By Jake Edge
May 14, 2008
The recent Debian advisory for OpenSSL describes a flaw that could lead to predictable cryptographic keys being generated on affected systems. Unfortunately, because of the way keys are used, especially by ssh, this can lead to problems on systems that never installed the vulnerable library. In addition, because the OpenSSL library is used in a wide variety of services that require cryptography, a very large subset of security tools are affected. This is a wide-ranging vulnerability that affects a substantial fraction of Linux systems.
For a look at the chain of errors that led to the vulnerability, see our front page article. Here, we will concentrate on some of the details of the code, the impact of the vulnerability, and what to do about it.
Valgrind, an excellent tool for finding memory-related bugs, was run on an application that used the OpenSSL library. It complained about the library using uninitialized memory in two locations in crypto/rand/md_rand.c:

Line 247:
    MD_Update(&m,buf,j);

Line 467:
    #ifndef PURIFY
    MD_Update(&m,buf,j); /* purify complains */
    #endif

While the lines of code look remarkably similar (modulo the pre-processor directive), their actual effect is very different. The first is contained in the ssleay_rand_add() function, which is normally called via the RAND_add() function. It adds the contents of the passed in buffer to the entropy pool of the pseudo-random number generator (PRNG). The other is contained in ssleay_rand_bytes(), normally called via RAND_bytes(), which is meant to return random bytes. It adds the contents of the passed in buffer—before filling it with random bytes to return—to the entropy pool as well. The major difference is that removing the latter might marginally reduce the entropy in the PRNG pool, while removing the former effectively stops any entropy from being added to the pool.
For both RAND_add() and RAND_bytes(), the buffer that gets passed in may not have been initialized. This was evidently known by the OpenSSL folks, but remained undocumented for others to trip over later. The "#ifndef PURIFY" is a clue that someone, at some point, tried to handle the same kind of problem that Valgrind was reporting for the similar, but proprietary, Purify tool. While it isn't necessarily wrong to add these uninitialized buffers to the PRNG pool, it is something that tools like Valgrind will rightly complain about. Since it is dubious whether it adds much in the way of entropy, while constituting a serious hazard for the uninitiated, some kind of documentation in the code would seem mandatory.
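To make the asymmetry between the two MD_Update() sites concrete, here is an added toy model; it is not OpenSSL's md_rand.c and not code from the article. The pool, its SHA-1 mixing and the two on/off switches are assumptions made for illustration: the real pool is larger and also mixes in values such as the time and PID, which is why vulnerable libraries still had the roughly 18 bits of variation discussed below rather than a single fixed output. The model keeps only the two caller-buffer mixes, so switching off the rand_add() mix shows the limiting case: every seed produces the same "random" bytes.

```python
import hashlib

# Added illustration, not OpenSSL's md_rand.c: a toy MD-based entropy pool with a
# switch for each of the two MD_Update sites the article discusses. (Assumption:
# the real pool is larger and mixes other values such as the time and PID; this
# model keeps only the two caller-buffer mixes to show their different roles.)
class ToyPool:
    def __init__(self, mix_in_rand_add: bool = True, mix_in_rand_bytes: bool = True):
        self.state = bytes(20)          # fresh process: pool starts out all zero
        self.counter = 0
        self.mix_in_rand_add = mix_in_rand_add      # line 247 site (ssleay_rand_add)
        self.mix_in_rand_bytes = mix_in_rand_bytes  # line 467 site (ssleay_rand_bytes)

    def rand_add(self, buf: bytes) -> None:
        """RAND_add() analogue: fold caller-supplied seed material into the pool."""
        m = hashlib.sha1(self.state)
        if self.mix_in_rand_add:
            m.update(buf)      # removing this line drops the seed on the floor
        self.state = m.digest()

    def rand_bytes(self, n: int, caller_buf: bytes = b"") -> bytes:
        """RAND_bytes() analogue: derive output blocks from the pool state.
        caller_buf stands for whatever the output buffer held before being filled."""
        out = b""
        while len(out) < n:
            m = hashlib.sha1(self.state + self.counter.to_bytes(4, "little"))
            if self.mix_in_rand_bytes:
                m.update(caller_buf)   # marginal extra input; harmless to drop
            block = m.digest()
            self.state = hashlib.sha1(self.state + block).digest()  # advance the pool
            self.counter += 1
            out += block
        return out[:n]


def key_material(seed: bytes, mix_in_rand_add: bool = True) -> bytes:
    """Seed a fresh pool the way an application would (e.g. with bytes read from
    /dev/urandom) and draw 16 bytes of key material from it."""
    pool = ToyPool(mix_in_rand_add=mix_in_rand_add)
    pool.rand_add(seed)
    return pool.rand_bytes(16)


if __name__ == "__main__":
    a = key_material(b"seed from /dev/urandom, run 1")
    b = key_material(b"seed from /dev/urandom, run 2")
    print("intact pool, two seeds differ:", a != b)
    a = key_material(b"seed from /dev/urandom, run 1", mix_in_rand_add=False)
    b = key_material(b"seed from /dev/urandom, run 2", mix_in_rand_add=False)
    print("rand_add mix removed, outputs identical:", a == b)
```

Dropping the rand_bytes() mix alone changes nothing observable here, since a fresh buffer contributes nothing the seed did not already supply; dropping the rand_add() mix makes the output independent of the seed entirely, which is the failure the article describes.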
The major response from the OpenSSL team seems to be from core team member Ben Laurie's weblog, where he has a rant entitled "Vendors Are Bad For Security". In it, and its follow-up, he makes some good points about mistakes that were made, while seeming to be unwilling for OpenSSL to take any share of the blame.
The end result is that OpenSSL would create predictable random numbers, which would then result in predictable cryptographic keys. According to the advisory: "Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though."
A program that can detect some weak keys has also been released. It uses 256K hash values to detect the bad keys, which implies 18 bits of entropy (256K = 2^18) in the PRNG pool of vulnerable OpenSSL libraries. By distributing hashes of the keys rather than the keys themselves, the authors do not directly give away the key values that get generated, but it should not be difficult for an attacker to generate and use that list.
For affected Debian-derived systems, the cleanup is relatively straightforward, if painful. The SSLkeys page on the Debian wiki has specific information on how to remove weak keys along with how to generate new ones for a variety of affected services. Obviously, none of those steps should be taken until the OpenSSL package itself has been upgraded to a version that fixes the hole.
A bigger problem may be for those installations based on distributions that were not directly affected because they did not distribute the vulnerable OpenSSL library. Those machines may very well have weak keys installed in user accounts as ssh authorized_keys. A user who generated a key pair on some vulnerable host may have copied the public key to a host that was not vulnerable. This would allow an attacker to access the account of that user by brute forcing the key from the 256K possibilities.
Because of that danger, the Debian project suspended public key authentication on debian.org machines. In addition, all passwords were reset because of the possibility that an attacker could have captured them by decrypting the ssh traffic using one of the weak keys. One would guess that debian.org machines would have a higher incidence of weak keys, but any host that allows users to use ssh public key authentication is potentially at risk.
The weak key detector (dowkd) has some fairly serious limitations: "dowkd currently handles OpenSSH host and user keys and OpenVPN shared secrets, as long as they use default key lengths and have been created on a little-endian architecture (such as i386 or amd64). Note that the blacklist by dowkd may be incomplete; it is only intended as a quick check."
In order to ensure that there are no weak keys installed as public keys on other hosts, it may be necessary to remove all authorized_keys (and/or authorized_keys2) entries for all users. It may also be wise to set all passwords to something unknown. Until that is done, there still remains a chance that a weak key may allow access to an attacker. It is an unpleasant task that needs to be done by those who administer a multi-user system.
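The scan that the two paragraphs above call for, as an added example that is not part of the original article and is not the dowkd tool: it parses an authorized_keys file (tolerating a leading options field such as from="..." or command="..."), computes the classic OpenSSH MD5 fingerprint of each key and reports entries whose fingerprint is on a blacklist. Everything below is constructed: the sample file, its placeholder key parameters, and the two-entry blacklist, which stands in for the fingerprint list a real check would load from dowkd or a distribution's blacklist package. The MD5 colon-hex fingerprint format is an assumption chosen to match ssh-keygen -l of the period; whatever list is loaded, the fingerprint function must match its format, and, as the quoted limitations note, "no weak keys found" is only as good as that list.

```python
import base64
import hashlib
import re
import struct
from typing import Iterator, List, NamedTuple, Set, Tuple

# Added example, not the dowkd tool or any Debian-supplied code: parse an
# authorized_keys file, fingerprint each public key, and flag entries whose
# fingerprint is on a blacklist. The blacklist here is constructed from two of
# the sample keys below; a real check would load dowkd's (or a distribution's)
# published fingerprint list instead.

KEY_LINE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_key_blob(key_type: str, *fields: bytes) -> bytes:
    """Build a public-key blob in OpenSSH wire format (type string, then fields).
    Used only to construct sample data; the fields are placeholders, not real key parameters."""
    return _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)


def md5_fingerprint(blob: bytes) -> str:
    """Classic OpenSSH fingerprint: MD5 over the decoded blob as colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_authorized_keys(text: str) -> Iterator[Tuple[int, str, bytes, str]]:
    """Yield (line_no, key_type, blob, comment) for each key line. Blank lines and
    comments are skipped; a leading options field (from=..., command=...) is tolerated;
    a blob whose embedded type string does not match the declared type is rejected."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = KEY_LINE.search(stripped)
        if m is None:
            continue  # unrecognised line; a real tool would report it
        key_type, comment = m.group(1), m.group(3) or ""
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except ValueError:
            continue  # corrupt base64
        if len(blob) < 4:
            continue
        type_len = struct.unpack(">I", blob[:4])[0]
        if blob[4:4 + type_len] != key_type.encode():
            continue  # declared type and blob disagree
        yield line_no, key_type, blob, comment


class Finding(NamedTuple):
    line_no: int
    key_type: str
    fingerprint: str
    comment: str


def find_weak_keys(text: str, blacklist: Set[str]) -> List[Finding]:
    """Return every key entry whose MD5 fingerprint appears in the blacklist."""
    return [Finding(n, t, md5_fingerprint(b), c)
            for n, t, b, c in parse_authorized_keys(text)
            if md5_fingerprint(b) in blacklist]


# --- constructed sample data (placeholder key parameters, not real keys) ---
KEY_A = make_key_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xaa\xbb\xcc\xdd")
KEY_B = make_key_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\x11\x22\x33\x44")
KEY_C = make_key_blob("ssh-dss", b"\x00\x99", b"\x00\x77", b"\x00\x55", b"\x00\x33")


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys file",
    f"ssh-rsa {_b64(KEY_A)} alice@laptop",
    f'from="10.0.0.0/8",no-pty ssh-rsa {_b64(KEY_B)} bob@build',
    f"ssh-dss {_b64(KEY_C)} carol@old-box",
]) + "\n"

# Stand-in blacklist: pretend KEY_A and KEY_C were generated on a vulnerable host.
WEAK_FINGERPRINTS = {md5_fingerprint(KEY_A), md5_fingerprint(KEY_C)}

if __name__ == "__main__":
    for f in find_weak_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print(f"line {f.line_no}: weak {f.key_type} key {f.fingerprint} ({f.comment})")
```

In practice the loop would run over every account's ~/.ssh/authorized_keys and authorized_keys2 (and the host keys), with the results used to decide which entries to remove before public key authentication is re-enabled; a clean report from a known-incomplete blacklist is not a reason to skip the wholesale removal the article recommends.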
Comments (31 posted)
Brief items
InformationWeek reports on an increase in attacks against SSH servers. "The paper focuses on the vulnerability of Linux systems to brute-force SSH attacks... 'Linux systems face a unique threat of compromise from brute-force attacks against SSH servers that may be running without the knowledge of system owners/operators. Many Linux distributions install the SSH service by default, some without the benefit of an effective firewall.'"
Comments (37 posted)
From the Mozilla security blog: "The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection, but does not contain the virus itself. This usually results in the user seeing unwanted ads, but may be used for more malicious actions. Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy." Presumably this is only an issue for Windows users, but it is still scary. More information can be found in bugzilla.
Comments (6 posted)
The Debian project has sent out an advisory stating that, due to a Debian-specific modification to the openssl package, cryptographic keys generated on affected systems may be guessable. "It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised." The project has disabled public key logins on its internal infrastructure in response.
Comments (111 posted)
Dark Reading analyzes web application vulnerabilities with an eye towards triage—choosing the right ones to address first. "While there are many Web application vulnerabilities, they aren't all the same. Each one may represent different levels of danger to different organizations, depending on the sensitivity of the data available through the site, user access privileges, and the accessibility of other internal systems from the Web and database servers."
New vulnerabilities
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
| CVE #(s): | CVE-2008-2103, CVE-2008-2105 |
| Created: | May 12, 2008 |
| Updated: | May 14, 2008 |
| Description: |
From the Red Hat bugzilla:
CVE-2008-2103: Cross-site scripting (XSS) vulnerability in Bugzilla 2.17.2 and later allows remote attackers to inject arbitrary web script or HTML via the id parameter to the "Format for Printing" view or "Long Format" bug list.
CVE-2008-2105: email_in.pl in Bugzilla 2.23.4, and later versions before 3.0, allows remote authenticated users to more easily spoof the changer of a bug via a @reporter command in the body of an e-mail message, which overrides the e-mail address as normally obtained from the From e-mail header. NOTE: since From headers are easily spoofed, this only crosses privilege boundaries in environments that provide additional verification of e-mail addresses.
|
cdf: buffer overflow
| Package(s): | cdf |
| CVE #(s): | CVE-2008-2080 |
| Created: | May 14, 2008 |
| Updated: | May 14, 2008 |
| Description: | Versions of the Common Data Format library prior to 3.2.1 suffer from a buffer overflow which could be exploitable via a specially-crafted CDF file. |
egroupware: denial of service
| Package(s): | egroupware |
| CVE #(s): | CVE-2008-2041, CVE-2008-1502 |
| Created: | May 8, 2008 |
| Updated: | October 13, 2009 |
| Description: | From the Gentoo alert: A vulnerability has been reported in FCKEditor due to the way that file uploads are handled in the file editor/filemanager/upload/php/upload.php when a filename has multiple file extensions (CVE-2008-2041). Another vulnerability exists in the _bad_protocol_once() function in the file phpgwapi/inc/class.kses.inc.php, which allows remote attackers to bypass HTML filtering (CVE-2008-1502). |
gforge: temporary file vulnerability
| Package(s): | gforge |
| CVE #(s): | CVE-2008-0167 |
| Created: | May 14, 2008 |
| Updated: | May 14, 2008 |
| Description: | GForge opens files for writing in an insecure manner, leaving open the possibility of file overwrite attacks by a local user. |
firebird: information disclosure
| Package(s): | firebird |
| CVE #(s): | CVE-2008-1880 |
| Created: | May 9, 2008 |
| Updated: | May 14, 2008 |
| Description: | From the Gentoo advisory: Viesturs reported that the default configuration for Gentoo's init script ("/etc/conf.d/firebird") sets the "ISC_PASSWORD" environment variable when starting Firebird. It will be used when no password is supplied by a client connecting as the "SYSDBA" user. |
Comments (1 posted)
imagemagick: heap-based buffer overflows
| Package(s): | ImageMagick |
| CVE #(s): | CVE-2008-1096, CVE-2008-1097 |
| Created: | May 9, 2008 |
| Updated: | August 11, 2009 |
| Description: |
From the Mandriva advisory:
A heap-based buffer overflow vulnerability was found in how ImageMagick parsed XCF files. If ImageMagick opened a specially-crafted XCF file, it could be made to overwrite heap memory beyond the bounds of its allocated memory, potentially allowing an attacker to execute arbitrary code on the system running ImageMagick (CVE-2008-1096).
Another heap-based buffer overflow vulnerability was found in how ImageMagick processed certain malformed PCX images. If ImageMagick opened a specially-crafted PCX image file, an attacker could possibly execute arbitrary code on the system running ImageMagick (CVE-2008-1097).
|
inspIRCd: buffer overflow
| Package(s): | inspircd |
| CVE #(s): | CVE-2008-1925 |
| Created: | May 9, 2008 |
| Updated: | May 14, 2008 |
| Description: | From the CVE entry: Buffer overflow in InspIRCd before 1.1.18, when using the namesx and uhnames modules, allows remote attackers to cause a denial of service (daemon crash) via a large number of channel users with crafted nicknames, idents, and long hostnames. |
libid3tag: infinite loop
| Package(s): | libid3tag |
| CVE #(s): | CVE-2008-2109 |
| Created: | May 13, 2008 |
| Updated: | May 20, 2008 |
| Description: | From the CVE entry: field.c in the libid3tag 0.15.0b library allows context-dependent attackers to cause a denial of service (CPU consumption) via an ID3_FIELD_TYPE_STRINGLIST field that ends in '\0', which triggers an infinite loop. |
libvorbis: multiple vulnerabilities
| Package(s): | libvorbis |
| CVE #(s): | CVE-2008-1419, CVE-2008-1420, CVE-2008-1423 |
| Created: | May 14, 2008 |
| Updated: | August 25, 2009 |
| Description: | The libvorbis library contains several vulnerabilities exploitable by way of a specially-crafted Ogg file. |
licq: denial of service
| Package(s): | licq |
| CVE #(s): | CVE-2008-1996 |
| Created: | May 13, 2008 |
| Updated: | July 31, 2008 |
| Description: | From the CVE entry: licq before 1.3.6 allows remote attackers to cause a denial of service (file-descriptor exhaustion and application crash) via a large number of connections. |
ltsp: multiple vulnerabilities
| Package(s): | ltsp |
| CVE #(s): | |
| Created: | May 9, 2008 |
| Updated: | May 14, 2008 |
| Description: | The Linux Terminal Server Project ships copies of packages with vulnerabilities. Many of these vulnerabilities have likely been fixed by your distribution provider in the individual packages, but not in the ltsp bundled copies. |
moinmoin: privilege escalation
| Package(s): | moinmoin |
| CVE #(s): | CVE-2008-1937 |
| Created: | May 12, 2008 |
| Updated: | May 14, 2008 |
| Description: | From the Gentoo advisory: It has been reported that the user form processing in the file userform.py does not properly manage users when using Access Control Lists or a non-empty superusers list. A remote attacker could exploit this vulnerability to gain superuser privileges on the application. |
nagios: cross-site scripting
| Package(s): | nagios |
| CVE #(s): | CVE-2007-5803, CVE-2008-1360 |
| Created: | May 9, 2008 |
| Updated: | September 14, 2009 |
| Description: | From the CVE entry: Cross-site scripting (XSS) vulnerability in Nagios before 2.11 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts, a different issue than CVE-2007-5624. |
openssl: predictable random number generator
| Package(s): | openssl |
| CVE #(s): | CVE-2008-0166 |
| Created: | May 13, 2008 |
| Updated: | June 19, 2008 |
| Description: | This Debian advisory states that, due to a Debian-specific modification to the openssl package, cryptographic keys generated on affected systems may be guessable. See also this brief article for more information. |
php5: multiple vulnerabilities
| Package(s): | php5 |
| CVE #(s): | CVE-2007-3806, CVE-2008-1384, CVE-2008-2050, CVE-2008-2051 |
| Created: | May 12, 2008 |
| Updated: | January 22, 2009 |
| Description: |
From the Debian advisory:
CVE-2007-3806: The glob function allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via an invalid value of the flags parameter.
CVE-2008-1384: Integer overflow allows context-dependent attackers to cause a denial of service and possibly have other impact via a printf format parameter with a large width specifier.
CVE-2008-2050: Stack-based buffer overflow in the FastCGI SAPI.
CVE-2008-2051: The escapeshellcmd API function could be attacked via incomplete multibyte chars.
|
php: PATH_TRANSLATED miscalculation
| Package(s): | php |
| CVE #(s): | CVE-2008-0599 |
| Created: | May 8, 2008 |
| Updated: | November 17, 2008 |
| Description: | From the National Vulnerability Database: CVE-2008-0599: cgi_main.c in PHP before 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors. |
rdesktop: multiple vulnerabilities
| Package(s): | rdesktop |
| CVE #(s): | CVE-2008-1801, CVE-2008-1802, CVE-2008-1803 |
| Created: | May 12, 2008 |
| Updated: | September 19, 2008 |
| Description: |
From the Debian advisory:
CVE-2008-1801: Remote exploitation of an integer underflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user.
CVE-2008-1802: Remote exploitation of a BSS overflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user.
CVE-2008-1803: Remote exploitation of an integer signedness vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user.
|
sarg: stack buffer overflows
| Package(s): | sarg |
| CVE #(s): | CVE-2008-1922 |
| Created: | May 9, 2008 |
| Updated: | September 8, 2010 |
| Description: | Multiple stack buffer overflows have been fixed in the Squid logfile analyzer sarg. |
sipp: arbitrary code execution
| Package(s): | sipp |
| CVE #(s): | CVE-2008-1959 |
| Created: | May 12, 2008 |
| Updated: | May 14, 2008 |
| Description: | From the Fedora advisory: Stack-based buffer overflow in the get_remote_video_port_media function in call.cpp in SIPp 3.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted SIP message. |
X11 terms: privilege escalation
| Package(s): | aterm |
| CVE #(s): | CVE-2008-1142, CVE-2008-1692 |
| Created: | May 8, 2008 |
| Updated: | October 30, 2008 |
| Description: |
Privilege escalation vulnerabilities have been found in the following X11 terminal emulators: aterm, Eterm, Mrxvt, multi-aterm, RXVT, rxvt-unicode, and wterm.
From the Gentoo alert: Bernhard R. Link discovered that Eterm opens a terminal on :0 if the "-display" option is not specified and the DISPLAY environment variable is not set. Further research by the Gentoo Security Team has shown that aterm, Mrxvt, multi-aterm, RXVT, rxvt-unicode, and wterm are also affected.
|
xen: multiple vulnerabilities
| Package(s): | xen |
| CVE #(s): | CVE-2007-5730, CVE-2008-1943, CVE-2008-1944, CVE-2008-2004 |
| Created: | May 13, 2008 |
| Updated: | May 13, 2009 |
| Description: |
From the Red Hat advisory:
Tavis Ormandy found that QEMU did not perform adequate sanity-checking of data received via the "net socket listen" option. A malicious local administrator of a guest domain could trigger this flaw to potentially execute arbitrary code outside of the domain. (CVE-2007-5730)
Markus Armbruster discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the frontend's framebuffer description. This could allow a malicious user to cause a denial of service, or to use a specially crafted frontend to compromise the privileged domain (Dom0). (CVE-2008-1943)
Daniel P. Berrange discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the format of messages serving to update the contents of the framebuffer. This could allow a malicious user to cause a denial of service, or compromise the privileged domain (Dom0). (CVE-2008-1944)
Chris Wright discovered a security vulnerability in the QEMU block format auto-detection, when running fully-virtualized guests. Such fully-virtualized guests, with a raw formatted disk image, were able to write a header to that disk image describing another format. This could allow such guests to read arbitrary files in their hypervisor's host. (CVE-2008-2004)
|
zoneminder: arbitrary code execution
| Package(s): | zoneminder |
| CVE #(s): | CVE-2008-1381 |
| Created: | May 12, 2008 |
| Updated: | May 14, 2008 |
| Description: | From the Red Hat bugzilla: ZoneMinder prior to version 1.23.3 contains unescaped PHP exec() calls which can allow an authorised remote user the ability to run arbitrary code as the Apache httpd user. |
Page editor: Jake Edge