By Jake Edge
July 15, 2009
In the security world, there is always tension between under- and over-reporting on vulnerabilities. Not only between the "full" and "responsible" disclosure camps, but also for those trying to make sure that users are aware of the most recent attacks. Sometimes, that can lead to reports that eventually turn out to be incomplete, overstated, or flat-out wrong. There is value even in incorrect reports, though; at a minimum they can raise the profile of the most vulnerable of services—reminding administrators to update and/or reconfigure the affected program—which may reduce the impact of the next exploit.

For many reasons, ssh vulnerabilities—or purported vulnerabilities—are treated differently than others. If this had been a report of yet another content management system cross-site scripting flaw or wireshark dissector bug, it would not have gotten much, if any, notice. But, ssh is one service that is turned on for nearly every server on the internet. Without ssh, many administrators couldn't access the server to handle important tasks—security updates for example.

In addition, many internet servers have just a few, trusted users, which may—unfortunately—make their administrators rather sanguine about patching for local privilege escalation flaws. That makes a way to subvert ssh and get that local access suddenly a much more dangerous flaw. In addition, many administrators allow root to log in remotely, so an ssh vulnerability might lead to root privileges without needing an additional privilege escalation flaw.

It is safe to say that exploitable ssh vulnerabilities are very high on the list of things that keep system administrators up at night. So that makes it rather easy to stir up a firestorm of publicity by reporting one. The Internet Storm Center (ISC) was one of the first to report on the rumored OpenSSH vulnerability (which we also passed along). The whole thing got started with a post to the full-disclosure mailing list that purported to show an ssh "zero-day" exploit compromising a server in New Zealand.

It wasn't very long before folks realized that it was likely the result of a "brute force" attack against a user password, but there was enough "chatter" of various sorts (see the updates on the ISC post) that it was difficult to be sure. In the end, we still aren't completely sure, but OpenSSH developer Damien Miller posted his belief that there was no ssh zero-day; ISC also posted a notice calling the vulnerability reports bogus. In the absence of any more information, those would seem to close the book on this vulnerability.

While it was a bit of a fire drill, it is likely that the reports led to some system administrators taking a look at their ssh installation to make sure it was up to date. They may also have tightened up their configuration in ways that might lessen the chances of a vulnerability affecting their systems. Disallowing root logins, requiring key-based instead of password-based logins, or restricting ssh access to certain IP addresses are all steps that administrators may have taken. Perhaps it was needless in this case, but a general tightening up of ssh configuration is likely to be helpful in fending off brute-force or other attacks down the road.
Brief items
The H warns of a DHCP client vulnerability which allows a hostile server to take over the system. "According to Marcus Meissner from SUSE, the vulnerability doesn't affect Red Hat and SUSE because their source code includes the FORTIFY_SOURCE feature. With it, the GNU Compiler Collection (GCC) knows how large the buffer is, including the maximum size. The glibc gets the buffer size information and uses a version of strcpy() that checks and makes sure that no more than 20 bytes are copied. If the buffer is greater, then the program is aborted."
New vulnerabilities
acroread: multiple vulnerabilities
| Package(s): | acroread |
| CVE #(s): | CVE-2009-1492, CVE-2009-1493 |
| Created: | July 13, 2009 |
| Updated: | July 15, 2009 |
| Description: | From the Gentoo advisory: Arr1val reported that multiple methods in the JavaScript API might lead to memory corruption when called with crafted arguments (CVE-2009-1492, CVE-2009-1493). |
| Alerts: | |
apache: multiple vulnerabilities
| Package(s): | apache |
| CVE #(s): | CVE-2009-1890, CVE-2009-1891 |
| Created: | July 9, 2009 |
| Updated: | December 7, 2009 |
| Description: | Apache has two denial of service vulnerabilities. From the Mandriva alert: The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests (CVE-2009-1890). Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects (CVE-2009-1891). |
| Alerts: | |
camlimages: integer overflow
| Package(s): | camlimages |
| CVE #(s): | CVE-2009-2295 |
| Created: | July 14, 2009 |
| Updated: | June 1, 2010 |
| Description: | From the Debian advisory: Tielei Wang discovered that CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. |
| Alerts: | |
dbus: policy bypass
| Package(s): | dbus |
| CVE #(s): | CVE-2009-1189 |
| Created: | July 14, 2009 |
| Updated: | May 3, 2011 |
| Description: | From the Ubuntu advisory: It was discovered that the D-Bus library did not correctly validate signatures. If a local user sent a specially crafted D-Bus key, they could spoof a valid signature and bypass security policies. |
| Alerts: | |
dhcp: arbitrary code execution
| Package(s): | dhcp3 |
| CVE #(s): | CVE-2009-0692 |
| Created: | July 15, 2009 |
| Updated: | January 27, 2010 |
| Description: | From the Red Hat advisory: The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692) |
| Alerts: | |
dhcp: arbitrary file overwrite
| Package(s): | dhcp |
| CVE #(s): | CVE-2009-1893 |
| Created: | July 15, 2009 |
| Updated: | July 16, 2009 |
| Description: | From the Red Hat advisory: An insecure temporary file use flaw was discovered in the DHCP daemon's init script ("/etc/init.d/dhcpd"). A local attacker could use this flaw to overwrite an arbitrary file with the output of the "dhcpd -t" command via a symbolic link attack, if a system administrator executed the DHCP init script with the "configtest", "restart", or "reload" option. (CVE-2009-1893) |
| Alerts: | |
dhcp: denial of service
| Package(s): | dhcp3 |
| CVE #(s): | CVE-2009-1892 |
| Created: | July 15, 2009 |
| Updated: | December 4, 2009 |
| Description: | From the Debian advisory: Christoph Biedl discovered that the DHCP server may terminate when receiving certain well-formed DHCP requests, provided that the server configuration mixes host definitions using "dhcp-client-identifier" and "hardware ethernet". This vulnerability only affects the lenny versions of dhcp3-server and dhcp3-server-ldap. (CVE-2009-1892) |
| Alerts: | |
djbdns: unconstrained offsets
| Package(s): | djbdns |
| CVE #(s): | CVE-2009-0858 |
| Created: | July 14, 2009 |
| Updated: | July 15, 2009 |
| Description: | From the Debian advisory: Matthew Dempsky discovered that Daniel J. Bernstein's djbdns, a Domain Name System server, does not constrain offsets in the required manner, which allows remote attackers with control over a third-party subdomain served by tinydns and axfrdns, to trigger DNS responses containing arbitrary records via crafted zone data for this subdomain. |
| Alerts: | |
libtiff: arbitrary code execution
| Package(s): | tiff |
| CVE #(s): | CVE-2009-2347 |
| Created: | July 14, 2009 |
| Updated: | March 8, 2011 |
| Description: | From the Ubuntu advisory: Tielei Wang and Tom Lane discovered that the TIFF library did not correctly handle certain malformed TIFF images. If a user or automated system were tricked into processing a malicious image, an attacker could execute arbitrary code with the privileges of the user invoking the program. |
| Alerts: | |
mumbles: unsafe shell usage
| Package(s): | mumbles |
| CVE #(s): | |
| Created: | July 13, 2009 |
| Updated: | July 15, 2009 |
| Description: |
From the Red Hat bugzilla entry:
The Firefox plugin uses os.system in an insecure fashion.
Version-Release number of selected component (if applicable):
mumbles-0.4-1.fc10
    def open_uri(self, uri):
        # look up the default application for the URI's MIME type
        mime_type = gnomevfs.get_mime_type(uri)
        application = gnomevfs.mime_get_default_application(mime_type)
        # the URI is spliced into a shell command line: a double quote or
        # other shell metacharacter in it changes how the shell parses it
        os.system(application[2] + ' "' + uri + '" &')
This would be much better written to use the subprocess module and use an
argument list like [application[2], uri], or else by using the shell's own
substitution mechanism like this:
    os.environ['URI'] = uri
    os.system(application[2] + ' "$URI" &')
|
| Alerts: | |
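As an added illustration (not code from mumbles or from the bug report), the following shows what the shell does to the concatenated command when the URI itself contains a double quote, and checks that both fixes the report suggests, an argument list and letting the shell expand "$URI", deliver the URI unchanged. The handler name and the echoing Python one-liner standing in for application[2] are assumptions made so the example runs without a desktop environment.

```python
"""Added example, not mumbles' own code: tokenizing the original command
line the way /bin/sh would, and the two safe alternatives from the report.
`handler` stands in for application[2]; the real default application is
replaced by a Python one-liner that prints back its first argument."""
import os
import shlex
import subprocess
import sys

# Constructed input: a URI containing a double quote, a space and a quote.
TRICKY_URI = 'file:///tmp/a" "b.txt'

# Stand-in handler (assumption): prints argv[1], so the round trip is visible.
ECHO_HANDLER = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def argv_seen_by_handler(handler, uri):
    """Tokenize  handler "uri"  under POSIX shell quoting rules (shlex follows
    them); the list returned is the argv the handler really receives."""
    return shlex.split(handler + ' "' + uri + '"')


def argv_with_shlex_quote(handler, uri):
    """Still string-based, but the URI is escaped with shlex.quote() first."""
    return shlex.split(handler + " " + shlex.quote(uri))


def open_uri_argv(handler_argv, uri):
    """Fix 1 from the report: an argument list, so no shell parses anything.
    A plugin would use subprocess.Popen() and not wait (the original's '&');
    here we wait and return what the handler received."""
    out = subprocess.run(handler_argv + [uri], capture_output=True,
                         text=True, check=True).stdout
    return out.rstrip("\n")


def open_uri_env(uri):
    """Fix 2 from the report: pass the URI in the environment and let the
    shell expand "$URI"; a double-quoted expansion is never re-split or
    re-parsed, whatever characters the value contains."""
    env = dict(os.environ, URI=uri)
    out = subprocess.run(["sh", "-c", 'printf "%s\\n" "$URI"'], env=env,
                         capture_output=True, text=True, check=True).stdout
    return out.rstrip("\n")


if __name__ == "__main__":
    print(argv_seen_by_handler("handler", TRICKY_URI))  # URI split in two
    print(argv_with_shlex_quote("handler", TRICKY_URI))  # one argument again
    print(open_uri_argv(ECHO_HANDLER, TRICKY_URI))
    print(open_uri_env(TRICKY_URI))
```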
sork-passwd-h3: cross-site scripting
| Package(s): | sork-passwd-h3 |
| CVE #(s): | CVE-2009-2360 |
| Created: | July 13, 2009 |
| Updated: | September 14, 2009 |
| Description: | From the Debian advisory: It was discovered that sork-passwd-h3, a Horde3 module for users to change their password, is prone to a cross-site scripting attack via the backend parameter. |
| Alerts: | |
Page editor: Jake Edge