By Jake Edge
December 3, 2008
Ensuring that a Linux system is only running "approved" programs—ones
that haven't been maliciously replaced—is one of the goals of the integrity patches currently
being proposed for the Linux mainline. With some hardware assistance, in
the form of a Trusted
Platform Module (TPM) chip, systems will be able to
protect against unauthorized binaries as well as attest to other systems
that they are only running good code. These patches have been around for a
number of years in various forms, but it would seem they are getting close
to being merged. Perhaps more interestingly, we are starting to see them
be used by various projects.
Over on the kernel page, we have looked at the integrity patches several
times, most recently in March
2007. The core idea is to complement mandatory access control (MAC)
systems, such as SELinux, by preventing attacks that are made when that
system isn't running—the machine has been booted with a different
kernel for example. It is generally considered a security truism that
physical access to a device moots any security measures. A properly
outfitted TPM-based system does not make physical attacks impossible, but it
does change the picture: secrets can be sealed to the measured boot state, so
a machine booted with a different kernel can neither unseal them nor pass
attestation, and the substitution is noticed rather than silently succeeding.
Conceptually, there are two parts to the integrity feature. One is the
extended verification module (EVM), which associates each file with a hash
calculated over its contents and protects that hash, together with the file's
security-relevant metadata (owner, mode and security labels), with a keyed
HMAC stored alongside the file. The HMAC key is held by the kernel and can be
sealed to the TPM so that it is only released to a kernel that booted in the
expected state; an offline edit of either the contents or the metadata then no
longer matches the stored value and is noticed.
The other half is the integrity measurement architecture (IMA), which hooks
execve() and executable mmap(). Before such a file runs, IMA hashes it,
appends the result to an in-kernel measurement list, and extends a TPM
platform configuration register (PCR) with that hash. A PCR can only be
extended, never set, so the TPM can later sign (quote) its value and a remote
party can replay the measurement list to check that it has not been trimmed
or altered. EVM thus provides the protection against tampering with binaries,
while IMA provides a signed attestation of which executables have been run.
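The split described above, as an added worked model (this is a constructed illustration, not code from the kernel patches): the EVM half is an HMAC over a file's content hash and protected metadata, and the IMA half is an append-only measurement list folded into a PCR with the TPM extend operation, which a verifier replays against the quoted PCR value. It assumes SHA-1 digests and PCR 10 as IMA used at the time, a hard-coded key standing in for one the TPM would seal, and made-up file contents and SELinux labels.

```python
# Added model of EVM (HMAC over hash + metadata) and IMA (measurement list
# extended into a PCR); constructed example, not the kernel's code.
# Assumptions: SHA-1 digests, PCR 10, and EVM_KEY standing in for a TPM-sealed key.
import hashlib
import hmac
from typing import Dict, List, NamedTuple, Tuple

EVM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # assumed key
IMA_PCR_INDEX = 10      # IMA's default PCR at the time (informational here)
ZERO_PCR = bytes(20)    # a SHA-1 sized PCR starts out all zeros


class FileRecord(NamedTuple):
    path: str
    content: bytes
    mode: int
    uid: int
    gid: int
    label: str          # stands in for the file's security.selinux xattr


def content_hash(content: bytes) -> bytes:
    return hashlib.sha1(content).digest()


def evm_hmac(rec: FileRecord, key: bytes = EVM_KEY) -> bytes:
    """EVM-style value: HMAC over the content hash plus protected metadata,
    so editing either the bytes or the mode/owner/label invalidates it."""
    meta = f"{rec.mode:o}:{rec.uid}:{rec.gid}:{rec.label}".encode()
    return hmac.new(key, content_hash(rec.content) + meta, hashlib.sha1).digest()


def evm_verify(rec: FileRecord, stored: bytes, key: bytes = EVM_KEY) -> bool:
    return hmac.compare_digest(evm_hmac(rec, key), stored)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA1(old PCR || measurement).  Nothing can
    set a PCR directly, which is what makes the log replayable."""
    return hashlib.sha1(pcr + measurement).digest()


class Measurer:
    """Models IMA: each file is hashed before it is executed or mapped
    executable, appended to the measurement list and folded into the PCR."""

    def __init__(self) -> None:
        self.log: List[Tuple[str, bytes]] = []
        self.pcr = ZERO_PCR

    def measure(self, path: str, content: bytes) -> bytes:
        digest = content_hash(content)
        self.log.append((path, digest))
        self.pcr = pcr_extend(self.pcr, digest)
        return digest

    def quote(self) -> bytes:
        """Stands in for TPM_Quote: the real TPM signs this value with a key
        the verifier trusts; here the value itself is handed over."""
        return self.pcr


def replay_log(log: List[Tuple[str, bytes]]) -> bytes:
    """Verifier side: recompute the PCR from the shipped measurement list."""
    pcr = ZERO_PCR
    for _path, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def attest(log: List[Tuple[str, bytes]], quoted_pcr: bytes,
           known_good: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Returns (log matches the quoted PCR, paths whose hash is not on the
    verifier's list of approved binaries)."""
    intact = hmac.compare_digest(replay_log(log), quoted_pcr)
    unknown = [p for p, d in log if known_good.get(p) != d]
    return intact, unknown


if __name__ == "__main__":
    ls = FileRecord("/bin/ls", b"\x7fELF ls", 0o755, 0, 0, "system_u:object_r:bin_t:s0")
    stored = evm_hmac(ls)
    print("EVM ok:", evm_verify(ls, stored))
    print("EVM after setuid flip:", evm_verify(ls._replace(mode=0o4755), stored))
    m = Measurer()
    good = {"/sbin/init": m.measure("/sbin/init", b"\x7fELF init"),
            "/bin/ls": m.measure("/bin/ls", ls.content)}
    print("honest log:", attest(m.log, m.quote(), good))
    doctored = [("/sbin/init", content_hash(b"rootkit")), m.log[1]]
    print("doctored log:", attest(doctored, m.quote(), good))
```

The doctored-log case is the point of the PCR: an attacker who replaces a binary after it was measured can edit the in-memory list, but cannot make the edited list replay to the value the TPM holds, and an attacker who replaces it beforehand simply measures as an unknown hash.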
Previous incarnations of EVM and IMA used the Linux Security Modules (LSM)
interface, but that has a very unfortunate side effect: inability to also
run SELinux. LSM code has no way to stack or cooperate, so there can only
be one module active at a time. Since integrity and MAC are intended to
work together, this was seen as a rather serious impediment, so the most
recent versions add in hooks for Linux Integrity Modules (LIM). IMA is
then added as a LIM integrity provider rather than as an LSM.
In response to an Andrew Morton query about the need for LIM/IMA (EVM has
been incorporated into IMA over time), David Safford listed several users of the code:
LIM/IMA's maintenance of a TPM hardware anchored file measurement
list is fundamental to the Trusted Computing Group's standards
efforts. Several projects have implemented the TNC (Trusted Network
Connect) and PTS (Platform Trust Services) standards (see below).
There are three demo packaged distros which have integrated these
apps, two of which are government funded (EU and US), with definite
customer interest. We are working with the RHEL team to provide
a supported, patched kernel for HAP. All of these so far have used
the old LSM based IMA, and have asked for a supported, upstreamed
implementation, with the ability to work with SELinux.
While that looks a bit like alphabet soup, there is a lot of useful
information there (and in his links further down in the post linked
above). The biggest news is the three distributions that are implementing
"Trusted Computing".
The High
Assurance Platform (HAP) program is funded by the US National Security
Agency (NSA), the folks who brought us SELinux, while the Open Trusted Computing project is funded
by the European Commission.
While the security that can be provided by a Trusted Computing platform is
useful for some installations, there are some potential pitfalls as well.
Systems with TPM hardware can be configured to only run binaries that are
signed by some external authority. If manufacturers were to enable that
functionality, but only provide the key to "trusted" software companies,
it would lead to a horrendous loss of freedom. This is why some have
called it "Treacherous Computing".
There are numerous examples of systems that do not necessarily preserve
physical security, but that one might want to ensure were running the
proper code—voting and cash machines come quickly to mind. For those
situations, as well as countless others, Trusted Computing will be a real
boon. We just need to be vigilant so that hardware vendors (or, worse yet,
governments) don't start restricting what we can run on our own machines.
Comments (9 posted)
New vulnerabilities
clamav: stack overflow
Package(s): clamav
CVE #(s): (none listed)
Created: December 3, 2008
Updated: December 3, 2008
Description: From the ClamAV bugzilla entry:
There is a recursive stack overflow in clamav 0.93.3 and 0.94 (and probably
older versions) in the jpeg parsing code.
It scans the jpeg file, and if there is a thumbnail, it'll scan that too. The
thumbnail itself is just another jpeg file and the same jpeg scanning function
gets called without checking any kind of recursion limit. This can easily
lead to a recursive stack overflow.
Comments (none posted)
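The parser shape the ClamAV report describes, as an added illustration (constructed example, not ClamAV's code): a container whose embedded "thumbnail" is itself a complete document, scanned by the same routine. It uses a made-up record format (1-byte tag, 2-byte big-endian length, payload; tag 0x01 is data, tag 0x02 is a nested document) rather than JPEG, and Python rather than C, so the unbounded scanner raises RecursionError where the C scanner would overrun its stack. MAX_DEPTH is an assumed bound.

```python
# Added illustration of unbounded recursion in a nested-format scanner and
# the depth-limited fix; constructed toy format, not ClamAV's JPEG code.
import struct

TAG_DATA = 0x01
TAG_THUMB = 0x02
MAX_DEPTH = 8                 # assumption: no legitimate file nests deeper
HDR = struct.Struct(">BH")    # tag, payload length


def build_nested(levels: int) -> bytes:
    """Constructed input: `levels` thumbnails wrapped around one data chunk."""
    doc = HDR.pack(TAG_DATA, 4) + b"pix!"
    for _ in range(levels):
        doc = HDR.pack(TAG_THUMB, len(doc)) + doc
    return doc


def _records(buf: bytes):
    """Yield (tag, payload) pairs, refusing truncated records."""
    off = 0
    while off < len(buf):
        if off + HDR.size > len(buf):
            raise ValueError("truncated header")
        tag, length = HDR.unpack_from(buf, off)
        off += HDR.size
        payload = buf[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated payload")
        off += length
        yield tag, payload


def scan_unbounded(buf: bytes) -> int:
    """The reported shape: recurse into every thumbnail with no limit.
    Returns the number of data chunks seen."""
    chunks = 0
    for tag, payload in _records(buf):
        if tag == TAG_THUMB:
            chunks += scan_unbounded(payload)       # no depth check
        elif tag == TAG_DATA:
            chunks += 1
        else:
            raise ValueError(f"unknown tag {tag:#x}")
    return chunks


def scan_bounded(buf: bytes, depth: int = 0) -> int:
    """The fix: carry the depth through the recursion and stop at MAX_DEPTH."""
    if depth > MAX_DEPTH:
        raise ValueError(f"nesting deeper than {MAX_DEPTH}")
    chunks = 0
    for tag, payload in _records(buf):
        if tag == TAG_THUMB:
            chunks += scan_bounded(payload, depth + 1)
        elif tag == TAG_DATA:
            chunks += 1
        else:
            raise ValueError(f"unknown tag {tag:#x}")
    return chunks


def outcome(scanner, buf: bytes) -> str:
    """Classify what a scanner does with an input."""
    try:
        return f"ok:{scanner(buf)}"
    except RecursionError:
        return "stack exhausted"
    except ValueError as exc:
        return f"rejected:{exc}"


if __name__ == "__main__":
    for levels in (3, 5000):
        doc = build_nested(levels)
        print(levels, "levels:", outcome(scan_unbounded, doc), "/",
              outcome(scan_bounded, doc))
```

The depth counter is the whole fix; the file that defeats the unbounded scanner is only a few kilobytes, because each level of nesting costs three bytes of header but a full stack frame of the scanner.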
cupsys: arbitrary code execution
Package(s): cupsys
CVE #(s): CVE-2008-5286
Created: December 3, 2008
Updated: January 26, 2009
Description: From the Debian advisory:
An integer overflow has been discovered in the image validation code
of cupsys, the Common UNIX Printing System. An attacker could trigger
this bug by supplying a malicious graphic that could lead to the
execution of arbitrary code.
Comments (none posted)
flamethrower: temporary file vulnerability
Package(s): flamethrower
CVE #(s): CVE-2008-5141
Created: December 2, 2008
Updated: December 3, 2008
Description: Flamethrower suffers from a temporary file vulnerability which
can be exploited to create a denial of service situation.
Comments (none posted)
jailer: denial of service via symlink
Package(s): jailer
CVE #(s): CVE-2008-5139
Created: December 1, 2008
Updated: December 3, 2008
Description: From the Debian advisory:
Javier Fernandez-Sanguino Pena discovered that updatejail, a component
of the chroot maintenance tool Jailer, creates a predictable temporary
file name, which may lead to local denial of service through a symlink
attack.
Comments (none posted)
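The vulnerability class behind both the flamethrower and the jailer entries, as an added demonstration (constructed example, not code from either package): a predictable temporary file name that a local attacker pre-creates as a symlink, beside the two usual fixes. Everything runs inside a throwaway directory; the name "jail.lock" and the victim file are made up.

```python
# Added demonstration of a predictable-temp-file symlink attack and its
# fixes (O_EXCL|O_NOFOLLOW, or mkstemp); constructed, not the packages' code.
import errno
import os
import tempfile


def read(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def attacker_plants_symlink(predictable: str, victim: str) -> None:
    """The attacker only needs to guess the name and get there first."""
    os.symlink(victim, predictable)


def vulnerable_write(predictable: str, data: bytes) -> None:
    """The pattern in the advisories: a fixed name opened for writing with
    O_CREAT but without O_EXCL, so an existing symlink is followed and the
    file it points at is truncated and overwritten."""
    with open(predictable, "wb") as fh:
        fh.write(data)


def safe_write_fixed_name(predictable: str, data: bytes) -> bool:
    """When the name really must be fixed: O_EXCL makes open() fail if the
    path already exists, symlink or not, and O_NOFOLLOW refuses to follow a
    link; returns False instead of writing when something is in the way."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(predictable, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def safe_write_random_name(directory: str, data: bytes) -> str:
    """The preferred fix: mkstemp picks an unguessable name and creates it
    atomically with O_CREAT|O_EXCL and mode 0600, so there is nothing for
    the attacker to pre-create."""
    fd, path = tempfile.mkstemp(prefix="jail.", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def run_scenario() -> dict:
    """Plays the race under each strategy and reports what happened to the
    victim file.  Constructed scenario; all paths live under a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")
        with open(victim, "wb") as fh:
            fh.write(b"original\n")
        predictable = os.path.join(d, "jail.lock")   # stands in for /tmp/<fixed>
        attacker_plants_symlink(predictable, victim)

        vulnerable_write(predictable, b"clobbered\n")
        results["vulnerable_clobbered"] = read(victim) == b"clobbered\n"

        with open(victim, "wb") as fh:                 # restore; link stays
            fh.write(b"original\n")
        results["excl_refused"] = not safe_write_fixed_name(predictable, b"x\n")
        results["excl_victim_intact"] = read(victim) == b"original\n"
        results["excl_fresh_ok"] = safe_write_fixed_name(
            os.path.join(d, "fresh.lock"), b"y\n")

        path = safe_write_random_name(d, b"private\n")
        results["mkstemp_mode_0600"] = (os.stat(path).st_mode & 0o777) == 0o600
        results["mkstemp_not_symlink"] = not os.path.islink(path)
        results["mkstemp_contents"] = read(path) == b"private\n"
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

Note that the fixed-name variant still has to cope with an attacker-owned file sitting at the path forever (a denial of service, which is exactly what the two advisories rate these bugs as); mkstemp removes that possibility as well.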
kernel: denial of service
Package(s): linux, linux-source-2.6.15/22
CVE #(s): CVE-2007-5498
Created: November 27, 2008
Updated: December 3, 2008
Description: The kernel has a denial of service vulnerability. From the
vulnerability database entry:
The Xen hypervisor block backend driver for Linux kernel 2.6.18, when
running on a 64-bit host with a 32-bit paravirtualized guest, allows local
privileged users in the guest OS to cause a denial of service (host OS
crash) via a request that specifies a large number of blocks.
Comments (none posted)
kernel: denial of service
Package(s): linux, linux-source-2.6.15/22
CVE #(s): CVE-2008-5025
Created: November 27, 2008
Updated: February 10, 2009
Description: The kernel has a denial of service vulnerability. From the
vulnerability database:
Stack-based buffer overflow in the hfs_cat_find_brec function in
fs/hfs/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to
cause a denial of service (memory corruption or system crash) via an hfs
filesystem image with an invalid catalog namelength field, a related issue
to CVE-2008-4933.
Comments (none posted)
kernel: denial of service
Package(s): linux, linux-source-2.6.15/22
CVE #(s): CVE-2008-5033
Created: November 27, 2008
Updated: August 20, 2009
Description: The kernel has a denial of service vulnerability. From the
vulnerability database entry:
The chip_command function in drivers/media/video/tvaudio.c in the Linux
kernel 2.6.25.x before 2.6.25.19, 2.6.26.x before 2.6.26.7, and 2.6.27.x
before 2.6.27.3 allows attackers to cause a denial of service (NULL function
pointer dereference and OOPS) via unknown vectors.
Comments (none posted)
libsamplerate: buffer overflow
Package(s): libsamplerate
CVE #(s): CVE-2008-5008
Created: December 2, 2008
Updated: December 5, 2008
Description: Versions of libsamplerate prior to 0.1.4 suffer from a buffer
overflow which could be exploited (via a specially-crafted audio file) to
execute arbitrary code.
Comments (none posted)
mantis: multiple vulnerabilities
Package(s): mantis
CVE #(s): CVE-2008-4687, CVE-2008-4688, CVE-2008-4689
Created: December 2, 2008
Updated: December 3, 2008
Description: The mantis bug tracking system has a few bugs of its own,
including a failure to sanitize input parameters, information disclosure,
and a failure to unset session cookies on logout.
Comments (none posted)
perl: privilege escalation
Package(s): perl
CVE #(s): CVE-2008-5302, CVE-2008-5303, CVE-2005-0448, CVE-2004-0452
Created: December 3, 2008
Updated: June 14, 2010
Description: From the Debian advisory:
Paul Szabo rediscovered a vulnerability in the File::Path::rmtree
function of Perl. It was possible to exploit a race condition to create
setuid binaries in a directory tree or remove arbitrary files when a
process is deleting this tree. This issue was originally known as
CVE-2005-0448 and CVE-2004-0452, which were addressed by DSA-696-1 and
DSA-620-1. Unfortunately, they were reintroduced later.
Comments (none posted)
phpMyAdmin: cross-site scripting
Package(s): phpmyadmin
CVE #(s): CVE-2008-4326
Created: December 1, 2008
Updated: February 2, 2009
Description: From the Debian advisory:
Masako Oono discovered that phpMyAdmin, a web-based administration
interface for MySQL, insufficiently sanitises input allowing a
remote attacker to gather sensitive data through cross site scripting,
provided that the user uses the Internet Explorer web browser.
Comments (none posted)
samba: bounds checking problem
Package(s): samba
CVE #(s): CVE-2008-4314
Created: November 27, 2008
Updated: October 5, 2009
Description: Samba has a bounds checking issue. From the Ubuntu alert:
It was discovered that Samba did not properly perform bounds checking
in certain operations. A remote attacker could possibly exploit this to
read arbitrary memory contents of the smb process, which could contain
sensitive information or possibly have other impacts, such as a denial of
service.
Comments (none posted)
wordpress: cross-site scripting
Package(s): wordpress
CVE #(s): CVE-2008-5278
Created: December 3, 2008
Updated: December 22, 2008
Description: From the Red Hat bugzilla entry:
Cross-site scripting (XSS) vulnerability in the self_link function in
the RSS Feed Generator (wp-includes/feed.php) for WordPress before
2.6.5 allows remote attackers to inject arbitrary web script or HTML
via the Host header (HTTP_HOST variable).
Comments (none posted)
Page editor: Jake Edge