Comments (none posted)

openssl: predictable random number generator

Package(s):openssl CVE #(s):CVE-2008-0166
Created:May 13, 2008 Updated:June 19, 2008
Description: This Debian advisory states that, due to a Debian-specific modification to the openssl package, cryptographic keys generated on affected systems may be guessable. See also this brief article for more information.
Alerts:
Ubuntu USN-612-1 2008-05-13
Ubuntu USN-612-2 2008-05-13
Debian DSA-1571-1 2008-05-13
Ubuntu USN-612-3 2008-05-13
Ubuntu USN-612-4 2008-05-14
Debian DSA-1576-1 2008-05-14
Ubuntu USN-612-5 2008-05-14
Ubuntu USN-612-6 2008-05-14
Debian DSA-1576-2 2008-05-16
Ubuntu USN-612-7 2008-05-20
Ubuntu USN-612-8 2008-05-21
Ubuntu USN-612-10 2008-06-12
Ubuntu USN-612-9 2008-06-12
Ubuntu USN-612-11 2008-06-18

Comments (none posted)

php5: multiple vulnerabilities

Package(s):php5 CVE #(s):CVE-2007-3806 CVE-2008-1384 CVE-2008-2050 CVE-2008-2051
Created:May 12, 2008 Updated:July 16, 2008
Description:

From the Debian advisory:

CVE-2007-3806: The glob function allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via an invalid value of the flags parameter.

CVE-2008-1384: Integer overflow allows context-dependent attackers to cause a denial of service and possibly have other impact via a printf format parameter with a large width specifier.

CVE-2008-2050: Stack-based buffer overflow in the FastCGI SAPI.

CVE-2008-2051: The escapeshellcmd API function could be attacked via incomplete multibyte chars.

Alerts:
Debian DSA-1572-1 2008-05-11
Debian DSA-1578-1 2008-05-17
rPath rPSA-2008-0176-1 2008-05-23
rPath rPSA-2008-0178-1 2008-05-27
Fedora FEDORA-2008-3864 2008-06-20
Fedora FEDORA-2008-3606 2008-06-20
Red Hat RHSA-2008:0505-01 2008-07-02
SuSE SUSE-SR:2008:014 2008-07-04
Mandriva MDVSA-2008:126 2007-07-03
Mandriva MDVSA-2008:125 2008-07-03
Mandriva MDVSA-2008:127 2008-07-03
Mandriva MDVSA-2008:128 2008-07-03
Red Hat RHSA-2008:0544-01 2008-07-16
Red Hat RHSA-2008:0546-01 2008-07-16
Red Hat RHSA-2008:0545-01 2008-07-16
CentOS CESA-2008:0544 2008-07-16
CentOS CESA-2008:0545 2008-07-16

Comments (none posted)

php: PATH_TRANSLATED miscalculation

Package(s):php CVE #(s):CVE-2008-0599
Created:May 8, 2008 Updated:July 4, 2008
Description: From the National Vulnerability Database: CVE-2008-0599: cgi_main.c in PHP before 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors.
Alerts:
Slackware SSA:2008-128-01 2008-05-08
rPath rPSA-2008-0176-1 2008-05-23
Fedora FEDORA-2008-3864 2008-06-20
Fedora FEDORA-2008-3606 2008-06-20
Red Hat RHSA-2008:0505-01 2008-07-02
Mandriva MDVSA-2008:127 2008-07-03
Mandriva MDVSA-2008:128 2008-07-03

Comments (none posted)

rdesktop: multiple vulnerabilities

Package(s):rdesktop CVE #(s):CVE-2008-1801 CVE-2008-1802 CVE-2008-1803
Created:May 12, 2008 Updated:June 16, 2008
Description:

From the Debian advisory:

CVE-2008-1801: Remote exploitation of an integer underflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user.

CVE-2008-1802: Remote exploitation of a BSS overflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user.

CVE-2008-1803: Remote exploitation of an integer signedness vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user.

Alerts:
Debian DSA-1573-1 2008-05-11
Fedora FEDORA-2008-3985 2008-05-14
Fedora FEDORA-2008-3917 2008-05-14
Fedora FEDORA-2008-3886 2008-05-14
Mandriva MDVSA-2008:101 2007-05-16
Slackware SSA:2008-148-01 2008-05-28
Gentoo 200806-04 2008-06-14

Comments (none posted)

sarg: stack buffer overflows

Package(s):sarg CVE #(s):CVE-2008-1922
Created:May 9, 2008 Updated:May 14, 2008
Description: Multiple stack buffer overflows have been fixed in the Squid logfile analyzer sarg.
Alerts:
SuSE SUSE-SR:2008:011 2008-05-09

Comments (none posted)

sipp: arbitrary code execution

Package(s):sipp CVE #(s):CVE-2008-1959
Created:May 12, 2008 Updated:May 14, 2008
Description:

From the Fedora advisory:

Stack-based buffer overflow in the get_remote_video_port_media function in call.cpp in SIPp 3.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted SIP message.

Alerts:
Fedora FEDORA-2008-3508 2008-05-09
Fedora FEDORA-2008-3690 2008-05-13

Comments (none posted)

X11 terms: privilege escalation

Package(s):aterm CVE #(s):CVE-2008-1142 CVE-2008-1692
Created:May 8, 2008 Updated:May 14, 2008
Description: Privilege escalation vulnerabilities have been found in the following X11 terminal emulators: aterm, Eterm, Mrxvt, multi-aterm, RXVT, rxvt-unicode, and wterm.

From the Gentoo alert:

Bernhard R. Link discovered that Eterm opens a terminal on :0 if the "-display" option is not specified and the DISPLAY environment variable is not set. Further research by the Gentoo Security Team has shown that aterm, Mrxvt, multi-aterm, RXVT, rxvt-unicode, and wterm are also affected.

Alerts:
Gentoo 200805-03 2008-05-07

Comments (none posted)

xen: multiple vulnerabilities

Package(s):xen CVE #(s):CVE-2007-5730 CVE-2008-1943 CVE-2008-1944 CVE-2008-2004
Created:May 13, 2008 Updated:June 13, 2008
Description: From the Red Hat advisory:

Tavis Ormandy found that QEMU did not perform adequate sanity-checking of data received via the "net socket listen" option. A malicious local administrator of a guest domain could trigger this flaw to potentially execute arbitrary code outside of the domain. (CVE-2007-5730)

Markus Armbruster discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the frontend's framebuffer description. This could allow a malicious user to cause a denial of service, or to use a specially crafted frontend to compromise the privileged domain (Dom0). (CVE-2008-1943)

Daniel P. Berrange discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the format of messages serving to update the contents of the framebuffer. This could allow a malicious user to cause a denial of service, or compromise the privileged domain (Dom0). (CVE-2008-1944)

Chris Wright discovered a security vulnerability in the QEMU block format auto-detection, when running fully-virtualized guests. Such fully-virtualized guests, with a raw formatted disk image, were able to write a header to that disk image describing another format. This could allow such guests to read arbitrary files in their hypervisor's host. (CVE-2008-2004)

Alerts:
Red Hat RHSA-2008:0194-01 2008-05-13
CentOS CESA-2008:0194 2008-05-16
SuSE SUSE-SR:2008:013 2008-06-13

Comments (none posted)

zoneminder: arbitrary code execution

Package(s):zoneminder CVE #(s):CVE-2008-1381
Created:May 12, 2008 Updated:May 14, 2008
Description:

From the Red Hat bugzilla:

ZoneMinder prior to version 1.23.3 contains unescaped PHP exec() calls which can allow an authorised remote user the ability to run arbitrary code as the Apache httpd user.

Alerts:
Fedora FEDORA-2008-3516 2008-05-09
Fedora FEDORA-2008-3462 2008-05-09
Fedora FEDORA-2008-3601 2008-05-13

Comments (none posted)

Page editor: Jake Edge

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds