By Jake Edge
December 10, 2008
Removing the ability for regular users to execute "system" programs has a
certain appeal, but does it really provide any extra security? A thread on
the fedora-devel mailing list explores that question in the context of
usermod (and other, similar tools), which had their permissions
changed more than two years ago in an effort to meet security certification
requirements. Whether these changes, and at some level the certifications
themselves, actually increase the security of the system is the open question.
Callum Lerwick noticed that running
usermod no longer worked as a regular user. He has a habit of
doing that to get a quick overview of the command syntax and options from
the help page, but unless he uses sudo, that doesn't work. That
was done on purpose as Steve Grubb describes:
These should have been gone for quite a while...and on purpose. You cannot do
anything with them unless you are root. Allowing anyone even to execute them
would require lots of bad things for our LSPP/CAPP evaluations.
LSPP and CAPP are two protection profiles that are used for Common Criteria
security certifications (such as EAL3) that Red Hat Enterprise Linux (RHEL) has
earned. Because these tools can modify trusted databases
(e.g. /etc/shadow), attempts to run them by untrusted users must
be added to the audit log in order to comply with the certifications. But
adding audit events requires the CAP_AUDIT_WRITE capability bit; in today's
systems that effectively means setuid(0). As Grubb puts it: "IOW, if we open the
permissions, we need to make these become setuid root so
that we send audit events saying they failed."
Leaving aside the idea that only processes with root
permissions are allowed to generate auditable events—which seems a
bit bizarre—there is still the question of how much protection is
provided by changing the file permissions. Seth Vidal asks:
And do we seriously think we can keep the code away from a non-root user
by chmodd'ing the binaries? A user can get a binary for anything
fedora can install in about 30s w/firefox.
Allowing users to download binaries "takes the
system out of the certified configuration", according to Grubb, "So, if you need to
be in the CAPP
certified configuration, don't let users do this." This fairly
clearly demonstrates the dubious nature of the security afforded by the
current certifications. For the most part, the protection profiles
define away nearly all of the interesting threats that most systems face
today.
To a large extent, CAPP/LSPP certifications are the kinds of things listed
in marketing materials for "enterprise" operating systems rather than
serious attempts to address the real security needs of the vast majority of
network connected systems. Grubb provides an excellent overview of some of the requirements of CAPP,
along with how they are implemented in Fedora
as part
of the discussion. The CAPP
information page gives the full story, however:
The CAPP provides for a level of protection, which is appropriate for an
assumed non-hostile and well-managed user community requiring protection
against threats of inadvertent or casual attempts to breach the system
security. The profile is not intended to be applicable to circumstances in
which protection is required against determined attempts by hostile and
well-funded attackers to breach system security.
But CAPP does require that all attempts to modify trusted databases
like the shadow password file generate an audit trail, so there is a
lower-level audit rule set up for that file. Any access to
/etc/shadow, for example, is logged as Grubb describes in his
overview. That, though, begs other questions as Lerwick points out:
So we *are* auditing low level filesystem calls? So then what, other
than security theater, does auditing execution of usermod gain us?
The answer is that auditing execution of usermod by non-root users
gains exactly one thing: CAPP compliance. It requires that binaries which
modify trusted databases leave an audit trail. Even though any actual
attempt to access the underlying file will be logged, just accessing the
binary that could modify the file is also something that must be
logged.
Part of the dismay displayed in the thread comes from the fact that Fedora
will probably never be certified with CAPP for any number of reasons. So
taking away longstanding user abilities, though there are reasonable
alternatives like man usermod, for a certification that won't be
done, doesn't sit well with some in the Fedora community. Though, as Jef
Spaleta notes, there might be a use for the
certification in a Fedora spin:
Is there need for certified
'appliance' situations that a new 3rd party could leverage Fedora to
create? I can imagine all sorts of no network software appliance
situations where the CAPP certification applies and a Fedora derived
image would be a good development target.
There is always going to be tension between the security needs of an
"enterprise" distribution like RHEL and a more user/desktop-oriented
distribution like Fedora. While the specific reduced functionality in this
case is fairly minimal, the discussion increased the visibility of the
auditing required for certification as well as what that means for both
distributions. The original decision was made back in the Fedora Core days
when there was much less visibility and community input into the process.
Discussions like this will only help continue the process of opening up
Fedora while also exposing some of the inadequacies of security
certifications.
Comments (26 posted)
Brief items
The PHP 5.2.7 release
has been
withdrawn because it introduced a security hole. PHP users are advised
to drop back to version 5.2.6 until the developers can put together a 5.2.8
update.
Update: PHP 5.2.8 is now
available.
Comments (18 posted)
New vulnerabilities
Archive::Tar: directory traversal
| Package(s): | Archive-Tar |
CVE #(s): | CVE-2007-4829
|
| Created: | December 10, 2008 |
Updated: | July 22, 2010 |
| Description: |
The Archive::Tar perl module, prior to version 1.40, suffers from a directory traversal vulnerability exploitable via a specially-crafted tar file. |
| Alerts: |
|
Comments (none posted)
awstats: fix incomplete fix for CVE-2008-3714
| Package(s): | awstats |
CVE #(s): | CVE-2008-5080
|
| Created: | December 8, 2008 |
Updated: | October 13, 2009 |
| Description: |
From the Red Hat bugzilla entry:
It was discovered that the upstream patch for cross-site scripting (XSS) issue
in awstats known as CVE-2008-3714 does not completely resolve the problem and
it still allows injection of quote characters.
|
| Alerts: |
|
Comments (none posted)
clamav: denial of service
| Package(s): | clamav |
CVE #(s): | CVE-2008-5314
|
| Created: | December 4, 2008 |
Updated: | December 24, 2008 |
| Description: |
clamav has a denial of service vulnerability. From the Debian advisory:
Ilja van Sprundel discovered that ClamAV contains a denial of service
condition in its JPEG file processing because it does not limit the
recursion depth when processing JPEG thumbnails (CVE-2008-5314). |
| Alerts: |
|
Comments (none posted)
compiz-plugins: illegal access to desktop
| Package(s): | compiz-plugins |
CVE #(s): | |
| Created: | December 9, 2008 |
Updated: | December 10, 2008 |
| Description: |
From the Ubuntu advisory: It was discovered that the Expo plugin for Compiz
did not correctly restrict the screensaver window from being moved with the
mouse. A local attacker could use the mouse to move the screensaver off
the screen and gain access to the locked desktop session
underneath. Default installs of Ubuntu were not vulnerable as Expo does not
come pre-configured with mouse bindings. |
| Alerts: |
|
Comments (none posted)
dbus: security bypass
| Package(s): | dbus |
CVE #(s): | CVE-2008-4311
|
| Created: | December 8, 2008 |
Updated: | April 21, 2009 |
| Description: |
From the freedesktop.org advisory
Joachim Breitner discovered a mistake in the default configuration for the
system bus (system.conf) which made the default policy for both sent and
received messages effectively *allow*, and not deny as intended.
|
| Alerts: |
|
Comments (none posted)
java: arbitrary code execution
| Package(s): | java |
CVE #(s): | CVE-2008-2086
|
| Created: | December 4, 2008 |
Updated: | November 18, 2009 |
| Description: |
Java has an arbitrary code execution vulnerability.
From the Red Hat alert:
A vulnerability was found in in Java Web Start. If a user visits a
malicious website, an attacker could misuse this flaw to execute arbitrary
code. (CVE-2008-2086) |
| Alerts: |
|
Comments (none posted)
java-1.6.0-openjdk: multiple vulnerabilities
Comments (none posted)
kernel: buffer overflow
| Package(s): | linux-2.6.24 |
CVE #(s): | CVE-2008-5134
|
| Created: | December 5, 2008 |
Updated: | February 4, 2009 |
| Description: |
The Kernel has a buffer overflow vulnerability. From the
national vulnerability database entry:
Buffer overflow in the lbs_process_bss function in drivers/net/wireless/libertas/scan.c in the libertas subsystem in the Linux kernel before 2.6.27.5 allows remote attackers to have an unknown impact via an "invalid beacon/probe response." |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | linux-2.6.24 |
CVE #(s): | CVE-2008-5300
|
| Created: | December 5, 2008 |
Updated: | November 4, 2009 |
| Description: |
The kernel has a denial of service vulnerability. From the
national vulnerability database entry:
Linux kernel 2.6.28 allows local users to cause a denial of service ("soft lockup" and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029. |
| Alerts: |
|
Comments (none posted)
kernel: privilege escalation
| Package(s): | linux-2.6.24 |
CVE #(s): | CVE-2008-5182
|
| Created: | December 5, 2008 |
Updated: | February 25, 2009 |
| Description: |
The kernel has a privilege escalation vulnerability. From the
national vulnerability database entry:
The inotify functionality in Linux kernel 2.6 before 2.6.28-rc5 might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2008-5079
|
| Created: | December 9, 2008 |
Updated: | October 5, 2009 |
| Description: |
From the CVE entry: net/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8 and earlier allows local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table. |
| Alerts: |
|
Comments (none posted)
lcms: buffer overflows
| Package(s): | lcms |
CVE #(s): | CVE-2008-5316
CVE-2008-5317
|
| Created: | December 10, 2008 |
Updated: | January 8, 2009 |
| Description: |
The lcms color management utility suffers from a couple of buffer overflow vulnerabilities which could be exploited via a specially-crafted image file. |
| Alerts: |
|
Comments (none posted)
mgetty: insecure use of tmp file
| Package(s): | mgetty |
CVE #(s): | CVE-2008-4936
|
| Created: | December 8, 2008 |
Updated: | December 10, 2008 |
| Description: |
From the Gentoo advisory:
Dmitry E. Oboukhov reported that the "spooldir" directory in
fax/faxspool.in is created in an insecure manner.
A local attacker could exploit this vulnerability to overwrite
arbitrary files with the privileges of the user running the
application.
|
| Alerts: |
|
Comments (none posted)
apache: multiple vulnerabilities
| Package(s): | apache |
CVE #(s): | CVE-2007-6420
CVE-2008-2364
CVE-2008-2939
|
| Created: | December 5, 2008 |
Updated: | December 7, 2009 |
| Description: |
The Apache web server has multiple vulnerabilities.
From the Red Hat vulnerability report:
A flaw was found in the mod_proxy module. An attacker who has control of
a web server to which requests are being proxied could cause a limited
denial of service due to CPU consumption and stack exhaustion. (CVE-2008-2364)
A flaw was found in the mod_proxy_ftp module. Where Apache is configured
to support ftp-over-httpd proxying, a remote attacker could perform a
cross-site scripting attack. (CVE-2008-2939)
A cross-site request forgery issue was found in the mod_proxy_balancer
module. A remote attacker could cause a denial of service if
mod_proxy_balancer is enabled and an authenticated user is targeted.
(CVE-2007-6420) |
| Alerts: |
|
Comments (none posted)
ruby: denial of service
| Package(s): | ruby |
CVE #(s): | CVE-2008-4310
|
| Created: | December 5, 2008 |
Updated: | December 10, 2008 |
| Description: |
ruby has a denial of service vulnerability.
From the Red Hat security advisory:
Vincent Danen reported, that Red Hat Security Advisory RHSA-2008:0897
did not properly address a denial of service flaw in the WEBrick (Ruby
HTTP server toolkit), known as CVE-2008-3656. This flaw allowed a
remote attacker to send a specially-crafted HTTP request to a WEBrick
server that would cause the server to use excessive CPU time. This
update properly addresses this flaw. (CVE-2008-4310) |
| Alerts: |
|
Comments (none posted)
squirrelmail: cross-site scripting
| Package(s): | squirrelmail |
CVE #(s): | CVE-2008-2379
|
| Created: | December 8, 2008 |
Updated: | May 13, 2009 |
| Description: |
From the Debian advisory:
Ivan Markovic discovered that SquirrelMail, a webmail application, did not
sufficiently sanitise incoming HTML email, allowing an attacker to perform
cross site scripting through sending a malicious HTML email. |
| Alerts: |
|
Comments (none posted)
syslog-ng: chroot jail escape
Comments (none posted)
vim: information exposure
| Package(s): | vim |
CVE #(s): | CVE-2008-4677
|
| Created: | December 4, 2008 |
Updated: | March 24, 2009 |
| Description: |
The vim editor has an information exposure vulnerability.
From the Mandriva alert:
A vulnerability was found in certain versions of netrw.vim where it
would send FTP credentials stored for an FTP session to subsequent
FTP sessions to servers on different hosts, exposing FTP credentials
to remote hosts (CVE-2008-4677). |
| Alerts: |
|
Comments (none posted)
vinagre: format string flaw
| Package(s): | vinagre |
CVE #(s): | |
| Created: | December 8, 2008 |
Updated: | December 11, 2008 |
| Description: |
From the Ubuntu advisory:
Alfredo Ortega discovered a flaw in Vinagre's use of format strings. A
remote attacker could exploit this vulnerability if they tricked a user
into connecting to a malicious VNC server, or opening a specially crafted
URI with Vinagre. |
| Alerts: |
|
Comments (none posted)
Page editor: Jake Edge
Next page: Kernel development>>
