Security
By Jake Edge December 24, 2008
A while back, we looked at the
new Firefox 3 warnings for self-signed and expired SSL certificates.
As annoying as some found those to be, it certainly increased the
visibility of "invalid" certificates. Those certificates could lead to
man-in-the-middle attacks, which is what led Mozilla to issue such
eye-opening warnings. More recently, Eddy Nigg of Startcom—issuer of
free SSL certificates—found another way to do man-in-the-middle
attacks without setting off any of the new warnings.
What Nigg found was that he could get a perfectly valid certificate for a
domain he did not control: in this case mozilla.com. He could
then masquerade as the secure Mozilla site with impunity; any browsers that
landed
there would verify the certificate as belonging to mozilla.com.
He did it through a Comodo reseller with no questions asked: "Five
minutes later I was in the possession of a
legitimate certificate issued to mozilla.com – no questions asked
– no
verification checks done – no control validation – no subscriber agreement
presented, nothing."
That is clearly a bug in the verification process, but it is completely out
of the control of the browser. The browser must trust some set of key
signing authorities (i.e. Certificate Authorities or CAs), but has no way
to control how well or poorly they actually vet the keys they sign—or
their downstream resellers sign. We saw the same potential problem in a
slightly different guise with
"Extended Validation" certificates back in
2006. It all comes down to trusting CAs.
Sometime after Nigg's story hit Slashdot, Comodo revoked the certificate,
which did cause Firefox to put up an error and disallow the
connection. One wonders how many bad certificates have been issued but not
revoked because a phisher or other scammer received them. One would think
those folks would be less likely to publicly announce what they had done.
Bringing attention to the problem will likely help, but there are just
too many ways to create bad SSL certificates for those that really want
them—bribing CA employees
if nothing else. Another useful outcome is that
Richard Bejtlich got interested in just how the revocation process works.
He collected packet data from accessing Nigg's certificate after it had
been revoked, which gives a look inside the Online Certificate Status
Protocol (OCSP).
OCSP is designed to do just what it did: cause a revoked certificate to
fail when the browser verifies it. Nigg's certificate listed, in its
Authority Information Access extension, an OCSP responder that should be
consulted. Because that information is part of the certificate the CA
signed, it can't be tampered with without breaking the signature, and the
responder's answer is itself signed by the CA (or by a responder the CA has
delegated to). So long as the browser makes the OCSP check, certificates can
be revoked in this manner, as long as the CA is aware that revocation is
needed. The check is also only as strong as the browser's handling of a
missing answer: Firefox 3 treats an unreachable responder as a pass unless
the user turns on the validation option that makes a failed OCSP connection
an invalid certificate, so an attacker who can block the query can also
hide the revocation.
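To make the mechanics concrete, here is an added example, not code from the article, from Mozilla or from any CA, that does what a browser does before it talks to the responder: find the OCSP URI in the certificate's AuthorityInfoAccess extension, build the CertID-based OCSPRequest (RFC 2560) and the GET form of it (RFC 5019), and, on the responder side, read the CertID back out. It uses only the standard library; the extension, issuer name, issuer key bytes, serial number and responder URL are constructed sample values rather than anything taken from a real certificate.

```python
"""Added example (not from the LWN article, Mozilla or any CA): locating a
certificate's OCSP responder and building the request the client sends.
All sample data below is constructed; real certificates carry the same
structures in DER and the browser takes the responder URL from the signed
AuthorityInfoAccess extension."""
import base64
import hashlib
import urllib.parse

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
OID_SHA1 = "1.3.14.3.2.26"             # hash most responders expect in CertID
OID_CN = "2.5.4.3"

# --- minimal DER encode/decode (X.690) -------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_int(n):
    # Non-negative INTEGER in minimal two's complement (0x80.. gets a 0x00 pad).
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def der_read(buf, pos=0):
    """Return (tag, content, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        yield tag, body

# --- client side: find the responder in AuthorityInfoAccess ----------------
def access_description(oid, uri):
    # AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
    # GeneralName.uniformResourceIdentifier is [6] IMPLICIT IA5String -> tag 0x86.
    return der_seq(der_oid(oid), der(0x86, uri.encode("ascii")))

def ocsp_responders(aia_value):
    """Every OCSP URI in a DER AuthorityInfoAccessSyntax (SEQUENCE OF AccessDescription)."""
    uris = []
    for _, desc in der_children(der_read(aia_value)[1]):
        _, method, pos = der_read(desc)
        loc_tag, loc, _ = der_read(desc, pos)
        if der(0x06, method) == der_oid(OID_OCSP) and loc_tag == 0x86:
            uris.append(loc.decode("ascii"))
    return uris

# --- client side: build the unsigned OCSPRequest ---------------------------
def cert_id(issuer_name_der, issuer_key_bits, serial):
    """CertID: sha1(issuer DER Name), sha1(issuer subjectPublicKey bits), serial."""
    return der_seq(
        der_seq(der_oid(OID_SHA1), der(0x05, b"")),   # AlgorithmIdentifier { sha1, NULL }
        der(0x04, hashlib.sha1(issuer_name_der).digest()),
        der(0x04, hashlib.sha1(issuer_key_bits).digest()),
        der_int(serial),
    )

def ocsp_request(issuer_name_der, issuer_key_bits, serial):
    """OCSPRequest { TBSRequest { requestList { Request { reqCert CertID } } } }."""
    request = der_seq(cert_id(issuer_name_der, issuer_key_bits, serial))
    return der_seq(der_seq(der_seq(request)))

def ocsp_get_url(responder, request_der):
    """RFC 5019 GET form: responder URL, '/', URL-escaped base64 of the request."""
    b64 = base64.b64encode(request_der).decode("ascii")
    return responder.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")

# --- responder side: read the CertID back out of the request ---------------
def parse_cert_id(request_der):
    tbs_body = der_read(der_read(request_der)[1])[1]   # content of TBSRequest
    req_list_body = der_read(tbs_body)[1]              # content of requestList
    request_body = der_read(req_list_body)[1]          # content of Request
    certid_body = der_read(request_body)[1]            # content of CertID
    items = [body for _, body in der_children(certid_body)]
    return items[1], items[2], int.from_bytes(items[3], "big")

# Constructed sample data (not from any real certificate).
SAMPLE_AIA = der_seq(
    access_description(OID_OCSP, "http://ocsp.example-ca.test"),
    access_description(OID_CA_ISSUERS, "http://crt.example-ca.test/issuer.crt"),
)
SAMPLE_ISSUER_NAME = der_seq(der(0x31, der_seq(der_oid(OID_CN), der(0x13, b"Example CA"))))
SAMPLE_ISSUER_KEY_BITS = bytes(range(256))   # stand-in for the issuer's public key bits
SAMPLE_SERIAL = 0x0A1B2C3D4E5F

if __name__ == "__main__":
    responder = ocsp_responders(SAMPLE_AIA)[0]
    req = ocsp_request(SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_KEY_BITS, SAMPLE_SERIAL)
    print("responder:", responder)
    print("GET", ocsp_get_url(responder, req))
    print("responder sees serial", hex(parse_cert_id(req)[2]))
```

What the example leaves out is the part that makes the scheme trustworthy: a real client must verify the signature on the OCSPResponse against the CA, or against a responder certificate the CA has delegated to, before believing "good" or "revoked". Fetching the answer is the easy half; a response that is unsigned, signed by the wrong key, or simply never arrives has to be treated as a failure, or the check can be bypassed by anyone sitting in the path.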
Public key cryptography—the basis of SSL and many other encryption
schemes—is an amazing method for doing encryption, but it does suffer
from a major shortcoming: key distribution. Encrypting to a public key is
easy; knowing that the key really belongs to the party you mean to talk to
is the hard part, and that binding of key to name is exactly what a CA's
signature is supposed to certify. For relatively simple situations, where
both parties know each other and have a way to securely exchange keys, it
works well. When trying to handle other kinds of communications, either a
"web of trust" (a la PGP and GPG) or some kind of trusted authority is
required. When those break down, man-in-the-middle and other scams are
possible.
Comments (22 posted)
Brief items
The three MIT students who were sued by the Massachusetts Bay
Transportation Authority (MBTA) to stop their DEFCON presentation are
now working with the agency to improve its security. The students studied
MBTA's automated fare collection system, finding it lacking in several
respects. " 'We've always shared the goal of making the subway as safe
and secure as can be,' said student Zack Anderson. 'I am
glad that we can work with the MBTA to help the people of
Boston, and we are proud to be a part of something that
puts public interest first.'" Click below for the full press release.
Full Story (comments: none)
New vulnerabilities
ampache: insecure tmp file usage
Package(s): ampache
CVE #(s): CVE-2008-3929
Created: December 24, 2008
Updated: December 24, 2008
Description: From the Gentoo advisory:
Dmitry E. Oboukhov reported an insecure temporary file usage within the
gather-messages.sh script.
A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application.
Alerts:
Comments (none posted)
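The symlink attack the advisory describes is a general pattern, so here is an added illustration of it (not the ampache script, and not its actual file names): a predictable temporary name that an unprivileged user pre-creates as a symlink, the plain open() that follows it, and two ways of opening the file that refuse to. Everything runs inside a private scratch directory; "victim.conf" stands in for whatever file the attacker would like overwritten.

```python
"""Added example, not the ampache gather-messages.sh script: the symlink
attack the advisory describes against a predictable temporary file name,
and two ways to open the file that defeat it.  All names are constructed
for the demo and everything happens in a private scratch directory."""
import os
import tempfile

def vulnerable_write(path, data):
    """A fixed name opened with plain open(): O_CREAT without O_EXCL follows
    a symlink planted at `path` and truncates whatever it points at, with
    the privileges of the user running the script."""
    with open(path, "w") as f:
        f.write(data)

def safe_write_fixed_name(path, data):
    """If the name must stay fixed: O_EXCL makes open() fail when anything,
    symlink included, already exists; O_NOFOLLOW (where the platform has
    it) additionally refuses to traverse a link in the final component."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def safe_write_random_name(directory, data):
    """The usual fix: mkstemp() picks an unpredictable name and opens it
    with O_CREAT|O_EXCL, so there is no name for the attacker to pre-create."""
    fd, path = tempfile.mkstemp(dir=directory, prefix="gather-messages.")
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def demo():
    """Returns (safe variant refused?, victim after the safe attempt,
    victim after the vulnerable write, random-name file is not the victim?)."""
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.conf")   # file the attacker wants clobbered
        with open(victim, "w") as f:
            f.write("original\n")
        planted = os.path.join(scratch, "gather-messages.tmp")  # the predictable name
        os.symlink(victim, planted)                     # attacker acts before we run

        refused = False
        try:
            safe_write_fixed_name(planted, "attacker controlled\n")
        except FileExistsError:
            refused = True
        with open(victim) as f:
            after_safe = f.read()

        vulnerable_write(planted, "attacker controlled\n")
        with open(victim) as f:
            after_vulnerable = f.read()

        random_path = safe_write_random_name(scratch, "messages\n")
        untouched = os.path.realpath(random_path) != os.path.realpath(victim)
        return refused, after_safe, after_vulnerable, untouched

if __name__ == "__main__":
    print(demo())
```

The shell equivalent of the fix is `mktemp` (or `mktemp -d` and then fixed names underneath the private directory); a script that writes to a name it computed in advance under /tmp is exactly the case the advisory is about.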
avahi: denial of service
Package(s): avahi
CVE #(s): CVE-2008-5081
Created: December 19, 2008
Updated: October 15, 2010
Description: From the Ubuntu advisory: Hugo Dias discovered that Avahi did not properly verify its input when processing mDNS packets. A remote attacker could send a crafted mDNS packet and cause a denial of service (assertion failure).
Alerts:
Comments (none posted)
courier-authlib: SQL injection
Package(s): courier-authlib
CVE #(s): CVE-2008-2380
Created: December 22, 2008
Updated: March 12, 2009
Description: From the Debian advisory:
The MySQL database interface used insufficient escaping mechanisms when
constructing SQL statements, leading to SQL injection vulnerabilities if
certain charsets are used (CVE-2008-2380).
Alerts:
Comments (none posted)
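The "if certain charsets are used" qualifier is the interesting part of that advisory, so here is an added illustration of the bug class (not Courier's code, and not the statements it builds): escaping a string byte by byte, with no knowledge of the connection charset, versus decoding it in that charset first. The login value, query and GBK setting are constructed for the demo; Python's gbk codec plays the part of a server configured for that charset.

```python
"""Added example, not Courier's code: why backslash-escaping SQL strings
byte by byte, blind to the connection charset, can leave a quote live.
The query, login value and GBK setting are constructed for illustration."""

def naive_escape(value: bytes) -> bytes:
    """Escape ' and \\ as raw bytes, without knowing about multibyte characters."""
    return value.replace(b"\\", b"\\\\").replace(b"'", b"\\'")

def charset_aware_escape(value: bytes, charset: str) -> bytes:
    """Decode with the connection charset first so escaping works on
    characters.  A lone lead byte (0xBF with no valid trail byte in GBK)
    cannot be decoded and is rejected instead of being passed through;
    a real driver does the equivalent inside mysql_real_escape_string()."""
    try:
        text = value.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}: {exc.reason}") from None
    return text.replace("\\", "\\\\").replace("'", "\\'").encode(charset)

def build_query(escaped_login: bytes) -> bytes:
    return b"SELECT id FROM users WHERE login = '" + escaped_login + b"'"

def server_sees(wire: bytes, charset: str) -> str:
    """The character stream a server using `charset` hands to its SQL parser."""
    return wire.decode(charset, errors="replace")

def parse_login_literal(sql: str):
    """Walk the literal after "login = '" the way a SQL lexer does: a
    backslash takes the next character literally, an unescaped quote ends
    the literal.  Returns (literal, everything from the closing quote on)."""
    i = sql.index("login = '") + len("login = '")
    out = []
    while i < len(sql):
        c = sql[i]
        if c == "\\" and i + 1 < len(sql):
            out.append(sql[i + 1])
            i += 2
            continue
        if c == "'":
            break
        out.append(c)
        i += 1
    return "".join(out), sql[i:]

# Constructed attacker input: a GBK lead byte (0xBF) followed by a quote.
# Naive escaping turns it into 0xBF 0x5C 0x27; a GBK server reads 0xBF5C as
# one two-byte character, so the 0x27 after it is an unescaped quote.
ATTACK = b"\xbf'" + b" OR 1=1 -- "

def naive_outcome(charset: str = "gbk"):
    return parse_login_literal(server_sees(build_query(naive_escape(ATTACK)), charset))

def aware_outcome(value: bytes, charset: str = "gbk"):
    escaped = charset_aware_escape(value, charset)
    return parse_login_literal(server_sees(build_query(escaped), charset))

if __name__ == "__main__":
    literal, rest = naive_outcome()
    print("naive: literal=%r, then SQL: %r" % (literal, rest))   # rest begins "' OR 1=1"
    try:
        aware_outcome(ATTACK)
    except ValueError as e:
        print("aware: rejected:", e)
    print("aware: honest input ->", aware_outcome("中'x".encode("gbk")))
```

The point generalises beyond GBK to any multibyte charset in which 0x5C can be a trail byte; the robust answer, then as now, is parameterised queries, with charset-aware escaping (and a charset the client and server agree on) as the fallback when a driver offers nothing better.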
drupal-views: SQL injection
Package(s): drupal-views
CVE #(s):
Created: December 22, 2008
Updated: December 24, 2008
Description: From the Drupal security alert:
When using an exposed filter on CCK text fields with allowed values, Views does not filter the data correctly. This may allow malicious users to conduct SQL injection attacks against the site.
Alerts:
Comments (none posted)
flash-plugin: arbitrary code execution
Package(s): flash-plugin
CVE #(s): CVE-2008-5499
Created: December 19, 2008
Updated: December 24, 2008
Description: From the Red Hat advisory: A security flaw was found in the way Flash Player displayed certain SWF (Shockwave Flash) content. This may have made it possible to execute arbitrary code on a victim's machine, if the victim opened a malicious Adobe Flash file.
Alerts:
Comments (none posted)
git: privilege escalation
Package(s): git
CVE #(s):
Created: December 22, 2008
Updated: December 24, 2008
Description: From the Red Hat bugzilla:
Current gitweb has a possible local privilege escalation bug that allows a
malicious repository owner to run a command of his choice by specifying
diff.external configuration variable in his repository and running a
crafted gitweb query.
Recent (post 1.4.3) gitweb itself never generates a link that would result
in such a query, and the safest and cleanest fix to this issue is to
simply drop the support for it.
Alerts:
Comments (none posted)
kvm: denial of service
Package(s): kvm
CVE #(s): CVE-2008-2382
Created: December 24, 2008
Updated: May 13, 2009
Description: From the Red Hat bugzilla:
A denial of service flaw was discovered in the Qemu processor emulator
and Kernel-based Virtual Machine (KVM) due to improper sanitization
of the length of the message sent to the host VNC server. A remote attacker
could use this flaw to cause an infinite loop via specially-crafted
VNC message sent to the particular virtual domain.
Alerts:
Comments (none posted)
libvirt: privilege escalation
Package(s): libvirt
CVE #(s): CVE-2008-5086
Created: December 18, 2008
Updated: March 19, 2009
Description: libvirt has a privilege escalation vulnerability. From the Ubuntu alert:
It was discovered that libvirt did not mark certain operations as read-only. A local attacker may be able to perform privileged actions such as migrating
virtual machines, adjusting autostart flags, or accessing privileged data in
the virtual machine memory and disks.
Alerts:
Comments (none posted)
mediawiki: multiple vulnerabilities
Package(s): mediawiki
CVE #(s): CVE-2008-5249, CVE-2008-5250, CVE-2008-5252, CVE-2008-5687, CVE-2008-5688
Created: December 24, 2008
Updated: October 5, 2009
Description: From the Red Hat bugzilla:
* An XSS vulnerability affecting all MediaWiki installations between
1.13.0 and 1.13.2. [CVE-2008-5249]
* A local script injection vulnerability affecting Internet Explorer
clients for all MediaWiki installations with uploads enabled.
[CVE-2008-5250]
* A local script injection vulnerability affecting clients with SVG
scripting capability (such as Firefox 1.5+), for all MediaWiki
installations with SVG uploads enabled. [CVE-2008-5250]
* A CSRF vulnerability affecting the Special:Import feature, for all
MediaWiki installations since the feature was introduced in 1.3.0.
[CVE-2008-5252]
CVE-2008-5687:
MediaWiki 1.11 through 1.13.3 does not properly protect against the
download of backups of deleted images, which might allow remote
attackers to obtain sensitive information via requests for files in
images/deleted/.
CVE-2008-5688:
MediaWiki 1.8.1 through 1.13.3, when the wgShowExceptionDetails
variable is enabled, sometimes provides the full installation path in
a debugging message, which might allow remote attackers to obtain
sensitive information via unspecified requests that trigger an
uncaught exception.
Alerts:
Comments (none posted)
moodle: cross-site scripting
Package(s): moodle
CVE #(s): CVE-2008-5432
Created: December 22, 2008
Updated: June 25, 2009
Description: From the CVE entry:
Cross-site scripting (XSS) vulnerability in Moodle before 1.6.8, 1.7 before 1.7.6, 1.8 before 1.8.7, and 1.9 before 1.9.3 allows remote attackers to inject arbitrary web script or HTML via a Wiki page name (aka page title).
Alerts:
Comments (none posted)
nagios3: cross-site request forgery
Package(s): nagios3
CVE #(s): CVE-2008-5028
Created: December 22, 2008
Updated: July 20, 2009
Description: From the Ubuntu advisory:
It was discovered that Nagios was vulnerable to a Cross-site request forgery
(CSRF) vulnerability. If an authenticated nagios user were tricked into
clicking a link on a specially crafted web page, an attacker could trigger
commands to be processed by Nagios and execute arbitrary programs. This
update alters Nagios behaviour by disabling submission of CMD_CHANGE commands.
(CVE-2008-5028)
Alerts:
Comments (none posted)
openvpn: arbitrary code execution
Package(s): openvpn
CVE #(s):
Created: December 22, 2008
Updated: December 24, 2008
Description: From the Red Hat bugzilla:
An OpenVPN client connecting to a malicious or compromised
server could potentially receive an "lladdr" or "iproute" configuration
directive from the server which could cause arbitrary code execution on
the client. A successful attack requires that (a) the client has agreed
to allow the server to push configuration directives to it by including
"pull" or the macro "client" in its configuration file, (b) the client
successfully authenticates the server, (c) the server is malicious or has
been compromised and is under the control of the attacker, and (d) the
client is running a non-Windows OS. Credit: David Wagner.
Alerts:
Comments (none posted)
pdns: denial of service
Package(s): pdns
CVE #(s): CVE-2008-5277
Created: December 22, 2008
Updated: December 24, 2008
Description: From the Gentoo advisory:
Daniel Drown reported an error when receiving a HINFO CH query
(CVE-2008-5277).
A remote attacker could send specially crafted queries to cause a
Denial of Service.
Alerts:
Comments (none posted)
phpCollab: multiple vulnerabilities
Package(s): phpCollab
CVE #(s): CVE-2006-1495, CVE-2008-4303, CVE-2008-4304, CVE-2008-4305
Created: December 24, 2008
Updated: December 24, 2008
Description: From the Gentoo advisory:
* rgod reported that data sent to general/sendpassword.php via the
loginForm parameter is not properly sanitized before being used in an
SQL statement (CVE-2006-1495).
* Christian Hoffmann of Gentoo Security discovered multiple
vulnerabilities where input is insufficiently sanitized before being
used in an SQL statement, for instance in general/login.php via the
loginForm parameter. (CVE-2008-4303).
* Christian Hoffmann also found out that the variable
$SSL_CLIENT_CERT in general/login.php is not properly sanitized
before being used in a shell command. (CVE-2008-4304).
* User-supplied data to installation/setup.php is not checked before
being written to include/settings.php which is executed later. This
issue was reported by Christian Hoffmann as well (CVE-2008-4305).
These vulnerabilities enable remote attackers to execute arbitrary SQL
statements and PHP code. NOTE: Some of the SQL injection
vulnerabilities require the php.ini option "magic_quotes_gpc" to be
disabled. Furthermore, an attacker might be able to execute arbitrary
shell commands if "register_globals" is enabled, "magic_quotes_gpc" is
disabled, the PHP OpenSSL extension is not installed or loaded and the
file "installation/setup.php" has not been deleted after installation.
Alerts:
Comments (none posted)
phpPgAdmin: directory traversal
Package(s): phpPgAdmin
CVE #(s): CVE-2008-5587
Created: December 22, 2008
Updated: February 17, 2009
Description: From the Red Hat bugzilla:
Directory traversal vulnerability in libraries/lib.inc.php in
phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows
remote attackers to read arbitrary files via a .. (dot dot) in the
_language parameter to index.php.
Alerts:
Comments (none posted)
proftpd: cross-site request forgery
Package(s): proftpd
CVE #(s): CVE-2008-4242
Created: December 23, 2008
Updated: March 2, 2009
Description: From the Debian advisory: Maksymilian Arciemowicz of securityreason.com reported that ProFTPD is vulnerable to cross-site request forgery (CSRF) attacks and executes arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
Alerts:
Comments (none posted)
roundcubemail: denial of service
Package(s): roundcubemail
CVE #(s): CVE-2008-5620
Created: December 22, 2008
Updated: December 24, 2008
Description: From the Red Hat bugzilla:
RoundCube Webmail (roundcubemail) before 0.2-beta allows remote
attackers to cause a denial of service (memory consumption) via
crafted size parameters that are used to create a large quota image.
Alerts:
Comments (none posted)
rsyslog: multiple vulnerabilities
Package(s): rsyslog
CVE #(s): CVE-2008-5617, CVE-2008-5618
Created: December 22, 2008
Updated: January 12, 2009
Description: From the rsyslog advisory:
CVE-2008-5617: Due to a coding error in the modularization effort, the $AllowedSender directive is no longer honored but silently accepted. As such, rsyslog-based access control via $AllowedSender is not working and messages from every sender will be accepted by rsyslog. Most importantly, this could lead to misleading log entries or a remote DoS, by a malicious sender simply flooding the system logs with messages until the system runs out of disk space.
From the CVE entry:
CVE-2008-5618: imudp in rsyslog 4.x before 4.1.2, 3.21 before 3.21.9 beta, and 3.20 before 3.20.2 generates a message even when it is sent by an unauthorized sender, which allows remote attackers to cause a denial of service (disk consumption) via a large number of spurious messages.
Alerts:
Comments (none posted)
shadow: root privilege escalation
Package(s): shadow
CVE #(s):
Created: December 18, 2008
Updated: December 24, 2008
Description: shadow has a root privilege escalation vulnerability.
From the Ubuntu alert:
Paul Szabo discovered a race condition in login. While setting up
tty permissions, login did not correctly handle symlinks. If a local
attacker were able to gain control of the system utmp file, they could
cause login to change the ownership and permissions on arbitrary files,
leading to a root privilege escalation.
Alerts:
Comments (none posted)
vlc: multiple vulnerabilities
Package(s): vlc
CVE #(s): CVE-2008-5032, CVE-2008-5036, CVE-2008-5276
Created: December 24, 2008
Updated: June 18, 2009
Description: From the Gentoo advisory:
Tobias Klein reported the following vulnerabilities:
* A stack-based buffer overflow when processing CUE image files in
modules/access/vcd/cdrom.c (CVE-2008-5032).
* A stack-based buffer overflow when processing RealText (.rt)
subtitle files in the ParseRealText() function in
modules/demux/subtitle.c (CVE-2008-5036).
* An integer overflow when processing RealMedia (.rm) files in the
ReadRealIndex() function in real.c in the Real demuxer plugin,
leading to a heap-based buffer overflow (CVE-2008-5276).
A remote attacker could entice a user to open a specially crafted CUE
image file, RealMedia file or RealText subtitle file, possibly
resulting in the execution of arbitrary code with the privileges of the
user running the application.
Alerts:
Comments (none posted)
Page editor: Jake Edge