By Jake Edge
October 8, 2008
We are increasingly seeing disclosures of security vulnerabilities that don't actually disclose much, except that the researcher has found something. Unfortunately, we have also seen lots of evidence that once the presence of a flaw is known, it doesn't take very long for folks to figure out what the vulnerability is. Of course, we don't have any data on how long it takes those with a malicious intent to find the flaws, but clearly the "white hats" find them quickly. So what or who, exactly, are those practicing "partial disclosure" protecting?
Partial disclosure is clearly a part of the "security circus" that Linus Torvalds recently castigated, as it serves to increase the notoriety of security researchers, without necessarily doing anything to help protect users. Several recent examples come to mind of researchers who have found real flaws, but for various reasons don't want to disclose the details. Instead they "tease" the world by talking around what they found, trying—and generally failing—to leave out enough information so that others can't immediately follow in their footsteps.
Dan Kaminsky's DNS flaw was an interesting example in that Kaminsky only disclosed the vulnerability to affected software vendors, allowing them multiple months to produce patches. He then wanted to give administrators time to apply the patches, so he delayed disclosing the flaw for another month or so. He also had an admittedly selfish reason for delaying disclosure: he wanted to announce it at the Black Hat security conference.
Because the fix that shipped was source port randomization, it didn't take other security researchers very long to work out what the vulnerability was. Attackers may have come up with it even more quickly, but because there were no details available, developers of other, smaller DNS servers—not privy to the initial disclosure—were unable to determine whether their code was vulnerable. It is commendable that Kaminsky worked with the vendors to fix the problem, but there were clearly holes in his disclosure methods.
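Since source port randomization was the fix, the practical question for an administrator was whether their own resolver's outbound query ports actually vary. The following Python script is an added example, not part of the LWN article: it scores a list of observed UDP source ports (constructed samples below, standing in for what one would collect from a packet capture of the resolver) and flags the fixed and sequential patterns of an unpatched resolver.

```python
# Added example (not from the LWN article): a defender-side check of whether a
# resolver's outbound DNS query source ports look randomized. Input is a list
# of UDP source ports observed on queries; the samples below are constructed.
import math
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID has always provided 16 bits of entropy

def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed source-port distribution.
    With a small sample this is bounded by log2(len(ports)), so treat it as a
    lower bound on the real entropy rather than an exact figure."""
    counts = Counter(ports)
    n = len(ports)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def is_sequential(ports):
    """True if every port is the previous one plus one (a classic unpatched pattern)."""
    return len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))

def assess_source_ports(ports):
    """Return a verdict: distinct ports, entropy estimate, effective guess space
    (TXID bits plus port bits) and whether the pattern looks unrandomized."""
    distinct = len(set(ports))
    bits = port_entropy_bits(ports)
    unrandomized = distinct == 1 or is_sequential(ports)
    return {
        "distinct_ports": distinct,
        "port_bits": round(bits, 2),
        "total_guess_bits": round(TXID_BITS + bits, 2),
        "looks_unrandomized": unrandomized,
    }

# Constructed samples: a resolver reusing one port, one using sequential
# ports, and a patched one drawing from the ephemeral range.
FIXED_PORTS = [53] * 20
SEQUENTIAL_PORTS = list(range(32768, 32788))
RANDOM_PORTS = [49157, 60231, 51444, 33120, 58899, 41002, 63415, 37777,
                55501, 44860, 62009, 35246, 47183, 59374, 38890, 52611,
                65011, 42345, 56780, 34452]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
                         ("random", RANDOM_PORTS)):
        print(name, assess_source_ports(sample))
```

A sample of a few hundred queries is needed before the entropy figure says much; the fixed and sequential checks are meaningful even on a handful.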
A worse case can be seen with the recent spate of reports about "clickjacking". It started with a report of a canceled talk at the OWASP AppSec conference. The name is clearly suggestive of where the vulnerability might be, and the description of the canceled talk gave enough information that others were able to duplicate it. This led one of the original researchers to release the vulnerability information.
So, in the interim, there was enough information floating around to find and exploit the flaws, and now the vulnerability info has been released, but there are no fixes available for many of them. It is hard to see what delaying the disclosure did for anyone—researchers or users—here. It did generate lots of press, though, partially because of the name, as Bruce Schneier pointed out pre-disclosure:
"Clickjacking" is a stunningly sexy name, but the vulnerability is really just a variant of cross-site scripting. We don't know how bad it really is, because the details are still being withheld. But the name alone is causing dread.
Yet another recent example is the denial of service reported for nearly any TCP device. Like clickjacking, it is being described in scary ways—which may well be justified:
Robert and I talk a lot, and I asked him if he'd be willing to DoS us, and he flatly said, "Unfortunately, it may affect other devices between here and there so it's not really a good idea." Got an idea of what we're talking about now? This appears not to be a single bug, but in fact at least five, and maybe as many as 30 different potential problems. They just haven't dug far enough into it to really know how bad it can get. The results range from complete shutdown of the vulnerable machine, to dropping legitimate traffic.
There may well be enough information in the description of what the researchers found—and, in particular, how they found it—for an enterprising attacker to find it for themselves. In the meantime, the rest of us are left in the dark. Security researchers are clearly under no obligation to disclose their research sensibly, but it would seem that either releasing all the details at once, or keeping them completely secret, would be better than these partial disclosures.
New vulnerabilities
condor: multiple vulnerabilities
Package(s): condor
CVE #(s): CVE-2008-3826, CVE-2008-3828, CVE-2008-3829, CVE-2008-3830
Created: October 8, 2008
Updated: October 10, 2008
Description: From the Red Hat advisory:

A flaw was found in the way Condor processed user submitted jobs. It was possible for a user to submit a job in a way that could cause that job to run as a different user with access to the pool. (CVE-2008-3826)

A stack based buffer overflow flaw was found in Condor's condor_schedd daemon. A user who had permissions to submit a job could do so in a manner that could cause condor_schedd to crash or, potentially, execute arbitrary code with the permissions of condor_schedd. (CVE-2008-3828)

A denial-of-service flaw was found in Condor's condor_schedd daemon. A user who had permissions to submit a job could do so in a manner that would cause condor_schedd to crash. (CVE-2008-3829)

A flaw was found in the way Condor processes allowed and denied netmasks for access control. If a configuration file contained an overlapping netmask in the allow or deny rules, it could cause that rule to be ignored, allowing unintended access. (CVE-2008-3830)
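The last Condor flaw above is a reminder that overlapping netmasks in an access-control list are worth catching before the software has to interpret them. As an added example (not from the advisory or from Condor itself), the following Python script lints a list of allow/deny netmask rules and reports every overlapping pair; the (action, CIDR) rule format and the sample rules are constructed for illustration and are not Condor's configuration syntax.

```python
# Added example (not from the advisory or Condor's code): a lint for allow/deny
# netmask lists that reports overlapping entries, the condition the advisory
# says could cause a rule to be silently ignored. The (action, cidr) rule
# format is an assumption for illustration, not Condor's syntax.
import ipaddress

def parse_rules(rules):
    """Turn (action, cidr) text pairs into (action, ip_network) pairs.
    strict=False accepts host bits set in the text (e.g. 10.1.2.3/24)."""
    parsed = []
    for action, cidr in rules:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        parsed.append((action, ipaddress.ip_network(cidr, strict=False)))
    return parsed

def find_overlaps(rules):
    """Return every pair of rules whose networks overlap, with the relationship.
    Same-action overlaps are reported as well as allow/deny ones, because the
    failure mode here is a rule being dropped, whatever its effect would be."""
    parsed = parse_rules(rules)
    findings = []
    for i in range(len(parsed)):
        for j in range(i + 1, len(parsed)):
            a_act, a_net = parsed[i]
            b_act, b_net = parsed[j]
            # IPv4 and IPv6 networks can never overlap; skip mixed pairs
            if a_net.version != b_net.version or not a_net.overlaps(b_net):
                continue
            if a_net == b_net:
                rel = "duplicate"
            elif b_net.subnet_of(a_net):
                rel = "contains"
            else:
                rel = "contained-by"
            findings.append((f"{a_act} {a_net}", rel, f"{b_act} {b_net}"))
    return findings

# Constructed rule list: the /8 allow contains the /24 deny, and the two
# /16 entries are the same network written twice with different actions.
RULES = [
    ("allow", "10.0.0.0/8"),
    ("deny", "10.20.30.0/24"),
    ("allow", "192.168.0.0/16"),
    ("deny", "192.168.0.0/16"),
    ("allow", "172.16.0.0/12"),
]

if __name__ == "__main__":
    for finding in find_overlaps(RULES):
        print(*finding)
```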
feta: insecure temp file handling
Package(s): feta
CVE #(s): CVE-2008-4440
Created: October 7, 2008
Updated: October 8, 2008
Description: From the Debian advisory:

Dmitry E. Oboukhov discovered that the "to-upgrade" plugin of Feta, a simpler interface to APT, dpkg, and other Debian package tools, creates temporary files insecurely, which may lead to local denial of service through symlink attacks.
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2008-4113, CVE-2008-4445
Created: October 8, 2008
Updated: November 3, 2008
Description: From the Red Hat advisory:

Missing boundary checks were reported in the Linux kernel SCTP implementation. This could, potentially, cause information disclosure via a specially crafted SCTP_HMAC_IDENT IOCTL request. (CVE-2008-4113, CVE-2008-4445)
lighttpd: multiple vulnerabilities
Package(s): lighttpd
CVE #(s): CVE-2008-4298, CVE-2008-4359, CVE-2008-4360
Created: October 6, 2008
Updated: January 12, 2010
Description: From the Debian advisory:

CVE-2008-4298: A memory leak in the http_request_parse function could be used by remote attackers to cause lighttpd to consume memory, and cause a denial of service attack.

CVE-2008-4359: Inconsistent handling of URL patterns could lead to the disclosure of resources a server administrator did not anticipate when using rewritten URLs.

CVE-2008-4360: Upon file systems which don't handle case-insensitive paths differently, it might be possible that unanticipated resources could be made available by mod_userdir.
mediawiki: HTML injection
Package(s): mediawiki
CVE #(s): CVE-2008-4408
Created: October 7, 2008
Updated: October 8, 2008
Description: MediaWiki has released versions 1.13.2 and 1.12.1 with security and bugfix updates.
mplayer: integer overflow
Package(s): mplayer
CVE #(s): CVE-2008-3827
Created: October 7, 2008
Updated: January 12, 2009
Description: From the Debian advisory:

Felipe Andres Manzano discovered that mplayer, a multimedia player, is vulnerable to several integer overflows in the Real video stream demuxing code. These flaws could allow an attacker to cause a denial of service (a crash) or potentially the execution of arbitrary code by supplying a maliciously crafted video file.
pam_krb5: privilege elevation
Package(s): pam_krb5
CVE #(s): CVE-2008-3825
Created: October 2, 2008
Updated: January 14, 2009
Description: From the Red Hat alert:

A flaw was found in the pam_krb5 "existing_ticket" configuration option. If a system is configured to use an existing credential cache via the "existing_ticket" option, it may be possible for a local user to gain elevated privileges by using a different, local user's credential cache. (CVE-2008-3825)
php5: several vulnerabilities
Package(s): php5
CVE #(s): CVE-2008-3658, CVE-2008-3659, CVE-2008-3660
Created: October 7, 2008
Updated: June 1, 2009
Description: From the Debian advisory:

Several vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-3658: Buffer overflow in the imageloadfont function allows a denial of service or code execution through a crafted font file.

CVE-2008-3659: Buffer overflow in the memnstr function allows a denial of service or code execution via a crafted delimiter parameter to the explode function.

CVE-2008-3660: Denial of service is possible in the FastCGI module by a remote attacker by making a request with multiple dots before the extension.
xen: multiple vulnerabilities
Package(s): xen
CVE #(s): CVE-2008-1945, CVE-2008-1952
Created: October 2, 2008
Updated: May 13, 2009
Description: From the Red Hat alert:

It was discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the frontend's framebuffer description properly. This could allow a privileged user in the unprivileged domain (DomU) to cause a denial of service, or, possibly, elevate privileges to the privileged domain (Dom0). (CVE-2008-1952)

A flaw was found in the QEMU block format auto-detection, when running fully-virtualized guests and using Qemu images written on removable media (USB storage, 3.5" disks). Privileged users of such fully-virtualized guests (DomU), with a raw-formatted disk image, were able to write a header to that disk image describing another format. This could allow such guests to read arbitrary files in their hypervisor's host (Dom0). (CVE-2008-1945)
Page editor: Jake Edge