
Security

Secrecy and the DNS flaw

By Jake Edge
July 9, 2008

By now, most folks will have seen reports of the design flaw discovered in DNS as it has seen fairly widespread coverage, even in the non-technical press. It is rare to see such a coordinated disclosure and security update amongst that many of the big players in the computer industry. While fixes abound, the actual problem has yet to be disclosed, which has both positives and negatives.

Responsible disclosure policies dictate that vulnerabilities be kept secret until all affected vendors can create an update. Because this flaw is in the design of DNS, most implementations were affected. This still doesn't quite explain the roughly six months between the discovery of the problem and the release of the fix. Evidently it took a meeting of the minds at the Microsoft campus in March to decide upon the right course of action. Once the fixes were done, presumably they were released on the next "patch Tuesday"—Microsoft's monthly security update day.

Normally, once fixes are available, information about the vulnerability is released. But, for a number of reasons, that has not happened in this case. One of the main reasons is that DNS is an essential internet service and it will take time for affected users to patch their systems. In addition, there have been no reports of this flaw being exploited "in the wild", reducing the pressure to divulge it.

Security researcher Dan Kaminsky discovered the flaw and he has yet another, "blatantly selfish" reason for keeping it quiet as he would like to be able to announce it at Black Hat in Las Vegas in early August:

While I'm out there, trying to get all these bugs scrubbed — old and new — please, keep the speculation off the @public forums and IRC channels. We're a curious lot, and we want to know how things break. But the public needs at least a chance to deploy this fix, and from a blatantly selfish perspective, I'd kind of like my thunder not to be completely stolen in Vegas.

None of these seem like horrible reasons to keep the vulnerability quiet for a time (roughly 30 days), but they do leave some DNS implementations and worried administrators without the information they need to evaluate the situation. Administrators do not know what traffic patterns or other symptoms to look for to determine if exploits are being attempted. Smaller, less prominent DNS implementations were not included in the collaboration, thus they don't have enough information to decide whether they are vulnerable or not.

A perfect example is Dnsmasq, a lightweight DNS server for smaller networks. Dnsmasq is often used in embedded Linux distributions targeted for home wireless routers. Simon Kelley, Dnsmasq developer, was asked about the vulnerability; his response speaks volumes:

I wasn't contacted in advance about this, and no patch for dnsmasq has been released. Since the exact nature of the new vulnerability has not (as far as I know) been announced, I don't know if dnsmasq is vulnerable.

Kelley has since released a patched version, but it is still unknown whether it is needed or, really, if it even fixes the problem. It is difficult to know for sure that a security hole has been closed if information about the hole is not available. This points to the problems that can come from withholding vulnerability information.

Based on the patches and some information from Kaminsky and others, it is clear that this is a cache poisoning vulnerability. Since source port randomization is the change that was applied to alleviate, but not eliminate, the flaw, we can surmise that Kaminsky found a way to reduce the number of spoofed replies that need to be sent to something tractable. According to the Internet Systems Consortium, developers of the BIND DNS server, the only true solution is DNSSEC, which implies that the current fixes only make cache poisoning less likely, not impossible.

Source port randomization is a technique that has been advocated by Daniel J. Bernstein (djb) for many years. He implemented it in his djbdns name server long ago. Essentially, it chooses a random source UDP port for each query that the name server makes, which has the effect of increasing the amount of randomness that an attacker needs to predict before being able to poison the cache.

While the market share of Dnsmasq may be minuscule, there are certainly other DNS implementations that are also concerned. In addition, we are relying on those who are "in the know" to be on the lookout for suspicious traffic that might indicate the vulnerability being exploited. Kaminsky is certainly under no obligation to reveal anything, but one wonders if the safest course would have been for him to provide details now, even at the expense of his "thunder".
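To make the two preceding points concrete, here is a small model of the resolver side of the problem: the checks a reply must pass before a resolver trusts it, how much an off-path sender has to guess with a fixed source port versus a randomized one, and a simple counter of unsolicited replies of the kind an administrator might watch for. This is an added example, not code from the article, from BIND, djbdns or Dnsmasq; the matching rules, the ephemeral port range and the "unmatched replies per source" heuristic are assumptions made for the illustration.

```python
"""Toy model of DNS reply validation with and without source port
randomization. Added example; the matching rules, port range and the
spoof-monitor heuristic are assumptions, not any real resolver's code."""
import math
import secrets
from collections import Counter
from dataclasses import dataclass

EPHEMERAL_PORTS = 65536 - 1024   # assumed range 1024..65535 for randomized ports


@dataclass(frozen=True)
class Outstanding:
    """One query the resolver has sent and is still waiting on."""
    txid: int       # 16-bit DNS transaction ID
    src_port: int   # UDP source port the query left from
    qname: str      # question name the reply must echo


def new_query(qname: str, randomize_port: bool, fixed_port: int = 53) -> Outstanding:
    """Create the state for a fresh outgoing query. With a fixed port only
    the 16-bit transaction ID is unpredictable; with randomization the
    source port is drawn from the ephemeral range as well."""
    txid = secrets.randbelow(1 << 16)
    port = 1024 + secrets.randbelow(EPHEMERAL_PORTS) if randomize_port else fixed_port
    return Outstanding(txid, port, qname)


def reply_matches(q: Outstanding, txid: int, dst_port: int, qname: str) -> bool:
    """A reply is accepted only if it arrives on the port the query left
    from, carries the same transaction ID and answers the same question."""
    return (q.txid == txid
            and q.src_port == dst_port
            and q.qname.lower() == qname.lower())


def guess_space_bits(randomize_port: bool) -> float:
    """Bits an off-path sender must guess to produce an accepted reply:
    16 for the transaction ID, plus log2(port range) when randomized."""
    return 16.0 + (math.log2(EPHEMERAL_PORTS) if randomize_port else 0.0)


def blind_hit_probability(n_replies: int, randomize_port: bool) -> float:
    """Chance that n distinct blind guesses include the right (txid, port)
    for one outstanding query. The denominator is 2^16 with a fixed port
    and 2^16 * EPHEMERAL_PORTS with randomization (computed exactly)."""
    space = (1 << 16) * (EPHEMERAL_PORTS if randomize_port else 1)
    return min(1.0, n_replies / space)


class SpoofMonitor:
    """Counts replies that matched no outstanding query, per sender IP.
    A burst of unmatched replies from one source is the kind of symptom
    an administrator could look for (assumed heuristic, not from the article)."""

    def __init__(self, threshold: int = 100):
        self.threshold = threshold
        self.unmatched = Counter()

    def observe(self, src_ip: str, pending, txid: int, dst_port: int, qname: str) -> bool:
        """Return True if the reply matched a pending query; otherwise
        record it against its sender and return False."""
        if any(reply_matches(q, txid, dst_port, qname) for q in pending):
            return True
        self.unmatched[src_ip] += 1
        return False

    def suspicious_sources(self):
        """Senders whose unmatched-reply count reached the threshold."""
        return [ip for ip, n in self.unmatched.items() if n >= self.threshold]


if __name__ == "__main__":
    q = new_query("example.com", randomize_port=True)
    print(f"query txid={q.txid:#06x} src_port={q.src_port}")
    print(f"guess space: {guess_space_bits(False):.1f} bits with a fixed port, "
          f"{guess_space_bits(True):.1f} bits with a random port")
    print(f"65536 blind replies: hit probability {blind_hit_probability(65536, False):.3f} "
          f"fixed vs {blind_hit_probability(65536, True):.2e} randomized")
```

The model makes the article's two observations visible: randomizing the port roughly doubles the number of bits a forged reply must get right, which is why the fix raises the attacker's cost without removing the underlying design weakness, and a resolver that already discards non-matching replies can cheaply count them per source, which is the sort of signal administrators were left guessing about while the details stayed secret.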


Brief items

Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released (Securosis.com)

Dan Kaminsky has found a flaw in the design of DNS that can allow cache poisoning, as an article at Securosis.com details. This has led to a CERT advisory as well as a coordinated release of patched DNS servers from all affected vendors. Evidently source port randomization is helpful in alleviating the problem. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediately reveal the vulnerability and reverse engineering isn't directly possible." That last claim seems rather strong; time will tell, but it makes sense to be prepared to upgrade affected servers as soon as distributions make them available.


Mozilla Foundation developing a model for a security metric (heise online)

An article at heise online describes Mozilla's new security metrics project, which is an attempt to measure the relative security of Firefox. "One of the main factors cited is how long Firefox users are exposed to a threat while a hole remains unpatched. The developers say they want to use the security metric derived from the results to identify any problematic stage in the development and patch process."


New vulnerabilities

bind9: DNS cache poisoning

Package(s):bind9 CVE #(s):CVE-2008-1447
Created:July 8, 2008 Updated:March 16, 2010
Description: From the Debian advisory: Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.
Alerts:
rPath rPSA-2010-0018-1 2010-03-15
Fedora FEDORA-2009-1069 2009-01-29
Gentoo 200901-03 2009-01-11
Fedora FEDORA-2009-0350 2009-01-14
Gentoo 200812-17 2008-12-16
Slackware SSA:2008-334-01 2008-12-01
Ubuntu USN-651-1 2008-10-10
Debian DSA-1619-2 2008-09-22
Gentoo 200809-02 2008-09-04
SuSE SUSE-SR:2008:017 2008-08-29
SuSE SUSE-SA:2008:041 2008-08-14
Debian DSA-1617-1 2008-07-25
Red Hat RHSA-2008:0789-01 2008-08-11
Debian DSA-1623-1 2008-07-31
Slackware SSA:2008-205-01 2008-07-24
rPath rPSA-2008-0231-1 2008-07-19
rPath rPSA-2008-0230-1 2008-07-18
Slackware SSA:2008-191-02 2008-07-10
Mandriva MDVSA-2008:139 2007-07-09
Fedora FEDORA-2008-6281 2008-07-09
Ubuntu USN-622-1 2008-07-08
CentOS CESA-2008:0533 2008-07-08
CentOS CESA-2008:0533 2008-07-09
Debian DSA-1604-1 2008-07-08
Debian DSA-1603-1 2008-07-08
Debian DSA-1619-1 2008-07-27
Ubuntu USN-627-1 2008-07-22
Gentoo 200807-08 2008-07-11
SuSE SUSE-SA:2008:033 2008-07-11
Fedora FEDORA-2008-6256 2008-07-09
Debian DSA-1605-1 2008-07-08
CentOS CESA-2008:0533 2008-07-09
Red Hat RHSA-2008:0533-01 2008-07-09
Gentoo 201209-25 2012-09-29


glib2: buffer overflow

Package(s):glib2 CVE #(s):CVE-2008-2371
Created:July 3, 2008 Updated:April 9, 2010
Description: The glib2 library has a heap-based overflow that is caused by incorrect option handling in pcre.
Alerts:
Ubuntu USN-624-2 2010-04-09
Mandriva MDVSA-2009:023 2009-01-21
Gentoo 200811-05 2008-11-16
rPath rPSA-2008-0305-1 2008-10-27
Ubuntu USN-628-1 2008-07-23
Mandriva MDVSA-2008:147 2007-07-15
Ubuntu USN-624-1 2008-07-15
Slackware SSA:2008-210-09 2008-07-29
Gentoo 200807-03 2008-07-07
Fedora FEDORA-2008-6110 2008-07-06
Fedora FEDORA-2008-6111 2008-07-06
Debian DSA-1602-1 2008-07-05
Fedora FEDORA-2008-6048 2008-07-03
SuSE SUSE-SR:2008:014 2008-07-04
Fedora FEDORA-2008-6025 2008-07-03


jetty: multiple vulnerabilities

Package(s):jetty CVE #(s):CVE-2007-5615 CVE-2007-5614 CVE-2007-5613
Created:July 7, 2008 Updated:February 17, 2009
Description:

From the Red Hat bugzilla:

For CVE-2007-5613: "Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters and cookies."

For CVE-2007-5614: "Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors."

For CVE-2007-5615: "CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors."

Alerts:
SuSE SUSE-SR:2009:004 2009-02-17
Fedora FEDORA-2008-6141 2008-07-06
Fedora FEDORA-2008-6164 2008-07-06


linuxdcpp: denial of service

Package(s):linuxdcpp CVE #(s):CVE-2008-2953 CVE-2008-2954
Created:July 3, 2008 Updated:December 9, 2008
Description: From the Red Hat bug report:

CVE-2008-2953: Linux DC++ (linuxdcpp) before 0.707 allows remote attackers to cause a denial of service (crash) via "partial file list requests" that trigger a NULL pointer dereference.

CVE-2008-2954: client/NmdcHub.cpp in Linux DC++ (linuxdcpp) before 0.707 allows remote attackers to cause a denial of service (crash) via an empty private message, which triggers an out-of-bounds read.

Alerts:
Mandriva MDVSA-2008:236-1 2008-12-08
Mandriva MDVSA-2008:236 2008-12-03
Fedora FEDORA-2008-6018 2008-07-03
Fedora FEDORA-2008-6038 2008-07-03


mercurial: unauthorized access

Package(s):mercurial CVE #(s):CVE-2008-2942
Created:July 3, 2008 Updated:July 18, 2008
Description: From the National Vulnerability Database: Directory traversal vulnerability in patch.py in Mercurial 1.0.1 allows user-assisted attackers to modify arbitrary files via ".." (dot dot) sequences in a patch file.
Alerts:
SuSE SUSE-SR:2008:015 2008-07-18
Gentoo 200807-09 2008-07-15
rPath rPSA-2008-0211-1 2008-07-03


openldap: denial of service

Package(s):openldap CVE #(s):CVE-2008-2952
Created:July 3, 2008 Updated:October 17, 2008
Description: From the National Vulnerability Database: liblber/io.c in OpenLDAP 2.3.41, 2.3.42, and possibly other versions allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams, which triggers an assertion error.
Alerts:
SuSE SUSE-SR:2008:021 2008-10-17
Debian DSA-1650-1 2008-10-12
Gentoo 200808-09 2008-08-08
rPath rPSA-2008-0249-1 2008-08-11
Ubuntu USN-634-1 2008-08-01
Mandriva MDVSA-2008:144 2007-07-11
CentOS CESA-2008:0583 2008-07-09
Red Hat RHSA-2008:0583-01 2008-07-09
Fedora FEDORA-2008-6029 2008-07-03
Fedora FEDORA-2008-6062 2008-07-03


php: multiple vulnerabilities

Package(s):php CVE #(s):CVE-2007-1649 CVE-2008-2107 CVE-2008-2108 CVE-2008-2829
Created:July 4, 2008 Updated:June 1, 2009
Description: From the CVE entries:

PHP 5.2.1 allows context-dependent attackers to read portions of heap memory by executing certain scripts with a serialized data input string beginning with S:, which does not properly track the number of input bytes being processed. (CVE-2007-1649)

The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 32-bit systems, performs a multiplication using values that can produce a zero seed in rare circumstances, which allows context-dependent attackers to predict subsequent values of the rand and mt_rand functions and possibly bypass protection mechanisms that rely on an unknown initial seed. (CVE-2008-2107)

The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions. (CVE-2008-2108)

php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message. (CVE-2008-2829)

Alerts:
Fedora FEDORA-2009-3768 2009-04-21
Fedora FEDORA-2009-3848 2009-04-21
Debian DSA-1789-1 2009-05-04
rPath rPSA-2009-0035-1 2009-03-02
SuSE SUSE-SR:2008:027 2008-12-09
Slackware SSA:2008-339-01 2008-12-05
Gentoo 200811-05 2008-11-16
Ubuntu USN-628-1 2008-07-23
CentOS CESA-2008:0545 2008-07-16
CentOS CESA-2008:0544 2008-07-16
Red Hat RHSA-2008:0545-01 2008-07-16
Red Hat RHSA-2008:0546-01 2008-07-16
Red Hat RHSA-2008:0544-01 2008-07-16
Red Hat RHSA-2008:0582-01 2008-07-22
Mandriva MDVSA-2008:130 2008-07-03
Mandriva MDVSA-2008:129 2008-07-03
Mandriva MDVSA-2008:128 2008-07-03
Mandriva MDVSA-2008:127 2008-07-03
Mandriva MDVSA-2008:125 2008-07-03
Mandriva MDVSA-2008:126 2007-07-03


phpMyAdmin: cross-site scripting

Package(s):phpMyAdmin CVE #(s):CVE-2008-2960
Created:July 7, 2008 Updated:February 2, 2009
Description:

From the NVD Entry:

Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.11.7, when register_globals is enabled and .htaccess support is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving scripts in libraries/.

Alerts:
SuSE SUSE-SR:2009:003 2009-02-02
Mandriva MDVSA-2008:131 2008-07-04


pidgin: buffer overflow

Package(s):Pidgin CVE #(s):CVE-2008-2927
Created:July 9, 2008 Updated:December 7, 2009
Description: The MSN protocol handler in pidgin contains an integer overflow vulnerability.
Alerts:
Mandriva MDVSA-2009:321 2009-12-06
Debian DSA-1870-1 2009-08-19
Mandriva MDVSA-2009:173 2009-07-29
Mandriva MDVSA-2009:147 2009-06-30
Mandriva MDVSA-2009:140 2009-06-25
Mandriva MDVSA-2009:127 2009-06-03
Fedora FEDORA-2009-5597 2009-05-28
Fedora FEDORA-2009-5552 2009-05-28
Fedora FEDORA-2009-5583 2009-05-28
Gentoo 200905-07 2009-05-25
Debian DSA-1805-1 2009-05-22
CentOS CESA-2009:1060 2009-05-22
Red Hat RHSA-2009:1060-02 2009-05-22
Red Hat RHSA-2009:1059-02 2009-05-22
Gentoo 200901-13 2009-01-20
Ubuntu USN-675-2 2008-11-24
Ubuntu USN-675-1 2008-11-24
rPath rPSA-2008-0246-1 2008-08-05
Debian DSA-1610-1 2008-07-15
Mandriva MDVSA-2008:143 2008-07-10
CentOS CESA-2008:0584 2008-07-09
CentOS CESA-2008:0584 2008-07-09
Red Hat RHSA-2008:0584-01 2008-07-09


poppler: memory management bug

Package(s):poppler CVE #(s):CVE-2008-2950
Created:July 9, 2008 Updated:September 12, 2008
Description: Poppler (prior to version 0.6.3-r1) contains "a memory management issue" which can be exploited (via a specially crafted PDF file) to run arbitrary code.
Alerts:
Fedora FEDORA-2008-7012 2008-09-11
Fedora FEDORA-2008-7104 2008-08-07
Mandriva MDVSA-2008:146 2008-07-15
Gentoo 200807-04 2008-07-08
Ubuntu USN-631-1 2008-07-28
SuSE SUSE-SR:2008:015 2008-07-18
rPath rPSA-2008-0223-1 2008-07-09
Debian DSA-1606-1 2008-07-09


ruby: directory traversal vulnerability

Package(s):ruby CVE #(s):CVE-2008-1891
Created:July 3, 2008 Updated:October 10, 2008
Description: From the National Vulnerability Database: Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option.
Alerts:
SuSE SUSE-SR:2008:017 2008-08-29
Mandriva MDVSA-2008:140 2008-07-09
Mandriva MDVSA-2008:141 2007-07-09
Fedora FEDORA-2008-6094 2008-07-04
Fedora FEDORA-2008-6033 2008-07-03


ruby: integer overflow

Package(s):ruby CVE #(s):CVE-2008-2376
Created:July 3, 2008 Updated:December 17, 2008
Description: Ruby has an integer overflow vulnerability in the rb_ary_fill() function.
Alerts:
Gentoo 200812-17 2008-12-16
Ubuntu USN-651-1 2008-10-10
Debian DSA-1612-1 2008-07-21
Debian DSA-1618-1 2008-07-26
CentOS CESA-2008:0561 2008-07-14
Red Hat RHSA-2008:0561-01 2008-07-14
CentOS CESA-2008:0562 2008-07-15
Mandriva MDVSA-2008:142 2008-07-09
Mandriva MDVSA-2008:141 2007-07-09
Mandriva MDVSA-2008:140 2008-07-09
rPath rPSA-2008-0218-1 2008-07-08
Fedora FEDORA-2008-6094 2008-07-04
Fedora FEDORA-2008-6033 2008-07-03


sipp: buffer overflows

Package(s):sipp CVE #(s):CVE-2008-2085
Created:July 9, 2008 Updated:July 9, 2008
Description: The sipp tool suffers from multiple buffer overflows which enable denial of service attacks and possible remote code execution vulnerabilities.
Alerts:
Fedora FEDORA-2008-6219 2008-07-09
Fedora FEDORA-2008-6210 2008-07-09


squid: denial of service

Package(s):squid CVE #(s):CVE-2004-0918
Created:July 3, 2008 Updated:July 9, 2008
Description: From the National Vulnerability Database: The asn_parse_header function (asn1.c) in the SNMP module for Squid Web Proxy Cache before 2.4.STABLE7 allows remote attackers to cause a denial of service (server restart) via certain SNMP packets with negative length fields that causes a memory allocation error.
Alerts:
SuSE SUSE-SR:2008:014 2008-07-04
Fedora FEDORA-2008-6045 2008-07-03


vsftpd: denial of service

Package(s):vsftpd CVE #(s):CVE-2008-2375
Created:July 9, 2008 Updated:July 30, 2008
Description: Another denial of service vulnerability based on a memory leak has been found in vsftpd; this one is exploitable by way of invalid authentication attempts.
Alerts:
Red Hat RHSA-2008:0680-01 2008-07-24
Red Hat RHSA-2008:0579-01 2008-07-24
CentOS CESA-2008:0579 2008-07-25
rPath rPSA-2008-0217-1 2008-07-08


webkit: memory corruption

Package(s):WebKit CVE #(s):CVE-2008-2307
Created:July 9, 2008 Updated:November 24, 2008
Description: WebKit suffers from a memory corruption issue in its JavaScript array handling code, leading to denial of service problems and the potential for remote code execution.
Alerts:
Fedora FEDORA-2008-6186 2008-07-08
Fedora FEDORA-2008-6220 2008-07-09


Page editor: Jake Edge

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds