Security
By Jake Edge March 25, 2009
It will come as no surprise to long-time readers of this page (or others
who have followed embedded device security), but recent reports
of the "first Linux botnet" are making the subject of router/modem security
more visible to the general public. As we have reported previously, embedded,
network-facing devices make tempting targets. It appears that a botnet
herder noticed that and is trying to take advantage of Linux-based
devices.
Perhaps the most surprising part about the attack is the simplicity of the vulnerability it is exploiting. As far as anyone has found, "psyb0t", as the botnet is known, just brute forces username/password pairs over telnet, ssh, or http. The earliest research [PDF] on the botnet was from January; at that time it was only known to be exploiting a particular ADSL modem (Netcomm NB5) that, at one time, had non-existent authorization on its WAN-facing administrative web interface.
More recently, DroneBL found more
infected routers when investigating a distributed denial of service
(DDOS) against its servers. The botnet is targeting Linux devices using
the mipsel (MIPS little-endian) architecture, which includes many
Linux-based home routers. OpenWRT,
DD-WRT, and other projects all provide
Linux-mipsel firmware for a variety of potentially vulnerable devices.
Once the infecting program gets access to the device, it downloads the botnet code and disables access to the device via telnet, ssh, or http. While its method of getting access is simple, the botnet code itself is very capable. It connects to a command-and-control IRC channel (#mipsel) on a particular host under the control of the botnet herder. Commands on that channel can order the botnet nodes to carry out various denial of service attacks, scan for vulnerable MySQL and phpMyAdmin sites and subvert them, port scan particular hosts, update the botnet code, and more. The IRC channel has since been shut down with a message indicating that psyb0t was strictly a research project by someone known as DRS. The message also claimed that no DDOS or phishing was done and that the botnet reached 80,000 nodes.
While it may well be that the danger of this particular threat has passed,
the more general issue of router, especially home router, security
persists. A fully capable, always-on Linux device is a very attractive
target for botnet herders or other types of attackers. Trying to put
together a botnet of Linux desktops and servers might be a much more
difficult task as there is a much wider diversity of distributions and
kernel versions, as well as different architectures and configurations. To
a great extent, the Linux-based home router landscape is much more
homogeneous, as psyb0t has shown.
Clearly, default and/or weak passwords are a serious problem, and not just for Linux-based devices, but it would not be surprising to find that other vulnerabilities (such as authentication bypass) are present on many of these devices. Unlike a simple password change, those kinds of flaws require an update to the router firmware, which, in turn, requires users to know about the problem and to understand where to get the code that fixes it and how to apply it. This is certainly a problem we have not seen the last of.
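The credential brute forcing the article describes leaves a distinctive trace in a router's own logs: a burst of failed logins from one source, often followed by a success. The following Python script is an added, defender-side illustration (not code from the article or from psyb0t); it counts failed password attempts per source address inside a short window and records whether a login from that source succeeded afterwards. The log lines and the dropbear-style message format are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of dropbear (the ssh server on OpenWrt)
# syslog output; not captured from any real device.
SAMPLE_LOG = """\
Mar 25 10:00:01 router dropbear[812]: Bad password attempt for 'root' from 10.0.0.7:51234
Mar 25 10:00:02 router dropbear[813]: Bad password attempt for 'admin' from 10.0.0.7:51235
Mar 25 10:00:03 router dropbear[814]: Bad password attempt for 'root' from 10.0.0.7:51236
Mar 25 10:00:04 router dropbear[815]: Bad password attempt for 'root' from 10.0.0.7:51237
Mar 25 10:00:05 router dropbear[816]: Bad password attempt for 'user' from 10.0.0.7:51238
Mar 25 10:00:06 router dropbear[817]: Password auth succeeded for 'root' from 10.0.0.7:51239
Mar 25 10:30:00 router dropbear[900]: Bad password attempt for 'root' from 192.168.1.5:40001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: "
    r"(?P<event>Bad password attempt|Password auth succeeded) "
    r"for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+$"
)

def parse(log, year=2009):
    """Yield (timestamp, event, user, ip) for every line the regex matches.
    Syslog lines carry no year, so one is supplied by the caller."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["event"], m["user"], m["ip"]

def find_bruteforce(log, threshold=4, window=timedelta(seconds=60)):
    """Return {ip: report} for sources with at least `threshold` failed logins
    inside `window`; a later success from a flagged source is recorded too."""
    attempts = defaultdict(list)   # ip -> [(ts, user), ...] still inside the window
    report = {}
    for ts, event, user, ip in parse(log):
        if event == "Bad password attempt":
            recent = [(t, u) for t, u in attempts[ip] if ts - t <= window]
            recent.append((ts, user))
            attempts[ip] = recent
            if len(recent) >= threshold:
                entry = report.setdefault(ip, {"success_after_burst": False})
                entry["failures"] = len(recent)
                entry["users"] = sorted({u for _, u in recent})
        elif ip in report:
            # A successful login right after a burst of failures is the
            # compromise pattern the article describes; flag it separately.
            report[ip]["success_after_burst"] = True
    return report
```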
New vulnerabilities
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
| CVE #(s): | CVE-2008-4437, CVE-2008-6098, CVE-2009-0481, CVE-2009-0483, CVE-2009-0484, CVE-2009-0485, CVE-2009-0486, CVE-2009-0482 |
| Created: | March 19, 2009 |
| Updated: | June 4, 2010 |
Description: Bugzilla has a number of vulnerabilities. From the Fedora alerts:
Directory traversal vulnerability in importxml.pl in Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path is enabled, allows remote attackers to read arbitrary files via an XML file with a .. (dot dot) in the data element. (CVE-2008-4437)
Bugzilla 3.2 before 3.2 RC2, 3.0 before 3.0.6, 2.22 before 2.22.6, 2.20 before 2.20.7, and other versions after 2.17.4 allows remote authenticated users to bypass moderation to approve and disapprove quips via a direct request to quips.cgi with the action parameter set to "approve." (CVE-2008-6098)
Bugzilla 2.x before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote authenticated users to conduct cross-site scripting (XSS) and related attacks by uploading HTML and JavaScript attachments that are rendered by web browsers. (CVE-2009-0481)
Cross-site request forgery (CSRF) vulnerability in Bugzilla before 3.2 before 3.2.1, 3.3 before 3.3.2, and other versions before 3.2 allows remote attackers to perform bug updating activities as other users via a link or IMG tag to process_bug.cgi. (CVE-2009-0482)
Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.22 before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete keywords and user preferences via a link or IMG tag to (1) editkeywords.cgi or (2) userprefs.cgi. (CVE-2009-0483)
Cross-site request forgery (CSRF) vulnerability in Bugzilla 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete shared or saved searches via a link or IMG tag to buglist.cgi. (CVE-2009-0484)
Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.17 to 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete unused flag types via a link or IMG tag to editflagtypes.cgi. (CVE-2009-0485)
Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users. (CVE-2009-0486)
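The CVE-2009-0486 item above turns on one detail: a PRNG seeded once in the parent and inherited unchanged by every forked Apache child. The following Python block is an added illustration of that process pattern, not Bugzilla's own code: the parent seeds its generator, the children start from identical state and so mint identical CSRF tokens, and two remedies (reseeding in each child, or taking tokens from the OS CSPRNG instead) restore distinct values. The fork is simulated by copying PRNG state, which is what fork() does to process memory; the token formats are assumptions for the demonstration.

```python
import random
import secrets

def seeded_parent(seed):
    """Models a mod_perl parent that calls srand() exactly once at startup."""
    return random.Random(seed)

def fork_children(parent, n):
    """fork() duplicates the parent's memory, PRNG state included, so every
    child begins from the same generator state. Simulated by copying it."""
    state = parent.getstate()
    children = []
    for _ in range(n):
        child = random.Random()
        child.setstate(state)
        children.append(child)
    return children

def weak_csrf_token(rng):
    """Token derived from the process-local, seeded PRNG (the flawed pattern)."""
    return "%016x" % rng.getrandbits(64)

def tokens_shared_seed(seed, n):
    """Vulnerable setup: n children, all inheriting the parent's seed."""
    return [weak_csrf_token(c) for c in fork_children(seeded_parent(seed), n)]

def tokens_reseeded_after_fork(seed, n):
    """Mitigation A: each child reseeds from the OS entropy pool after fork."""
    children = fork_children(seeded_parent(seed), n)
    for child in children:
        child.seed(secrets.randbits(128))
    return [weak_csrf_token(c) for c in children]

def tokens_csprng(n):
    """Mitigation B: never derive security tokens from the seeded PRNG at all;
    draw them from the OS CSPRNG, which is independent of process seeding."""
    return [secrets.token_hex(8) for _ in range(n)]

if __name__ == "__main__":
    print("shared seed:   ", tokens_shared_seed(20090325, 4))   # all identical
    print("reseeded:      ", tokens_reseeded_after_fork(20090325, 4))
    print("os csprng:     ", tokens_csprng(4))
```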
compiz-fusion: screen lock bypass
| Package(s): | compiz-fusion |
| CVE #(s): | CVE-2008-6514 |
| Created: | March 25, 2009 |
| Updated: | March 30, 2010 |
Description: Compiz-fusion allows local users to simply drag the screen saver out of the way, thus bypassing any associated screen lock.
drupal-cck: cross-site scripting
| Package(s): | drupal-cck |
| CVE #(s): | |
| Created: | March 23, 2009 |
| Updated: | March 25, 2009 |
Description: From the Drupal advisory:
The Node reference and User reference sub-modules, which are part of the Content Construction Kit (CCK) project, let administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate referenced nodes or names of candidate referenced users are not properly filtered, allowing malicious users to inject arbitrary code on those pages. Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access.
ejabberd: cross-site scripting vulnerability
| Package(s): | ejabberd |
| CVE #(s): | CVE-2009-0934 |
| Created: | March 19, 2009 |
| Updated: | April 17, 2009 |
Description: ejabberd has a cross-site scripting vulnerability. From the Fedora alert:
Cross-site scripting (XSS) vulnerability in ejabberd before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to links and MUC logs.
ffmpeg: unspecified vulnerabilities
| Package(s): | ffmpeg |
| CVE #(s): | CVE-2008-4868, CVE-2008-4869 |
| Created: | March 20, 2009 |
| Updated: | December 7, 2009 |
Description: From the CVE entries:
Unspecified vulnerability in the avcodec_close function in libavcodec/utils.c in FFmpeg 0.4.9 before r14787, as used by MPlayer, has unknown impact and attack vectors, related to a free "on random pointers."
FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attackers to cause a denial of service (memory consumption) via unknown vectors, aka a "Tcp/udp memory leak."
ghostscript: integer overflows
| Package(s): | ghostscript |
| CVE #(s): | CVE-2009-0583, CVE-2009-0584 |
| Created: | March 19, 2009 |
| Updated: | December 4, 2009 |
Description: Ghostscript has several integer overflow vulnerabilities. From the Red Hat alert:
Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in Ghostscript's International Color Consortium Format library (icclib). Using specially-crafted ICC profiles, an attacker could create a malicious PostScript or PDF file with embedded images which could cause Ghostscript to crash, or, potentially, execute arbitrary code when opened by the victim. (CVE-2009-0583, CVE-2009-0584)
jasper: insecure temp files
| Package(s): | jasper |
| CVE #(s): | CVE-2008-3521 |
| Created: | March 20, 2009 |
| Updated: | April 19, 2010 |
Description: From the Ubuntu advisory:
It was discovered that JasPer created temporary files in an insecure way. Local users could exploit a race condition and cause a denial of service in libjasper applications.
kernel: multiple ext4 denial of service vulnerabilities
| Package(s): | linux-2.6 |
| CVE #(s): | CVE-2009-0745, CVE-2009-0746, CVE-2009-0747, CVE-2009-0748 |
| Created: | March 23, 2009 |
| Updated: | September 16, 2009 |
Description: From the Debian advisory:
CVE-2009-0745: Peter Kerwien discovered an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) during a resize operation.
CVE-2009-0746: Sami Liedes reported an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) when accessing a specially crafted corrupt filesystem.
CVE-2009-0747: David Maciejak reported an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) when mounting a specially crafted corrupt filesystem.
CVE-2009-0748: David Maciejak reported an additional issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) when mounting a specially crafted corrupt filesystem.
lcms: multiple vulnerabilities
| Package(s): | lcms |
| CVE #(s): | CVE-2009-0581, CVE-2009-0723, CVE-2009-0733 |
| Created: | March 19, 2009 |
| Updated: | December 3, 2009 |
Description: lcms has three vulnerabilities. From the Red Hat alert:
Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in LittleCMS. An attacker could use these flaws to create a specially-crafted image file which could cause an application using LittleCMS to crash, or, possibly, execute arbitrary code when opened by a victim. (CVE-2009-0723, CVE-2009-0733)
A memory leak flaw was found in LittleCMS. An application using LittleCMS could use an excessive amount of memory, and possibly crash after using all available memory, if used to open specially-crafted images. (CVE-2009-0581)
libvirt: privilege escalation
| Package(s): | libvirt |
| CVE #(s): | CVE-2009-0036 |
| Created: | March 19, 2009 |
| Updated: | March 25, 2009 |
Description: libvirt has a privilege escalation vulnerability. From the Red Hat alert:
libvirt_proxy, a setuid helper application allowing non-privileged users to communicate with the hypervisor, was discovered to not properly validate user requests. Local users could use this flaw to cause a stack-based buffer overflow in libvirt_proxy, possibly allowing them to run arbitrary code with root privileges. (CVE-2009-0036)
muttprint: insecure temporary files
| Package(s): | muttprint |
| CVE #(s): | CVE-2008-5368 |
| Created: | March 24, 2009 |
| Updated: | March 25, 2009 |
Description: From the Gentoo advisory:
Dmitry E. Oboukhov reported an insecure usage of the temporary file "/tmp/muttprint.log" in the muttprint script. A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application.
opensc: insufficient access restrictions
| Package(s): | opensc |
| CVE #(s): | CVE-2009-0368 |
| Created: | March 19, 2009 |
| Updated: | June 1, 2009 |
Description: opensc has a vulnerability involving insufficient access restrictions on private data. From the Red Hat alert:
OpenSC stores private data without proper access restrictions. User "b.badrignans" reported this security problem on December 4th, 2008. In June 2007 support for private data objects was added to OpenSC. Only later was a severe security bug found: while the OpenSC PKCS#11 implementation requires PIN verification to access the data, low level APDU commands or debugging tools like opensc-explorer or opensc-tool can access the private data without any authentication. This was fixed in OpenSC 0.11.7.
pam: denial of service, possible privilege escalation
| Package(s): | pam |
| CVE #(s): | CVE-2009-0887 |
| Created: | March 23, 2009 |
| Updated: | May 31, 2011 |
Description: From the Mandriva advisory:
Integer signedness error in the _pam_StrTok function in libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a configuration file contains non-ASCII usernames, might allow remote attackers to cause a denial of service, and might allow remote authenticated users to obtain login access with a different user's non-ASCII username, via a login attempt (CVE-2009-0887).
postgresql: denial of service
| Package(s): | postgresql |
| CVE #(s): | CVE-2009-0922 |
| Created: | March 23, 2009 |
| Updated: | November 2, 2009 |
Description: From the Red Hat bugzilla:
A stack overflow was found in how PostgreSQL handles conversion encoding. This could allow an authenticated user to kill connections to the PostgreSQL server for a small amount of time, which could interrupt transactions by other users/clients.
seamonkey: multiple vulnerabilities
| Package(s): | seamonkey |
| CVE #(s): | |
| Created: | March 25, 2009 |
| Updated: | April 14, 2009 |
Description: Seamonkey 1.1.15 contains fixes for a number of security issues.
thunderbird: multiple vulnerabilities
| Package(s): | thunderbird |
| CVE #(s): | |
| Created: | March 25, 2009 |
| Updated: | March 25, 2009 |
Description: A number of security issues, generally involving memory corruption, have been fixed in the thunderbird 2.0.0.21 release.
webcit: format string vulnerability
| Package(s): | webcit |
| CVE #(s): | CVE-2009-0364 |
| Created: | March 24, 2009 |
| Updated: | March 25, 2009 |
Description: From the Debian advisory:
Wilfried Goesgens discovered that WebCit, the web-based user interface for the Citadel groupware system, contains a format string vulnerability in the mini_calendar component, possibly allowing arbitrary code execution.
Page editor: Jake Edge