Security
By Jake Edge January 14, 2009
There is a fair amount of confusion surrounding the recent research resulting in
the ability to create bogus SSL certificates. The research combined a
weakness in the certificate generation process with the ability to create
MD5 hash collisions and generated a certificate that would be accepted by
all browsers. That certificate could be used to sign other certificates,
allowing the researchers to create a valid certificate purporting to be
from any domain they chose.
Cryptographic hashes, like MD5, are used in digital signature algorithms;
in effect it is the hash that is signed as a stand-in for the actual content.
It has been known since 2004 that MD5 collisions—two different inputs
generating the same hash value—could feasibly be found. So, a
signature on data with a specific MD5 hash would be considered a valid
signature on any other data that hashed to the same value. What the
researchers did was to create a certificate that the certificate authority
(CA), in this case RapidSSL, was willing to sign, then transferred that
signature to a different certificate. That second certificate hashed to
the same value, but had the ability to sign additional certificates.
This is a very significant attack on SSL that was addressed rather
quickly. One wonders why these certificate authorities were still using
MD5 long after it had been deprecated because of the collision
vulnerability. Inertia is the likely culprit, but RapidSSL and other CAs
using MD5 changed to SHA-1, within hours of the report in some cases. In
addition, RapidSSL stopped using sequential serial numbers in
certificates. That flaw helped the researchers immensely: they needed
only four attempts (with a 200-node PlayStation 3 cluster) to create
their colliding certificate. A random serial number over a sizable range
once again makes this attack infeasible—at least on today's hardware.
Eventually, MD5 will no longer be accepted as the hash used in the
signatures on certificates—or anything else, probably—but as of
now, SSL implementations will accept them. There are large numbers of such
certificates in use today, so browsers cannot just stop accepting them.
CAs are generally offering their customers free replacement
certificates that use SHA-1.
Because users rarely root through the certificates presented to their
browser to determine what hash algorithm was used, there is an extension
for Firefox called SSL Blacklist that detects these certificates and pops
up a warning.
But, for those sites affected—LWN for example—it can be a bit
worrying to hear from users that their certificate may be bad. The LWN
certificate and countless others are really no more vulnerable to this
attack than any other. A site that has an SHA-1 signature can be spoofed
by this attack as easily as one with an MD5 signature. But a site that
has an MD5-signed certificate does make it harder to switch away from
MD5. That switch won't happen soon in any case, but it could be slowed
down by sites that are slow to change.
If an attacker currently has a certificate of the type that the researchers
created, they can use it to sign certificates for any domain they wish, and
they can use SHA-1 in that signature. This particular vulnerability
requires an MD5 signed certificate in the chain of certificates, but does
not require that the final, domain-specific certificate be signed with
MD5. It should also be noted that some of the root certificates
distributed with browsers are MD5-signed. Those are not vulnerable because
they are distributed with the browser—if an attacker can change one's
root certificate stash, there are much easier attacks possible. For this
reason, SSL Blacklist looks for MD5 signatures in the certificate chain
anywhere after the root
certificate.
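The check just described, as an added example (this is not code from the article and not SSL Blacklist's own implementation): a standard-library Python script that reads the signatureAlgorithm OID out of each DER-encoded certificate and reports MD5-based signatures on every certificate after the trust anchor. The minimal DER reader, the OID table and the stub certificates are mine; the stubs only mimic the outer Certificate layout and are not real X.509 certificates.

```python
"""Flag MD5-based signatures in a certificate chain. Added example: not code from the LWN
article or from SSL Blacklist. Standard library only; the stub certificates are constructed."""

MD5_SIGNATURE_OIDS = {  # signature algorithms built on MD5 (PKCS#1 and OIW registries)
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.3.14.3.2.3": "md5WithRSA (OIW)",
}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos:]; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                                  # short-form length
        length = first
    else:                                             # long form: 0x80|N, then N length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos, pos + length

def _expect(buf, pos, tag, what):
    t, start, end = _read_tlv(buf, pos)               # read a TLV and insist on its tag
    if t != tag:
        raise ValueError(f"{what}: expected tag {tag:#x}, got {t:#x}")
    return start, end

def _decode_oid(raw):
    """Decode base-128 OBJECT IDENTIFIER sub-identifiers into dotted form."""
    subids, value, pending = [], 0, False
    for b in raw:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            subids.append(value)
            value = 0
    if pending or not subids:
        raise ValueError("malformed OID")
    head = subids[0]                                  # first two arcs share one sub-identifier
    arcs = [head // 40, head % 40] if head < 80 else [2, head - 80]
    return ".".join(str(a) for a in arcs + subids[1:])

def signature_algorithm_oid(cert_der):
    """Dotted OID of the outer signatureAlgorithm in
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    start, _ = _expect(cert_der, 0, 0x30, "Certificate")
    _, tbs_end = _expect(cert_der, start, 0x30, "tbsCertificate")     # skipped, not parsed
    alg_start, _ = _expect(cert_der, tbs_end, 0x30, "signatureAlgorithm")
    oid_start, oid_end = _expect(cert_der, alg_start, 0x06, "algorithm OID")
    return _decode_oid(cert_der[oid_start:oid_end])

def find_md5_signed(chain):
    """chain: DER certificates, leaf first, trust anchor (root) last. The root is skipped, as
    the article explains: it is trusted because it ships with the browser, not because of
    its signature. Returns [(index, algorithm name), ...] for every MD5-signed certificate."""
    findings = []
    for idx, der in enumerate(chain[:-1]):
        oid = signature_algorithm_oid(der)
        if oid in MD5_SIGNATURE_OIDS:
            findings.append((idx, MD5_SIGNATURE_OIDS[oid]))
    return findings

def _der(tag, content):
    """Constructed test helper: a tiny DER encoder so stub certificates can be built inline."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for s in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [s & 0x7F]
        s >>= 7
        while s:
            chunk.append(0x80 | (s & 0x7F))
            s >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def make_stub_certificate(sig_oid):
    """Constructed stand-in, not a real X.509 certificate: genuine outer layout, placeholder
    tbsCertificate, and a 256-byte dummy signature that exercises long-form DER lengths."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xaa" * 256)
    return _der(0x30, tbs + alg + sig)

if __name__ == "__main__":
    # The article's scenario: SHA-1-signed leaf, MD5-signed intermediate, MD5-signed root.
    chain = [make_stub_certificate("1.2.840.113549.1.1.5"),
             make_stub_certificate("1.2.840.113549.1.1.4"), make_stub_certificate("1.2.840.113549.1.1.4")]
    for idx, name in find_md5_signed(chain):
        print(f"certificate #{idx} in the chain is signed with {name}")
```

To run it against a real chain, supply the DER bytes of each certificate (for the leaf, ssl.SSLSocket.getpeercert(binary_form=True) returns exactly that) with the trust anchor appended last. The script only inspects the algorithm identifier; it does not verify any signature, which is all the warning described above needs.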
This incident is a good illustration of how cryptographic research often
proceeds. First, small cracks are found in an algorithm, causing some
worry in cryptographic circles, then partial attacks are found, which
generally starts to raise the alarm in the wider security community. But
it usually takes a full-scale attack or proof-of-concept to really cause
those who use the algorithms, knowingly or unknowingly, to take remedial
action. That delay provides a nice window that attackers can and will
exploit.
Comments (19 posted)
New vulnerabilities
bind: validation bypass
Package(s): Bind
CVE #(s): CVE-2009-0025
Created: January 9, 2009
Updated: July 30, 2009
Description: From the Red Hat advisory: A flaw was discovered in the way BIND checked the return value of the OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, allowing spoofing attacks.
Alerts:
Comments (none posted)
cups: insecure tmp file usage
Package(s): cups, cupsys
CVE #(s): CVE-2008-5377
Created: January 12, 2009
Updated: January 14, 2009
Description: From the Ubuntu advisory: It was discovered that the example pstopdf CUPS filter created log files in an insecure way. Local users could exploit a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Comments (none posted)
gforge: insufficient input sanitizing
Package(s): gforge
CVE #(s): CVE-2008-2381
Created: January 9, 2009
Updated: January 14, 2009
Description: From the Debian advisory: It was discovered that GForge, a collaborative development tool, insufficiently sanitizes some input allowing a remote attacker to perform SQL injection.
Alerts:
Comments (none posted)
git: arbitrary code execution
Package(s): git
CVE #(s): CVE-2008-5517
Created: January 12, 2009
Updated: March 9, 2009
Description: From the SUSE advisory: Insufficient quoting of shell characters allowed remote attackers to execute arbitrary commands via the git web interface (CVE-2008-5517)
Alerts:
Comments (2 posted)
hplip: privilege escalation
Package(s): hplip
CVE #(s):
Created: January 14, 2009
Updated: January 16, 2009
Description: The hplip installation script was caught in the act of modifying permissions on files in users' home directories. This behavior could be exploited by a local user to change permissions on arbitrary files.
Alerts:
Comments (1 posted)
imap: denial of service
Package(s): imap
CVE #(s): CVE-2008-5514
Created: January 12, 2009
Updated: January 6, 2010
Description: From the SUSE advisory: Insufficient buffer length checks in the imap client library may crash applications that use the library to print formatted email addresses. The imap daemon itself is not affected but certain versions of e.g. the php imap module are (CVE-2008-5514).
Alerts:
Comments (none posted)
java: multiple vulnerabilities
Comments (none posted)
jhead: multiple vulnerabilities
Package(s): jhead
CVE #(s): CVE-2008-4639, CVE-2008-4640, CVE-2008-4641
Created: January 12, 2009
Updated: March 5, 2009
Description: From the Gentoo advisory:
* An insecure creation of a temporary file (CVE-2008-4639).
* An error when unlinking a file (CVE-2008-4640).
* Insufficient escaping of shell metacharacters (CVE-2008-4641).
A remote attacker could possibly execute arbitrary code by enticing a user or automated system to open a file with a long filename or via unspecified vectors. It is also possible to trick a user into deleting or overwriting files.
Alerts:
Comments (none posted)
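The git entry above and the third jhead item both describe the same bug class: a user-controlled string (a filename, a query parameter) is spliced into a shell command line without quoting. The following added example is not code from gitweb or jhead; it reproduces the pattern in Python with printf(1) standing in for the real command, and shows the two fixes: passing the value as a single argv element so no shell parses it, or quoting it with shlex.quote when a shell really is required. The filename value is constructed.

```python
"""Shell metacharacters in a filename: interpolation versus argv. Added example,
not code from gitweb or jhead; the command run is printf(1), the input is constructed."""
import shlex
import subprocess

CONSTRUCTED_INPUT = "photo.jpg; echo INJECTED"   # a "filename" carrying shell metacharacters

def run_interpolated(filename):
    """Vulnerable pattern: the value becomes part of the command text the shell parses."""
    cmd = "printf '%s\\n' " + filename
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def run_argv(filename):
    """Fix: the value is one argv element handed straight to the program; no shell is involved."""
    return subprocess.run(["printf", "%s\n", filename],
                          capture_output=True, text=True).stdout

def run_quoted(filename):
    """Alternative when a shell is unavoidable: quote the value so it stays one word."""
    cmd = "printf '%s\\n' " + shlex.quote(filename)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Only the interpolated form lets the '; echo INJECTED' part run as a second command.
    for fn in (run_interpolated, run_argv, run_quoted):
        print(f"{fn.__name__:17s}: {fn(CONSTRUCTED_INPUT)!r}")
```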
lasso: certificate verification bypass
Package(s): lasso
CVE #(s): CVE-2009-0050
Created: January 12, 2009
Updated: January 14, 2009
Description: From the CVE entry: Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.
Alerts:
Comments (none posted)
mplayer: arbitrary code execution
Package(s): MPlayer
CVE #(s): CVE-2008-5616
Created: January 12, 2009
Updated: April 29, 2009
Description: From the Gentoo advisory: Tobias Klein reported a stack-based buffer overflow in the demux_open_vqf() function in libmpdemux/demux_vqf.c when processing malformed TwinVQ files (CVE-2008-5616). A remote attacker could entice a user to open a specially crafted STR, Real Media, or TwinVQ file to execute arbitrary code or cause a Denial of Service.
Alerts:
Comments (none posted)
ntp: signature verification vulnerability
Package(s): ntp
CVE #(s): CVE-2009-0021
Created: January 9, 2009
Updated: April 10, 2009
Description: From the Ubuntu advisory: It was discovered that NTP did not properly perform signature verification. A remote attacker could exploit this to bypass certificate validation via a malformed SSL/TLS signature.
Alerts:
Comments (none posted)
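The bind, lasso and ntp entries above all concern the return value of an OpenSSL verification call. OpenSSL's DSA_verify and DSA_do_verify return 1 for a valid signature, 0 for an invalid one, and -1 when verification could not run at all (for example, when the signature fails to decode). The bug class behind CVE-2008-5077 and these three entries is a caller that checks only for the "invalid" result instead of for explicit success, so the error result is accepted. The added example below is not code from BIND, Lasso or NTP: mock_verify is a constructed stand-in that honours the same three-valued contract (its toy signature is an HMAC, not DSA), and the two accept_* functions contrast the faulty check with the correct one.

```python
"""Three-valued verify results and the check that mishandles them. Added example; not
BIND, Lasso or NTP code. mock_verify is a constructed stand-in for OpenSSL's
DSA_verify contract (1 valid, 0 invalid, -1 error); the toy signature is an HMAC."""
import hashlib
import hmac

SIG_LEN = 32  # constructed: the length a well-formed toy signature must have

def mock_verify(key, digest, signature):
    """Return 1 (valid), 0 (invalid) or -1 (error), like the OpenSSL calls."""
    if not isinstance(signature, bytes) or len(signature) != SIG_LEN:
        return -1   # analogous to an ASN.1 decode failure on a malformed signature
    expected = hmac.new(key, digest, hashlib.sha256).digest()
    return 1 if hmac.compare_digest(expected, signature) else 0

def mock_sign(key, digest):
    """Constructed counterpart to mock_verify, used only to build test vectors."""
    return hmac.new(key, digest, hashlib.sha256).digest()

def accept_buggy(key, digest, signature):
    """The faulty pattern: anything other than 'invalid' (0) passes, including -1."""
    return mock_verify(key, digest, signature) != 0

def accept_fixed(key, digest, signature):
    """Only the explicit success value counts as success."""
    return mock_verify(key, digest, signature) == 1

def demo():
    """Return {case: (buggy check accepts?, fixed check accepts?)} for three inputs."""
    key = b"constructed-demo-key"
    digest = hashlib.sha1(b"zone data").digest()
    good = mock_sign(key, digest)
    wrong = mock_sign(b"other-key", digest)          # right length, wrong signer
    malformed = b"\x00\x01\x02"                      # too short to be well-formed
    return {
        "good":      (accept_buggy(key, digest, good),      accept_fixed(key, digest, good)),
        "wrong":     (accept_buggy(key, digest, wrong),     accept_fixed(key, digest, wrong)),
        "malformed": (accept_buggy(key, digest, malformed), accept_fixed(key, digest, malformed)),
    }

if __name__ == "__main__":
    # Only the malformed case separates the two checks: the buggy one accepts it.
    for case, (buggy, fixed) in demo().items():
        print(f"{case:10s} buggy accepts: {str(buggy):5s}  fixed accepts: {fixed}")
```

The same reasoning applies to any C caller of these functions: test `== 1`, never `!= 0`, `< 0` or `!ret`, because two of the three possible results mean "do not trust this signature".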
online-bookmarks: multiple vulnerabilities
Package(s): online-bookmarks
CVE #(s): CVE-2004-2155, CVE-2006-6358, CVE-2006-6359
Created: January 13, 2009
Updated: January 14, 2009
Description: From the Gentoo advisory: The following vulnerabilities were reported:
* Authentication bypass when directly requesting certain pages (CVE-2004-2155).
* Insufficient input validation in the login function in auth.inc (CVE-2006-6358).
* Unspecified cross-site scripting vulnerability (CVE-2006-6359).
A remote attacker could exploit these vulnerabilities to bypass authentication mechanisms, execute arbitrary SQL statements or inject arbitrary web scripts.
Alerts:
Comments (none posted)
pam_mount: insecure tmp file usage
Package(s): pam_mount
CVE #(s): CVE-2008-5138
Created: January 12, 2009
Updated: March 2, 2009
Description: From the Mandriva advisory: passwdehd script in pam_mount would allow local users to overwrite arbitrary files via a symlink attack on a temporary file.
Alerts:
Comments (none posted)
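The cups, jhead (first item) and pam_mount entries above share one bug class: a program writes to a predictable path in a shared directory, and a local user who plants a symlink at that name first redirects the write onto a file of their choosing. The following added example (not code from any of those packages) reproduces the mechanism inside a private sandbox directory and contrasts it with two fixes: a create-only open with O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it), which refuses to go through a pre-existing symlink, and tempfile.mkstemp, which picks an unpredictable name and creates it atomically. All paths and contents are constructed.

```python
"""Predictable temp-file names versus a pre-planted symlink. Added example, not code
from CUPS, jhead or pam_mount; everything happens inside a TemporaryDirectory."""
import os
import tempfile

def write_log_insecure(path, data):
    """Vulnerable pattern: open() follows an existing symlink and truncates its target."""
    with open(path, "w") as f:
        f.write(data)

def write_log_safe(path, data):
    """Hardened pattern: create-only open that fails if anything already sits at path."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)     # extra refusal of symlinks where supported
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def write_log_mkstemp(directory, data):
    """Preferred fix: an unpredictable name, created atomically with mode 0600."""
    fd, path = tempfile.mkstemp(prefix="app-", suffix=".log", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def demo():
    """Return (victim clobbered by the insecure write, safe write refused, mkstemp write ok)."""
    with tempfile.TemporaryDirectory() as sandbox:
        victim = os.path.join(sandbox, "victim.txt")           # constructed target file
        with open(victim, "w") as f:
            f.write("original contents\n")
        predictable = os.path.join(sandbox, "app.log")         # the guessable log name
        os.symlink(victim, predictable)                        # planted before the program runs

        write_log_insecure(predictable, "log line\n")
        with open(victim) as f:
            clobbered = f.read() == "log line\n"              # the write went through the link

        try:
            write_log_safe(predictable, "log line\n")
            refused = False
        except OSError:                                        # EEXIST (O_EXCL) or ELOOP (O_NOFOLLOW)
            refused = True

        path = write_log_mkstemp(sandbox, "log line\n")
        with open(path) as f:
            mkstemp_ok = f.read() == "log line\n" and path != predictable
        return clobbered, refused, mkstemp_ok

if __name__ == "__main__":
    print(demo())   # expected on a POSIX system: (True, True, True)
```

The O_EXCL behaviour is specified by POSIX: with O_CREAT|O_EXCL, open() fails with EEXIST when the path names a symbolic link, even a dangling one, which is what makes the create-only open safe against a planted link. Running as an unprivileged user in a shared /tmp is exactly the situation the three advisories describe, so the sandbox directory here stands in for that.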
pdnsd: denial of service
Package(s): pdnsd
CVE #(s): CVE-2008-4194
Created: January 12, 2009
Updated: January 14, 2009
Description: From the Gentoo advisory: The p_exec_query() function in src/dns_query.c does not properly handle many entries in the answer section of a DNS reply, related to a "dangling pointer bug" (CVE-2008-4194). [This] can be exploited by enticing pdnsd to send a query to a malicious DNS server, or using the port randomization weakness, and might lead to a Denial of Service.
Alerts:
Comments (none posted)
python: multiple vulnerabilities
Package(s): python
CVE #(s): CVE-2008-4864, CVE-2008-5031
Created: January 12, 2009
Updated: July 30, 2009
Description: From the Mandriva advisory:
Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679. (CVE-2008-4864)
Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315. (CVE-2008-5031)
Alerts:
Comments (none posted)
qemu: password guessing
Package(s): qemu
CVE #(s): CVE-2008-5714
Created: January 14, 2009
Updated: October 13, 2009
Description: An off-by-one error in Qemu 0.9.1 makes password guessing attacks easier than they should be.
Alerts:
Comments (none posted)
Streamripper: multiple vulnerabilities
Package(s): streamripper
CVE #(s): CVE-2008-4829
Created: January 12, 2009
Updated: January 14, 2009
Description: From the Gentoo advisory: Stefan Cornelius from Secunia Research reported multiple buffer overflows in the http_parse_sc_header(), http_get_pls() and http_get_m3u() functions in lib/http.c when parsing overly long HTTP headers, or pls and m3u playlists with overly long entries. A remote attacker could entice a user to connect to a malicious server, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.
Alerts:
Comments (none posted)
vinagre: arbitrary code execution
Package(s): vinagre
CVE #(s): CVE-2008-5660
Created: January 12, 2009
Updated: March 9, 2009
Description: From the SUSE advisory: A format string problem in vinagre potentially allowed malicious VNC servers to have a vinagre client that connects to the server execute arbitrary code. (CVE-2008-5660)
Alerts:
Comments (none posted)
zaptel: arbitrary code execution
Package(s): zaptel
CVE #(s): CVE-2008-5396, CVE-2008-5744
Created: January 12, 2009
Updated: January 14, 2009
Description: From the Debian advisory: An array index error in zaptel, a set of drivers for telephony hardware, could allow users to crash the system or escalate their privileges by overwriting kernel memory (CVE-2008-5396).
From the CVE-2008-5744 entry: Array index error in the dahdi/tor2.c driver in Zaptel (aka DAHDI) 1.4.11 and earlier allows local users in the dialout group to overwrite an integer value in kernel memory by writing to /dev/zap/ctl, related to an incorrect tor2 patch for CVE-2008-5396 that uses the wrong variable in a range check against the value of lc->sync.
Alerts:
Comments (none posted)
Page editor: Jake Edge