By Jake Edge
June 10, 2009
The Linux packet filtering framework, netfilter, recently added a new
capability: passive operating system fingerprinting (OSF). By observing the
initial packet (the SYN) of a TCP connection, the OSF module can often
determine the operating system at the other end. Putting that capability
into netfilter allows administrators to use OS information as part of the
rules they specify with iptables, for a firewall or any other packet
filtering application.
Evgeniy Polyakov announced on his weblog that his implementation of OSF
had been added to the netfilter tree. Some six years in the making for
Linux, the feature has long been available in OpenBSD's pf. The basic idea
is that the network packets sent by a particular OS use characteristic
values for various TCP/IP parameters (such as the initial window size and
TTL). Those values, along with the order and values of the TCP options, are
distinctive enough to identify the OS and, generally within a range of
versions, which version of it is running.
This is passive fingerprinting: only traffic the remote system sends anyway
is examined, so there is nothing for the other end to notice and possibly
react to. Nmap and other tools do active fingerprinting, sending probes of
various kinds to get a more accurate picture of the remote system. Active
fingerprinting can be detected, but either kind can be fooled by a system
that takes steps to obscure its fingerprint, or to emulate a different OS
entirely.
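To make the matching concrete, here is an added example written for this page (it is not code from the netfilter OSF module or from OpenBSD's pf). It pulls the fingerprint fields out of a raw IPv4/TCP SYN and compares them with signatures written in the pf.os line format (window:ttl:df:size:options:class:genre:details). The two signature lines, the SYN packets and the 32-hop TTL budget are constructed assumptions, only a subset of the pf.os window and option tokens is supported, and checksums are not verified.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample signatures in the pf.os line format window:ttl:df:size:options:class:genre:details.
# window: exact value, S<n> (n * MSS) or *; options in wire order: M<n>/M* (MSS), N (NOP), S (SACK OK),
# T/T0 (timestamp non-zero/zero), W<n>/W* (window scale); "." means no options at all.
SAMPLE_SIGNATURES = """
S4:64:1:60:M*,S,T,N,W7:Linux:2.6:Linux 2.6 (constructed sample)
65535:128:1:48:M*,N,N,S:Windows:XP:Windows XP (constructed sample)
"""

@dataclass
class SynFingerprint:
    window: int
    ttl: int
    df: bool
    size: int                   # total length of the IP datagram
    mss: Optional[int]
    wscale: Optional[int]
    ts_value: Optional[int]
    layout: List[str]           # option kinds in wire order, e.g. ["M", "S", "T", "N", "W"]

def parse_syn(pkt: bytes) -> SynFingerprint:
    ver_ihl, _tos, total_len, _ident, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    if tcp[13] & 0x3F != 0x02:                       # SYN alone, not SYN/ACK
        raise ValueError("not a pure SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = tcp[20:(tcp[12] >> 4) * 4]
    i, layout, mss, wscale, ts_value = 0, [], None, None, None
    while i < len(opts) and opts[i] != 0:            # kind 0 (EOL) ends the list
        kind = opts[i]
        length = 1 if kind == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)
        if kind != 1 and (length < 2 or i + length > len(opts)):
            raise ValueError("malformed TCP option")
        body = opts[i + 2:i + length]
        if kind == 1:                                # NOP carries no length byte
            tag = "N"
        elif kind == 2 and length == 4:
            mss, tag = struct.unpack("!H", body)[0], "M"
        elif kind == 3 and length == 3:
            wscale, tag = body[0], "W"
        elif kind == 4 and length == 2:
            tag = "S"
        elif kind == 8 and length == 10:
            ts_value, tag = struct.unpack("!II", body)[0], "T"
        else:
            tag = "?"                                # a kind pf.os has no token for
        layout.append(tag)
        i += length
    return SynFingerprint(window, ttl, bool(frag & 0x4000), total_len, mss, wscale, ts_value, layout)

def _window_ok(spec: str, fp: SynFingerprint) -> bool:
    if spec[0] == "S":                               # window expressed as a multiple of the MSS
        return fp.mss is not None and fp.window == int(spec[1:]) * fp.mss
    return spec == "*" or fp.window == int(spec)

def _options_ok(spec: str, fp: SynFingerprint) -> bool:
    tokens = [] if spec == "." else spec.split(",")
    if [t[0] for t in tokens] != fp.layout:          # order matters, not just presence
        return False
    valued = {"M": fp.mss, "W": fp.wscale}
    for t in tokens:
        if t[0] in valued and t[1:] != "*" and valued[t[0]] != int(t[1:]):
            return False
        if t == "T0" and fp.ts_value != 0 or t == "T" and fp.ts_value == 0:
            return False
    return True

def load_signatures(text: str) -> List[Tuple[str, ...]]:
    lines = (ln.strip() for ln in text.splitlines())
    return [tuple(ln.split(":", 7)) for ln in lines if ln and not ln.startswith("#")]

def fingerprint(pkt: bytes, sigs: List[Tuple[str, ...]]) -> List[Tuple[str, str, str]]:
    """Return (class, genre, details) for every signature the SYN matches."""
    fp, hits = parse_syn(pkt), []
    for window, ttl, df, size, options, cls, genre, details in sigs:
        ttl_ok = 0 <= int(ttl) - fp.ttl < 32         # assumed hop budget; TTL only decreases en route
        size_ok = size == "*" or fp.size == int(size)
        if ttl_ok and size_ok and fp.df == (df == "1") and _window_ok(window, fp) and _options_ok(options, fp):
            hits.append((cls, genre, details))
    return hits

def build_syn(ttl: int, df: bool, window: int, options: bytes) -> bytes:
    tcp_len = 20 + len(options)                      # constructed packet; checksums left at zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options

# Constructed SYNs: Linux 2.6 style (MSS 1460, SACK OK, timestamp, NOP, wscale 7, window 4 * MSS)
# and Windows XP style (MSS 1460, NOP, NOP, SACK OK, window 65535).
LINUX_OPTS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + struct.pack("!II", 1, 0) + b"\x01\x03\x03\x07"
XP_OPTS = b"\x02\x04\x05\xb4\x01\x01\x04\x02"
LINUX_SYN = build_syn(64, True, 5840, LINUX_OPTS)
XP_SYN = build_syn(128, True, 65535, XP_OPTS)
```

fingerprint(LINUX_SYN, load_signatures(SAMPLE_SIGNATURES)) returns the Linux entry and fingerprint(XP_SYN, ...) the Windows one; a Linux-style SYN arriving with TTL 58 still matches because the TTL test allows for hops in transit, while the same packet with window scale 5 instead of 7 matches nothing. Two points a kernel match has to get right show up even in this toy: option order is compared, not just option presence, and the window is matched as a multiple of the MSS the same SYN advertises, so a single fixed window value would not do.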
Currently, in order to use OSF, one must patch the kernel and build the
user-space tools, but that will likely change with the 2.6.31 kernel, at
least for the xt_osf.ko kernel module. The user-space tools (an OSF-aware
iptables and the nfnl_osf utility, which loads fingerprint information into
the kernel at run time) may lag, depending on the distribution. A
fingerprint file (pf.os) is available from OpenBSD and can be fed directly
to nfnl_osf to load the fingerprints into the kernel.
Packet filtering based on the remote OS has a number of potential uses,
from defending against a virus or denial of service attack that only comes
from a particular OS to recognizing vulnerable OS installations on the
network. As with most security tools, it can be used for good or ill, but it
is a capability that mainline Linux has long lacked. It is nice to see
that change.
New vulnerabilities
apr-util: denial of service
Package(s): apr-util
CVE #(s): CVE-2009-0023
Created: June 5, 2009
Updated: December 4, 2009
Description: From the Debian advisory:
"kcope" discovered a flaw in the handling of internal XML entities in the apr_xml_* interface that can be exploited to use all available memory. This denial of service can be triggered remotely in the Apache mod_dav and mod_dav_svn modules. (No CVE id yet)
Matthew Palmer discovered an underflow flaw in the apr_strmatch_precompile function that can be exploited to cause a daemon crash. The vulnerability can be triggered (1) remotely in mod_dav_svn for Apache if the "SVNMasterURI" directive is in use, (2) remotely in mod_apreq2 for Apache or other applications using libapreq2, or (3) locally in Apache by a crafted ".htaccess" file. (CVE-2009-0023)
apr-util: multiple vulnerabilities
Package(s): apr-util
CVE #(s): CVE-2009-1955, CVE-2009-1956
Created: June 8, 2009
Updated: May 10, 2010
Description: From the Mandriva advisory:
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564 (CVE-2009-1955).
Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input (CVE-2009-1956).
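Both apr-util entries above describe the same entity-expansion pattern, often called a "billion laughs" document: a small DTD declares entities that each reference the previous one many times, so expanding the outermost reference produces output exponentially larger than the input. The following is an added example (not apr-util's or Apache's code) of the pre-expansion check a parser can apply. It uses Python's expat binding to collect the internal entity declarations as the DTD is read, computes the worst-case expansion size, and aborts at the end of the DOCTYPE, before expat has expanded a single reference in the content, if that size exceeds a cap. The bomb and benign documents are constructed samples, and the 1 MiB default cap is an assumption.

```python
import re
import xml.parsers.expat

ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:\-]*);")   # general entity reference in replacement text

class EntityExpansionLimit(Exception):
    """Raised when the declared entities could expand beyond the configured cap."""

def expansion_size(name, entities, memo, active=()):
    """Bytes produced by fully expanding entity *name* (memoised; rejects recursive definitions)."""
    if name in memo:
        return memo[name]
    if name in active:
        raise EntityExpansionLimit(f"recursive entity reference: {name}")
    value = entities.get(name)
    if value is None:                 # predefined, external or undeclared: no amplification to count
        return len(name) + 2
    size, pos = 0, 0
    for m in ENTITY_REF.finditer(value):
        size += (m.start() - pos) + expansion_size(m.group(1), entities, memo, active + (name,))
        pos = m.end()
    memo[name] = size + (len(value) - pos)
    return memo[name]

def check_entities(doc: bytes, max_expansion: int = 1 << 20) -> int:
    """Parse *doc*; return the largest expansion any internal general entity would produce.

    The check runs in the end-of-DOCTYPE callback, so an oversized document costs only
    the DTD parse: the content, where the expansion would actually happen, is never reached.
    """
    entities = {}
    worst = 0

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is not None and not is_param:       # internal general entity; value is unexpanded text
            entities[name] = value

    def on_end_doctype():
        nonlocal worst
        memo = {}
        worst = max((expansion_size(n, entities, memo) for n in entities), default=0)
        if worst > max_expansion:
            raise EntityExpansionLimit(f"entities expand to {worst} bytes, cap is {max_expansion}")

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.EndDoctypeDeclHandler = on_end_doctype
    parser.Parse(doc, True)
    return worst

def entity_bomb_detected(doc: bytes, max_expansion: int = 1 << 20) -> bool:
    try:
        check_entities(doc, max_expansion)
    except EntityExpansionLimit:
        return True
    return False

def make_bomb(depth=4, fanout=10, seed="lol"):
    """Constructed billion-laughs document: expands to len(seed) * fanout**depth bytes."""
    decls = [f'<!ENTITY {seed}0 "{seed}">']
    for i in range(1, depth + 1):
        refs = f"&{seed}{i - 1};" * fanout
        decls.append(f'<!ENTITY {seed}{i} "{refs}">')
    body = "\n ".join(decls)
    return f"<?xml version='1.0'?>\n<!DOCTYPE bomb [\n {body}\n]>\n<bomb>&{seed}{depth};</bomb>".encode()

BOMB_DOC = make_bomb()               # a few hundred bytes of input, 30000 bytes on expansion
BENIGN_DOC = b"<!DOCTYPE d [<!ENTITY corp \"Example Corp\">]><d>&corp;</d>"
```

check_entities(BOMB_DOC) returns 30000 and, with the cap lowered to 10 KiB, entity_bomb_detected(BOMB_DOC, 10 * 1024) is True while the benign document passes. The same idea, measuring amplification rather than trusting a fixed nesting depth, is what libexpat itself added as built-in protection in 2.4.0; the 2009 apr-util fix predates that, which is why applications had to add their own limits around the apr_xml_* interface.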
ecryptfs-utils: passphrase leak
Package(s): ecryptfs-utils
CVE #(s): CVE-2009-1296
Created: June 9, 2009
Updated: September 16, 2009
Description: From the Ubuntu advisory:
Chris Jones discovered that the eCryptfs support utilities would report the mount passphrase into installation logs when an eCryptfs home directory was selected during Ubuntu installation. The logs are only readable by the root user, but this still left the mount passphrase unencrypted on disk, potentially leading to a loss of privacy.
file: heap-based buffer overflow
Package(s): file
CVE #(s): CVE-2009-1515
Created: June 5, 2009
Updated: June 10, 2009
Description: From the Mandriva advisory:
Heap-based buffer overflow in the cdf_read_sat function in src/cdf.c in Christos Zoulas file 5.00 allows user-assisted remote attackers to execute arbitrary code via a crafted compound document file, as demonstrated by a .msi, .doc, or .mpp file.
gstreamer0.10-plugins-good: arbitrary code execution
Package(s): gstreamer0.10-plugins-good
CVE #(s): CVE-2009-1932
Created: June 8, 2009
Updated: December 4, 2009
Description: From the Mandriva advisory:
Multiple integer overflows in the (1) user_info_callback, (2) user_endrow_callback, and (3) gst_pngdec_task functions (ext/libpng/gstpngdec.c) in GStreamer Good Plug-ins (aka gst-plugins-good or gstreamer-plugins-good) 0.10.15 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted PNG file, which triggers a buffer overflow (CVE-2009-1932).
imagemagick: integer overflow
Package(s): imagemagick
CVE #(s): CVE-2009-1882
Created: June 9, 2009
Updated: October 27, 2010
Description: From the CVE entry:
Integer overflow in the XMakeImage function in magick/xwindow.c in ImageMagick 6.5.2-8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF file, which triggers a buffer overflow. NOTE: some of these details are obtained from third party information.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2009-1961
Created: June 8, 2009
Updated: July 29, 2009
Description: From the National Vulnerability Database entry:
The inode double locking code in fs/ocfs2/file.c in the Linux kernel 2.6.30 before 2.6.30-rc3, 2.6.27 before 2.6.27.24, 2.6.29 before 2.6.29.4, and possibly other versions down to 2.6.19 allows local users to cause a denial of service (prevention of file creation and removal) via a series of splice system calls that trigger a deadlock between the generic_file_splice_write, splice_from_pipe, and ocfs2_file_splice_write functions.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2009-1360
Created: June 9, 2009
Updated: July 2, 2009
Description: From the CVE entry:
The __inet6_check_established function in net/ipv6/inet6_hashtables.c in the Linux kernel before 2.6.29, when Network Namespace Support (aka NET_NS) is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via vectors involving IPv6 packets.
Page editor: Jake Edge