By Jake Edge
September 17, 2008
Theoretical security weaknesses have a tendency to move from the realm of theory to that of practice over time. Sometimes it is the result of more compute power being applied or better algorithms being developed, but a weakness is certainly not going to get harder to exploit as time goes on. So when Kevin Neff started discussing fixing a weakness in OpenSSH on the openbsd-misc mailing list, the folks writing it off as "theoretical" may have been jumping the gun.
When it is in interactive mode—a user typing into a terminal session for example—ssh sends each key pressed by the user in a separate packet. By observing the timing between packets, an observer may be able to determine something about what was typed just by using traffic analysis, without attempting to break the encryption. Researchers found that the inter-packet timing correlated well with the inter-keystroke timing, so that using statistical techniques they were able to reduce the search space for cracking a password by a factor of 50.
This weakness was outlined in a 2001 paper entitled "Timing analysis of keystrokes and timing attacks on SSH" [PDF], which looked specifically at the timing-based attack:
In this paper we study users' keyboard dynamics and show that the timing information of keystrokes does leak information about the key sequences typed. Through more detailed analysis we show that the timing information leaks about 1 bit of information about the content per keystroke pair. Because the entropy of passwords is only 4-8 bits per character, this 1 bit per keystroke pair information can reveal significant information about the content typed.
The paper looked at the now-deprecated SSH1 protocol, which led some to conclude that it substantially invalidated the weakness. Damien Miller pointed out that it was likely to still be valid:
There is no reason to believe that keystroke timing attacks will be impossible against protocol 2 where they work against protocol 1. They might just be a little more tricky.

Pointing at the paper and discounting it because it is ssh1 only is sticking your head in the sand. It is usually easier to research attacks on simpler protocols and work up to more complicated ones later.
There is a fair amount of information that can be gleaned just by looking at the traffic generated over an encrypted session, especially if the attacker can gather a sizable amount of it. There are fairly clear patterns in interactive sessions that can be extracted and used alongside the inter-keystroke timing information to potentially garner lots of useful information. Darrin Chandler describes it this way:
The reason why I think it's a weakness is that you can gather statistics on typing and use those to infer things. I.e., you can extract meaningful information from the encrypted session. If you're snooping on ssh and see a short burst of typing followed by another ssh session from the remote machine you can guess they typed 'ssh host.example.com' by the length of typing and the host connected to. Nice crib. Oh, after that connect was there another short burst? Probably the password. How many keystrokes can probably be inferred. Perhaps stats on interkey timing can be used to make some intelligent guesses, such as the 4th char is NOT punctuation because it followed char 3 too closely. Or whatever.
Overall, the reception to making OpenSSH less susceptible to this kind of analysis was positive. It is clearly a difficult attack to mount, logistically if nothing else, but it is not impossible either. Better timing information or analysis techniques might make it easier over time as well, and that is enough of a reason to look at ways to fix it.
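The following Python sketch is an added illustration, not code from the article, the list thread or OpenSSH itself. It shows why the one-packet-per-keystroke behaviour leaks the typing rhythm to a passive observer, and how a fixed-clock sender that pads with chaff packets (my own assumed mitigation, not one proposed on the list) removes that signal from the wire; the keystroke delays and the 50-500 ms "typing band" are constructed values for the demo.

```python
import math

# Constructed sample input: inter-keystroke delays in seconds for one short
# burst of typing, e.g. a command name. Values are invented for illustration.
KEYSTROKE_DELAYS = [0.12, 0.18, 0.09, 0.25, 0.14, 0.31, 0.11]

# Human typing rhythm the 2001 paper relies on: roughly 50 ms to 500 ms
# between consecutive keys. An observer labels gaps in this band as
# "keystroke-like". The bounds are an assumption for this demo.
TYPING_MIN, TYPING_MAX = 0.05, 0.50


def interactive_send_times(delays, start=0.0):
    """Unmitigated interactive ssh: one packet per key, sent as it is typed,
    so the wire carries the typing rhythm verbatim."""
    times, t = [start], start
    for d in delays:
        t += d
        times.append(t)
    return times


def wire_intervals(times):
    """What a passive observer can measure: gaps between successive packets."""
    return [round(b - a, 6) for a, b in zip(times, times[1:])]


def keystroke_like_fraction(intervals):
    """Share of inter-packet gaps inside the human typing band.
    Near 1.0 means the timing side channel is fully exposed."""
    hits = sum(1 for g in intervals if TYPING_MIN <= g <= TYPING_MAX)
    return hits / len(intervals) if intervals else 0.0


def clocked_send_times(times, tick=0.02, chaff_window=0.10):
    """Mitigation sketch (an assumption, not the list's proposal): release
    packets only on a fixed clock and keep emitting chaff for `chaff_window`
    seconds after the last real packet. Real and chaff packets are the same
    size and encrypted alike, so the observer sees a constant-rate stream."""
    start, end = min(times), max(times) + chaff_window
    ticks = int(math.ceil((end - start) / tick))
    return [round(start + k * tick, 6) for k in range(ticks + 1)]


if __name__ == "__main__":
    real = interactive_send_times(KEYSTROKE_DELAYS)
    raw, mitigated = wire_intervals(real), wire_intervals(clocked_send_times(real))
    print("raw gaps:", raw, "keystroke-like:", keystroke_like_fraction(raw))
    print("clocked gaps:", set(mitigated), "keystroke-like:", keystroke_like_fraction(mitigated))
```

The cost of the mitigation is visible in the output too: the clocked stream carries many more packets than keystrokes, which is the bandwidth trade-off any such fix has to accept.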
Brief items
We have received several reports of readers being unable to log in to LWN.net this morning. It appears to be related to upgrading the NoScript Firefox plugin to version 1.8.1. A new feature, called "Automatic Secure Cookie Management", appears to interact badly with LWN's login code. Some workarounds are described in the FAQ. We apologize for any inconvenience.

Update: Peter Palfrader reports that whitelisting lwn.net for "unsafe" https cookies in NoScript Options -> Advanced - HTTPS -> Cookies -> Enable Automatic Secure Cookies Management fixes the issue.
New vulnerabilities
apache2: cross-site scripting
| Package(s): | apache2 |
| CVE #(s): | CVE-2008-2939 |
| Created: | September 15, 2008 |
| Updated: | December 5, 2008 |
| Description: | From the Mandriva advisory: A cross-site scripting vulnerability was found in the mod_proxy_ftp module in Apache that allowed remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI (CVE-2008-2939). |
| Alerts: | |
ipa: remote password exposure
| Package(s): | ipa |
| CVE #(s): | CVE-2008-3274 |
| Created: | September 11, 2008 |
| Updated: | September 17, 2008 |
| Description: | From the Red Hat alert: A flaw was found in the Red Hat Enterprise IPA installation procedure. The master Kerberos password was set up in the LDAP server in such a way that it was possible to retrieve the password via an anonymous LDAP connection. |
| Alerts: | |
kernel: integer overflow
| Package(s): | kernel |
| CVE #(s): | CVE-2008-3276 |
| Created: | September 11, 2008 |
| Updated: | November 5, 2008 |
| Description: | From the SUSE alert: An integer overflow flaw was found in the Linux kernel dccp_setsockopt_change() function. An attacker may leverage this vulnerability to trigger a kernel panic on a victim's machine remotely. |
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | linux-2.6.24 |
| CVE #(s): | CVE-2008-3526, CVE-2008-3534, CVE-2008-3535, CVE-2008-3792, CVE-2008-3915 |
| Created: | September 12, 2008 |
| Updated: | November 3, 2008 |
| Description: | From the Debian advisory: CVE-2008-3526: Eugene Teo reported a missing bounds check in the SCTP subsystem. By exploiting an integer overflow in the SCTP_AUTH_KEY handling code, remote attackers may be able to cause a denial of service in the form of a kernel panic. CVE-2008-3534: Kel Modderman reported an issue in the tmpfs filesystem that allows local users to crash a system by triggering a kernel BUG() assertion. CVE-2008-3535: Alexey Dobriyan discovered an off-by-one error in the iov_iter_advance function which can be exploited by local users to crash a system, resulting in a denial of service. CVE-2008-3792: Vlad Yasevich reported several NULL pointer dereference conditions in the SCTP subsystem that can be triggered by entering sctp-auth codepaths when the AUTH feature is inactive. This may allow attackers to cause a denial of service condition via a system panic. CVE-2008-3915: Johann Dahm and David Richter reported an issue in the nfsd subsystem that may allow remote attackers to cause a denial of service via a buffer overflow. |
| Alerts: | |
kolab-server: password disclosure
| Package(s): | kolab-server |
| CVE #(s): | |
| Created: | September 15, 2008 |
| Updated: | September 17, 2008 |
| Description: | From the Mandriva advisory: Gavin McCullagh of Griffith College Dublin reported an issue in Kolab v1 where user passwords were being recorded in the Apache log files due to Kolab using HTTP GET requests rather than HTTP POST requests. This would allow any users with access to the Apache log files to harvest user passwords and possibly other sensitive data. |
| Alerts: | |
libxml2: denial of service
| Package(s): | libxml2 |
| CVE #(s): | CVE-2003-1564 |
| Created: | September 11, 2008 |
| Updated: | December 4, 2009 |
| Description: | From the Red Hat alert: A denial of service flaw was found in the way libxml2 processed certain content. If an application linked against libxml2 processed malformed XML content, it could cause the application to use an excessive amount of CPU time and memory, and stop responding. |
| Alerts: | |
libxml2: buffer overflow
| Package(s): | libxml2 |
| CVE #(s): | CVE-2008-3529 |
| Created: | September 11, 2008 |
| Updated: | August 11, 2009 |
| Description: | From the Red Hat alert: A heap-based buffer overflow flaw was found in the way libxml2 handled long XML entity names. If an application linked against libxml2 processed untrusted malformed XML content, it could cause the application to crash or, possibly, execute arbitrary code. |
| Alerts: | |
openssh: denial of service
| Package(s): | openssh |
| CVE #(s): | CVE-2008-4109 |
| Created: | September 17, 2008 |
| Updated: | October 7, 2008 |
| Description: | From the Debian advisory: It has been discovered that the signal handler implementing the login timeout in Debian's version of the OpenSSH server uses functions which are not async-signal-safe, leading to a denial of service vulnerability (CVE-2008-4109). The problem was originally corrected in OpenSSH 4.4p1 (CVE-2006-5051), but the patch backported to the version released with etch was incorrect. |
| Alerts: | |
pam_mount: arbitrary mounting of filesystems
| Package(s): | pam_mount |
| CVE #(s): | |
| Created: | September 12, 2008 |
| Updated: | September 17, 2008 |
| Description: | From the Fedora advisory: A security flaw in pam_mount's handling of user-defined volumes using the 'luserconf' option has been fixed in this update. The vulnerability allowed users to arbitrarily mount filesystems at arbitrary locations. |
| Alerts: | |
postfix: denial of service
| Package(s): | postfix |
| CVE #(s): | CVE-2008-3889 |
| Created: | September 11, 2008 |
| Updated: | November 4, 2008 |
| Description: | From the Mandriva alert: A vulnerability in Postfix 2.4 and later was discovered, when running on Linux kernel 2.6, where a local user could cause a denial of service due to Postfix leaking the epoll file descriptor when executing non-Postfix commands. |
| Alerts: | |
R-base: arbitrary file overwrite
| Package(s): | R-base |
| CVE #(s): | CVE-2008-3931 |
| Created: | September 17, 2008 |
| Updated: | September 23, 2008 |
| Description: | From the Mandriva advisory: A symlink vulnerability was found in the javareconf script in R that allows local users to overwrite arbitrary files (CVE-2008-3931). |
| Alerts: | |
redhat-ds-base: multiple vulnerabilities
| Package(s): | redhat-ds-base |
| CVE #(s): | CVE-2008-2930, CVE-2008-3283 |
| Created: | September 11, 2008 |
| Updated: | September 17, 2008 |
| Description: | From the Red Hat alert: Multiple memory leaks were identified in the Directory Server. An unauthenticated remote attacker could use these flaws to trigger high memory consumption in the Directory Server, possibly causing it to crash or terminate unexpectedly when the server ran out of available memory. (CVE-2008-3283) Ulf Weltman of Hewlett-Packard discovered a flaw in the way Directory Server handled LDAP search requests with patterns. A remote attacker with access to the LDAP service could create a search request that, when the search pattern was matched against specially crafted data records, caused Directory Server to use a large amount of CPU time. Directory Server did not impose time limits on such search requests. In this updated package, Directory Server imposes a configurable limit on the pattern-search query run time, with the default limit set to 30 seconds. (CVE-2008-2930) |
| Alerts: | |
rsh: directory traversal
| Package(s): | rsh |
| CVE #(s): | CVE-2004-0175 |
| Created: | September 12, 2008 |
| Updated: | September 17, 2008 |
| Description: | From the CVE entry: Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992. |
| Alerts: | |
ssmtp: memory contents disclosure
| Package(s): | ssmtp |
| CVE #(s): | CVE-2008-3962 |
| Created: | September 15, 2008 |
| Updated: | September 17, 2008 |
| Description: | From the Red Hat bugzilla: The from_format function in ssmtp.c in ssmtp 2.62, in certain configurations, uses uninitialized memory for the From: field of an e-mail message, which might allow remote attackers to obtain sensitive information (memory contents) in opportunistic circumstances by reading a message. |
| Alerts: | |
wireshark: multiple vulnerabilities
| Package(s): | wireshark |
| CVE #(s): | CVE-2008-3146, CVE-2008-3932, CVE-2008-3933, CVE-2008-3934 |
| Created: | September 12, 2008 |
| Updated: | January 12, 2009 |
| Description: | There are multiple buffer overflows in the NCP dissector, an infinite loop in the NCP dissector, a crash that could be triggered by zlib-compressed packet data, and also a crash via a crafted Tektronix .rf5 file. |
| Alerts: | |
wordnet: buffer overflows
| Package(s): | wordnet |
| CVE #(s): | CVE-2008-3908 |
| Created: | September 16, 2008 |
| Updated: | October 7, 2008 |
| Description: | From the CVE entry: Multiple buffer overflows in Princeton WordNet (wn) 3.0 allow context-dependent attackers to execute arbitrary code via (1) a long argument on the command line; a long (2) WNSEARCHDIR, (3) WNHOME, or (4) WNDBVERSION environment variable; or (5) a user-supplied dictionary (aka data file). NOTE: since WordNet itself does not run with special privileges, this issue only crosses privilege boundaries when WordNet is invoked as a third party component. |
| Alerts: | |
wordpress: SQL column truncation
| Package(s): | wordpress |
| CVE #(s): | |
| Created: | September 12, 2008 |
| Updated: | September 17, 2008 |
| Description: | WordPress 2.6.2 has been released to work around problems with SQL Column Truncation and the weakness of mt_rand(). See this advisory for more information. |
| Alerts: | |
Page editor: Jake Edge