Security
By Jake Edge November 19, 2008
A somewhat mysterious SSH vulnerability has been reported in a way that
unfortunately looks a bit like partial disclosure. In this case, though,
there is a workaround that is supposed to alleviate the problem, so there
are good reasons, as opposed to publicity-oriented reasons, to announce the
flaw. While it is difficult to exploit, it does expose up to 32 bits of
plaintext from within an SSH session, which is a rather worrisome failure
mode for an encrypted transport.
The flaw has only been confirmed in OpenSSH 4.7p1, but the announcement
indicates that it is likely to be much more widespread: "We expect
any RFC-compliant SSH implementation to be vulnerable
to some form of the attack." The flaw is in the design of the SSH protocol
itself and can allow an attacker who has "control over the network",
presumably the ability to monitor and inject traffic, to recover 32
plaintext bits with a very low probability (2^-18, roughly one chance in
262,000). The bits recovered come from an attacker-selected block of
ciphertext. The attack leads to the termination of the SSH connection, so
iterative attacks will be difficult or impossible.
It is hard to get too worked up about that kind of attack, even with many
of the details lacking, but typically these kinds of flaws can be expanded
in various ways. The announcement mentions variants that recover 14 bits
with a probability of 2^-14. It also carries the following
warning: "The success probabilities for
other implementations are unknown (but are potentially much higher)."
It is a security tautology that vulnerabilities only get bigger over time,
which we have seen in various contexts, notably in DNS cache poisoning
flaws over the years.
Another bit of information provided by the Centre for the Protection of
National Infrastructure (CPNI), the UK government agency that issued the
advisory, is that the attack analyzes "the behaviour of the SSH connection
when handling certain types of errors". The attack is also only applicable
to the default cipher-block chaining (CBC) mode, so switching to counter
(CTR) mode works around the flaw.
OpenSSH supports the use of AES in CTR mode, which is what the advisory
recommends using:
A switch to AES in counter
mode could most easily be enforced by limiting which encryption
algorithms are offered during the ciphersuite negotiation that takes
place as part of the SSH key exchange (see RFC 4253, Section 7.1).
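The negotiation rule the advisory points at (RFC 4253, Section 7.1) is what makes the workaround enforceable: the cipher used is the first entry in the client's name-list that also appears in the server's list, so a side that simply stops offering CBC names can never end up using one. The following is an added example, not code from OpenSSH or from the advisory. It implements that selection rule, reads the effective Ciphers directive from an sshd_config (OpenSSH uses the first directive it finds, and the built-in default list when there is none), and applies the advisory's workaround. The CBC-first name-list below is constructed to resemble the preference order of OpenSSH releases of that era; the exact default varies by version and is an assumption here.

```python
"""RFC 4253 section 7.1 cipher negotiation plus an sshd_config check for the
CBC-mode workaround.  Added example; not OpenSSH code."""

import re

# Constructed: resembles the CBC-first preference order of 2008-era OpenSSH.
# The real default list depends on the release; treat this as an assumption.
LEGACY_CBC_FIRST = [
    "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc",
    "arcfour128", "arcfour256", "arcfour",
    "aes192-cbc", "aes256-cbc", "rijndael-cbc@lysator.liu.se",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
]

# What the advisory says to offer instead: AES in counter mode only.
CTR_ONLY = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]


def negotiate_cipher(client_prefs, server_prefs):
    """RFC 4253 section 7.1: the chosen algorithm is the first one on the
    client's name-list that is also on the server's name-list.  None means
    no common algorithm, in which case the connection fails."""
    offered = set(server_prefs)
    for name in client_prefs:
        if name in offered:
            return name
    return None


def is_cbc(name):
    """True for any CBC-mode cipher name, including domain-suffixed names
    such as rijndael-cbc@lysator.liu.se."""
    return name.split("@", 1)[0].endswith("-cbc")


def cbc_ciphers(names):
    return [n for n in names if is_cbc(n)]


def effective_ciphers(config_text, defaults):
    """Return the Ciphers name-list sshd would use for this configuration.
    As in OpenSSH, the first Ciphers directive wins, comments and blank lines
    are ignored, and with no directive the built-in default list applies."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "ciphers":
            return [c for c in parts[1].split(",") if c]
    return list(defaults)


def harden(config_text):
    """Apply the workaround: drop any existing Ciphers directives and put one
    at the top that offers only AES-CTR, so no CBC cipher can be negotiated."""
    kept = [l for l in config_text.splitlines()
            if not re.match(r"\s*ciphers\b", l, re.IGNORECASE)]
    return "Ciphers " + ",".join(CTR_ONLY) + "\n" + "\n".join(kept) + "\n"


# Constructed sshd_config fragment with no Ciphers directive (the usual state).
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
Protocol 2
# Ciphers left unset: the built-in default list applies
PermitRootLogin no
"""

if __name__ == "__main__":
    before = effective_ciphers(SAMPLE_CONFIG, LEGACY_CBC_FIRST)
    after = effective_ciphers(harden(SAMPLE_CONFIG), LEGACY_CBC_FIRST)
    print("CBC offered before:", cbc_ciphers(before))
    print("negotiated before: ", negotiate_cipher(LEGACY_CBC_FIRST, before))
    print("negotiated after:  ", negotiate_cipher(LEGACY_CBC_FIRST, after))
    print("CBC-only client:   ", negotiate_cipher(["3des-cbc"], after))
```

Because the client's preference order decides among the server's offerings, restricting only the client's Ciphers line protects that client's sessions but leaves the server offering CBC to every other client; the directive has to be set on the server side too, and a client that can offer nothing but CBC will then simply fail to connect, which is the intended outcome.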
There is quite a bit of information in the advisory that might lead a
determined attacker in the "right" direction. It might also provide enough
for someone to come up with attacks that are more probable and/or reveal
more plaintext. So far, the Internet Storm Center is reporting that they
have not seen any evidence that the flaw is being exploited in the wild.
OpenSSH has not, as yet, addressed the issue, at least on its security page. In
its current form, there is probably very little to worry about from this
flaw, but very security-conscious SSH users will want to apply the workaround.
Comments (12 posted)
New vulnerabilities
clamav: arbitrary code execution
Package(s): clamav
CVE #(s): CVE-2008-5050
Created: November 17, 2008
Updated: December 24, 2008
Description: From the Mandriva advisory:
An off-by-one error was found in ClamAV versions prior to 0.94.1 that
could allow remote attackers to cause a denial of service or possibly
execute arbitrary code via a crafted VBA project file (CVE-2008-5050).
Comments (none posted)
cobbler: arbitrary code execution
Package(s): cobbler
CVE #(s): (none assigned)
Created: November 19, 2008
Updated: November 24, 2008
Description: From the Fedora advisory:
Fixes a security vulnerability where a CobblerWeb user (if so configured) can
import a Python module via a web-edited Cheetah template and run commands as
root.
Comments (none posted)
firefox: policy bypass
Package(s): Mozilla, firefox, seamonkey
CVE #(s): CVE-2008-4582
Created: November 14, 2008
Updated: January 8, 2009
Description: From the CVE entry: Mozilla Firefox 3.0.1 through 3.0.3 on Windows does not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.
Comments (4 posted)
firefox: arbitrary code execution
Package(s): firefox
CVE #(s): CVE-2008-5015
Created: November 13, 2008
Updated: November 26, 2008
Description: Firefox has an arbitrary code execution vulnerability.
From the Red Hat alert:
A flaw was found in the way Firefox opened "file:" URIs. If a file: URI was
loaded in the same tab as a chrome or privileged "about:" page, the file:
URI could execute arbitrary code with the permissions of the user running
Firefox.
Comments (none posted)
geda-gnetlist: insecure tmp file usage
Package(s): geda-gnetlist
CVE #(s): CVE-2008-5148
Created: November 19, 2008
Updated: March 9, 2009
Description: From the Red Hat bugzilla:
sch2eaglepos.sh in geda-gnetlist 1.4.0 allows local users to overwrite
arbitrary files via a symlink attack on a /tmp/##### temporary file.
Comments (none posted)
htop: process name sanitizing
Package(s): htop
CVE #(s): CVE-2008-5076
Created: November 19, 2008
Updated: November 25, 2008
Description: From the Red Hat bugzilla:
htop 0.7 writes process names to a terminal without sanitizing
non-printable characters, which might allow local users to hide processes,
modify arbitrary files, or have unspecified other impact via a process name
with "crazy control strings."
Comments (none posted)
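Process names come from a process's own argv, which any local user can set to anything, so a listing tool has to treat them as untrusted input for the terminal. The following added example (constructed process name, not htop's code) shows a name that carries cursor-movement and line-clearing sequences, a check that detects such names, and the sanitizer a listing tool should apply before writing a name to the screen.

```python
"""Sanitizing process names before they are written to a terminal.
Added example with a constructed process name; not htop's own code."""

# Constructed: a process name carrying terminal control sequences.  ESC[2K
# clears the current line and ESC[1A moves the cursor up one row, so a tool
# that writes this name raw redraws it over the previous entry and hides a
# process from the display; the trailing BEL is just noise.
TRICKY_NAME = "python\x1b[2K\x1b[1A/usr/bin/sshd\x07"


def has_control_chars(name):
    """True if the name contains anything a terminal may interpret rather
    than print: C0/C1 controls, ESC, DEL, format and other non-printables."""
    return any(not ch.isprintable() for ch in name)


def sanitize_name(name, width=40):
    """Replace every non-printable character with '?' and clip to the column
    width, so the string can only ever occupy its own cell on screen."""
    cleaned = "".join(ch if ch.isprintable() else "?" for ch in name)
    return cleaned[:width]


def render_rows(names, sanitize=True):
    """Render one line per process, as a listing tool would.  With
    sanitize=False the raw name, control sequences included, is emitted."""
    lines = []
    for pid, name in enumerate(names, start=1000):  # pids are constructed
        shown = sanitize_name(name) if sanitize else name
        lines.append(f"{pid:>6}  {shown}")
    return "\n".join(lines)


if __name__ == "__main__":
    names = ["/usr/sbin/sshd", TRICKY_NAME, "bash"]
    flagged = [n for n in names if has_control_chars(n)]
    print("names with control characters:", [repr(n) for n in flagged])
    print(render_rows(names))
    # render_rows(names, sanitize=False) would rewrite the screen instead.
```

The same check is a cheap hunting heuristic: a process whose name contains escape sequences has been named that way on purpose, and is worth a second look regardless of which tool would have rendered it.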
initscripts: denial of service
Package(s): initscripts
CVE #(s): CVE-2008-4832
Created: November 13, 2008
Updated: November 19, 2008
Description: initscripts has a denial of service vulnerability.
From the rPath alert:
Previous versions of the initscripts package are vulnerable to a Denial
of Service attack in which a local user may cause arbitrary files to
be deleted at next boot time by creating symlinks under various /var
subdirectories.
Comments (none posted)
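The geda-gnetlist and initscripts entries above are the same bug class seen from two sides: a privileged or victim process operates on a name in a directory a local user can write to, and a symlink planted at that name redirects the write (geda-gnetlist) or the deletion (initscripts) to a file of the attacker's choosing. The following added example (constructed paths in a scratch directory, not code from either project) shows both attacks against naive code and the two fixes: create temporary files with O_CREAT|O_EXCL|O_NOFOLLOW, and remove entries with unlink(), which never follows a link.

```python
"""Symlink attacks on predictable file names, and the safe variants.
Added example using constructed paths; not geda-gnetlist or initscripts code."""

import os
import tempfile


def naive_write(path, data):
    """What 'echo ... > /tmp/$$' effectively does: open() follows a symlink
    planted at that name and writes to whatever it points at."""
    with open(path, "w") as f:
        f.write(data)


def safe_write(path, data):
    """Create with O_CREAT|O_EXCL|O_NOFOLLOW: creation fails with EEXIST if
    anything, a regular file or a planted symlink, is already at that name."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def naive_cleanup(dirpath):
    """A boot-time cleanup that resolves each entry before deleting it (the
    shell equivalent is rm on $(readlink -f ...) or find -L): a symlink planted
    by a local user turns this into 'delete any file on the system'."""
    for name in os.listdir(dirpath):
        os.remove(os.path.realpath(os.path.join(dirpath, name)))


def safe_cleanup(dirpath):
    """Remove entries without following links: unlink() on a symlink removes
    only the link itself, so a planted link cannot redirect the deletion."""
    for name in os.listdir(dirpath):
        os.unlink(os.path.join(dirpath, name))


def demo():
    """Run both attacks in a scratch directory and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.txt")
        with open(victim, "w") as f:
            f.write("important data\n")

        # 1. Predictable temp name: the attacker plants a link before the
        #    script runs.  "12345" stands in for a name like /tmp/$$.
        tmpdir = os.path.join(scratch, "tmp")
        os.mkdir(tmpdir)
        predictable = os.path.join(tmpdir, "12345")
        os.symlink(victim, predictable)

        naive_write(predictable, "garbage\n")
        with open(victim) as f:
            results["naive_overwrote_victim"] = (f.read() == "garbage\n")
        try:
            safe_write(predictable, "garbage\n")
            results["safe_refused"] = False
        except FileExistsError:
            results["safe_refused"] = True

        # 2. Cleanup of a /var-style directory that local users can write to.
        with open(victim, "w") as f:
            f.write("important data\n")
        vardir = os.path.join(scratch, "var_run")
        os.mkdir(vardir)
        os.symlink(victim, os.path.join(vardir, "stale.pid"))
        naive_cleanup(vardir)
        results["naive_cleanup_deleted_victim"] = not os.path.exists(victim)

        # The dangling link is still there; restore the victim and retry safely.
        with open(victim, "w") as f:
            f.write("important data\n")
        safe_cleanup(vardir)
        results["safe_cleanup_kept_victim"] = os.path.exists(victim)
        results["safe_cleanup_removed_link"] = not os.path.lexists(
            os.path.join(vardir, "stale.pid"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

O_EXCL closes the race only when the name is also unpredictable, so in practice the temporary file should come from mktemp(1) or tempfile.mkstemp(), which does exactly this open under a random name; for cleanup code, the rule is to operate on directory entries as entries (lstat, unlink, rmdir) and never on what they resolve to.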
libcdaudio: heap overflow
Package(s): libcdaudio
CVE #(s): CVE-2008-5030
Created: November 13, 2008
Updated: December 7, 2009
Description: libcdaudio has an arbitrary code execution vulnerability. From the
Debian alert:
It was discovered that a heap overflow in the CDDB retrieval code of
libcdaudio, a library for controlling a CD-ROM when playing audio CDs,
may result in the execution of arbitrary code.
Comments (none posted)
libxml2: multiple vulnerabilities
Package(s): libxml2
CVE #(s): CVE-2008-4225, CVE-2008-4226
Created: November 17, 2008
Updated: August 12, 2009
Description: From the Red Hat advisory:
An integer overflow flaw causing a heap-based buffer overflow was found in
the libxml2 XML parser. If an application linked against libxml2 processed
untrusted, malformed XML content, it could cause the application to crash
or, possibly, execute arbitrary code. (CVE-2008-4226)
A denial of service flaw was discovered in the libxml2 XML parser. If an
application linked against libxml2 processed untrusted, malformed XML
content, it could cause the application to enter an infinite loop.
(CVE-2008-4225)
Comments (none posted)
mysql: denial of service
Package(s): mysql-dfsg-5.0
CVE #(s): CVE-2008-3963
Created: November 18, 2008
Updated: March 8, 2010
Description: From the Ubuntu advisory: It was discovered that MySQL did not handle empty bit-string literals properly. An attacker could exploit this problem and cause the MySQL server to crash, leading to a denial of service.
Comments (none posted)
optipng: buffer overflow
Package(s): optipng
CVE #(s): (none assigned)
Created: November 13, 2008
Updated: December 2, 2008
Description: OptiPNG has a buffer overflow vulnerability. From the Fedora alert:
A buffer overflow flaw has been found in the OptiPNG PNG image optimizer.
This flaw is caused by a boundary error in the BMP image reader,
responsible for handling BMP images. A local unprivileged user could
use this flaw to execute arbitrary code by providing a specially crafted
BMP image file to the optimizer.
Comments (none posted)
php: safe_mode bypass
Package(s): php
CVE #(s): CVE-2008-2665, CVE-2008-2666
Created: November 17, 2008
Updated: March 3, 2009
Description: From the Gentoo advisory:
Maksymilian Arciemowicz of SecurityReason Research reported that a
design error in PHP's stream wrappers allows circumvention of safe_mode
checks in several filesystem-related PHP functions (CVE-2008-2665,
CVE-2008-2666).
Comments (none posted)
quassel: issue with CTCP handling
Package(s): quassel
CVE #(s): (none assigned)
Created: November 14, 2008
Updated: November 19, 2008
Description: From this Quassel blog entry:
Well, looks like 0.3.0.2 was not the last 0.3.0 release after all. coekie
found an issue with CTCP handling in Quassel Core that allows attackers to
send arbitrary IRC messages on your behalf. This issue is present in all
versions prior to 0.3.0.3 and Git older than October 26th (rev. d7a0381).
This has been fixed in the quassel-0.3.0.3 release and also in Git and the
nightly builds.
Comments (none posted)
seamonkey: multiple vulnerabilities
Package(s): seamonkey, firefox, thunderbird
CVE #(s): CVE-2008-0017, CVE-2008-5012, CVE-2008-5013, CVE-2008-5014,
CVE-2008-5016, CVE-2008-5017, CVE-2008-5018, CVE-2008-5019, CVE-2008-5021,
CVE-2008-5022, CVE-2008-5023, CVE-2008-5024
Created: November 13, 2008
Updated: January 8, 2009
Description: Seamonkey has multiple vulnerabilities.
From the Red Hat alert:
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause SeaMonkey to crash or,
potentially, execute arbitrary code as the user running SeaMonkey.
(CVE-2008-0017, CVE-2008-5013, CVE-2008-5014, CVE-2008-5016,
CVE-2008-5017, CVE-2008-5018, CVE-2008-5019, CVE-2008-5021)
Several flaws were found in the way malformed content was processed. A web
site containing specially-crafted content could potentially trick a
SeaMonkey user into surrendering sensitive information. (CVE-2008-5012,
CVE-2008-5022, CVE-2008-5023, CVE-2008-5024)
Comments (none posted)
vm-builder: privilege escalation
Package(s): vm-builder
CVE #(s): (none assigned)
Created: November 14, 2008
Updated: November 19, 2008
Description: From the Ubuntu advisory: Mathias Gug discovered that vm-builder improperly
set the root password when creating virtual machines. An attacker could
exploit this to gain root privileges to the virtual machine by using a
predictable password.
This vulnerability only affects virtual machines created with
vm-builder under Ubuntu 8.10, and does not affect native Ubuntu
installations.
Comments (none posted)
Page editor: Jake Edge