By Jake Edge
August 5, 2009
The annual Black Hat security conference
in Las Vegas is probably the premier security event each year—at
least for the disclosure of new vulnerabilities. The event usually has one or
more high-profile disclosures that often lead to software vendors and
projects scrambling to fix the vulnerable code. This year was no
exception, with Secure Sockets Layer (SSL) taking center stage. Two of the
vulnerabilities led to Mozilla
security updates, while others showed flaws in the certificate
authority (CA) infrastructure and browser handling of Extended Validation (EV)
SSL certificates.
The most serious problem would seem to be a disconnect between CAs and
browsers on how to handle certificates with NUL (i.e. '\0') bytes in the
domain name. CAs have been willing to issue certificates for host/domain
names containing NULs, but browsers were handling them in ways that made
certificate spoofing much easier. Moxie Marlinspike and Dan Kaminsky
independently discovered the problem and both gave presentations on it at
Black Hat. Marlinspike's example was a certificate issued for
www.paypal.com\0.thoughtcrime.org, which would appear to be a legitimate
PayPal certificate to the browser user.
It has been argued that the CAs should not be issuing certificates of that
sort, especially given that C-based programs interpret NUL as the end of a
string, but the browsers have a certain amount of responsibility here as
well. It's hard to see a legitimate use for a certificate with a NUL byte
as part of the domain name, but browsers could and should have used the
string length, which is specified in the certificate, to determine how to
display and handle the domain name. The CAs should also stop signing such
certificates, and revoke those that they have already issued, but that, of
course, doesn't stop anyone from self-signing a certificate with a NUL byte
in the domain name.
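The difference between the two ways of reading the name can be seen in a short added example (not code from any browser or from the advisories). The certificate name is modelled as bytes plus the length encoded in the certificate; the `cert_name` type and the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a name field: raw bytes plus the length that the
 * certificate encodes, so the bytes may legally contain NUL. */
struct cert_name { const unsigned char *data; size_t len; };

/* ASCII case-insensitive comparison of exactly n bytes. */
static int eq_nocase(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed check: derives the length with strlen(), so the name is cut off
 * at the first NUL and whatever follows it is never examined. */
int match_cstring(const struct cert_name *cn, const char *host)
{
    size_t n = strlen((const char *)cn->data);
    return n == strlen(host) && eq_nocase(cn->data, host, n);
}

/* Length-aware check: uses the encoded length, and refuses any name with
 * an embedded NUL, since no valid host name contains one. */
int match_length_aware(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    return cn->len == strlen(host) && eq_nocase(cn->data, host, cn->len);
}

/* Constructed sample names; the first is the example cited in the article. */
static const unsigned char spoof_bytes[] = "www.paypal.com\0.thoughtcrime.org";
static const unsigned char plain_bytes[] = "www.paypal.com";
const struct cert_name spoofed = { spoof_bytes, sizeof spoof_bytes - 1 };
const struct cert_name genuine = { plain_bytes, sizeof plain_bytes - 1 };

int main(void)
{
    const char *host = "www.paypal.com";
    printf("strlen-based, NUL name: %d\n", match_cstring(&spoofed, host));
    printf("length-aware, NUL name: %d\n", match_length_aware(&spoofed, host));
    printf("length-aware, plain name: %d\n", match_length_aware(&genuine, host));
    return 0;
}
```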
The flaw could be exploited to do a man-in-the-middle attack against
users. An attacker who could intercept network traffic—via a
compromised, or just maliciously configured, wireless router for
example—could present one of these certificates when a victim
visited PayPal. Because the browser only looked at the host name
information before the NUL, the user would believe they had a secure
session with PayPal, when, in fact, they were talking to a host under the
attacker's control.
Marlinspike found another problem, which only seems to have affected the
Firefox 3.0 series, in how wildcards were handled in the host names
presented in certificates. Wildcard certificates are meant to solve the
problem of multiple hosts in a given domain that need to share
certificates. So, a CA could sign a single certificate that would work for
webhost00.example.com through webhost99.example.com. Firefox 3.0 and
earlier supported a non-standard Netscape regular expression syntax, which
Marlinspike found a way to exploit.
That exploit would cause a heap overflow that could allow arbitrary code
execution—another particularly nasty outcome. According to the
Mozilla advisory: "With version 3.5 Firefox switched to the more
limited industry-standard wildcard syntax instead and is not vulnerable to
this flaw."
Kaminsky's talk also covered a number of other issues with SSL certificate
handling. Red Hat's director of security response Mark Cox summarized those
problems along with their impact on various free software packages. For the
most part, they had much less impact than the NUL-byte spoofing attack,
which Cox notes as having been fixed in April for Firefox 3.5 in RHEL.
Another presentation on SSL came from Alexander Sotirov and Mike Zusman.
They showed that EV certificates can be replaced with valid, conventional
(aka Domain Validated or DV) certificates without changing the browser's
display to reflect the potentially reduced security. Browsers display
sites using EV certificates in green in the address bar to denote the
supposed higher security. By using a man-in-the-middle attack, and a valid
DV certificate for the domain, they were able to send the second
certificate, which caused the browser to switch encryption keys to the one
contained in the DV certificate. So the session was secured with the
"lesser" DV certificate, which the attacker controlled, but still showed
the green address bar.
Zusman also gave a presentation at DefCon (which follows Black Hat) on the
reliability of the web applications that CAs use for handling certificate
requests. As might be guessed, they turn out to be vulnerable to the usual
web application suspects: cross-site scripting and SQL injection, but he
found additional problems as well. He was able to circumvent the domain
name validation used by some CAs so that he could get certificates for
domains that he did not control.
It is rather worrisome that the CAs, who are supposedly guarding the safety
of web traffic, are so lax about the security of their own applications.
As Zusman noted in the article: "If you can game a CA's validation
mechanism, they don't
get hurt — they might even make some money. [Those] who suffer are those
who use the Internet."
SSL is an important part of the web infrastructure that users must rely on
daily to protect their communications with sensitive sites. It is not
surprising that it would be targeted by security researchers, nor is it all
that surprising that problems were found. While attacks against these
specific problems may be difficult to pull off in practice, they represent
holes that clearly need to be filled. If security researchers are finding
these kinds of problems, it's pretty likely that attackers are finding them
as well—but the attackers are much less likely to tell us about it at
Black Hat.
Brief items
The SquirrelMail team has sent out a notice saying that three plugins
(sasql, multilogin, and change_pass) were compromised on the project's
server. "Parts of these code changes attempt to send mail to an offsite
server containing passwords. We cannot establish a timeline of when
these plugins were compromised. If you are a user of these plugins,
it is strongly recommended you download a fresh copy from the
plugins repository." Changing passwords and looking for intrusions
might also be a good idea.
New vulnerabilities
django: file request forgery
| Package(s): | django |
| CVE #(s): | |
| Created: | August 4, 2009 |
| Updated: | August 5, 2009 |
| Description: | From the Django security advisory: Django includes a lightweight, WSGI-based web server for use in learning Django and in testing new applications during early stages of development. For sake of convenience, this web server automatically maps certain URLs corresponding to the static media files used by the Django administrative application. The handler which maps these URLs did not properly check the requested URL to verify that it corresponds to a static media file used by Django. As such, a carefully-crafted URL can cause the development server to serve any file to which it has read access. |
drupal-date: cross site scripting
| Package(s): | drupal-date |
| CVE #(s): | |
| Created: | July 31, 2009 |
| Updated: | September 21, 2009 |
| Description: | From the Fedora advisory: The Date module provides a date CCK field that can be added to any content type. The Date Tools module that is bundled with Date module does not properly escape user input when displaying labels for fields on a content type. A malicious user with the 'use date tools' permission of the Date Tools sub-module, or the 'administer content types' permission could attempt a cross site scripting [1] (XSS) attack when creating a new content type, leading to the user gaining full administrative access. |
firebird: denial of service
| Package(s): | firebird |
| CVE #(s): | CVE-2009-2620 |
| Created: | August 3, 2009 |
| Updated: | September 1, 2009 |
| Description: | From the Mandriva advisory: src/remote/server.cpp in fbserver.exe in Firebird SQL 1.5 before 1.5.6, 2.0 before 2.0.6, 2.1 before 2.1.3, and 2.5 before 2.5 Beta 2 allows remote attackers to cause a denial of service (daemon crash) via a malformed op_connect_request message that triggers an infinite loop or NULL pointer dereference (CVE-2009-2620). |
firefox: integer overflow
| Package(s): | firefox |
| CVE #(s): | CVE-2009-2468 |
| Created: | July 31, 2009 |
| Updated: | August 5, 2009 |
| Description: | From the CVE entry: Integer overflow in CoreGraphics in Apple Mac OS X, as used in Mozilla Firefox before 3.0.12, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long text run that triggers a heap-based buffer overflow during font glyph rendering, a related issue to CVE-2009-1194. |
firefox: heap overflow in certificate regexp parsing
| Package(s): | firefox |
| CVE #(s): | CVE-2009-2404 |
| Created: | August 4, 2009 |
| Updated: | March 31, 2010 |
| Description: | From the Mozilla advisory: Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. This code provided compatibility with the non-standard regular expression syntax historically supported by Netscape clients and servers. With version 3.5 Firefox switched to the more limited industry-standard wildcard syntax instead and is not vulnerable to this flaw. |
firefox: compromise of SSL-protected communication
| Package(s): | firefox |
| CVE #(s): | CVE-2009-2408 |
| Created: | August 4, 2009 |
| Updated: | October 5, 2010 |
| Description: | From the Mozilla advisory: IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid null character in it most CAs would issue the certificate if the requester owned the domain specified after the null, while most SSL clients (browsers) ignored that part of the name and used the unvalidated part in front of the null. This made it possible for attackers to obtain certificates that would function for any site they wished to target. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions. |
firefox: address spoofing
| Package(s): | firefox xulrunner |
| CVE #(s): | CVE-2009-2654 |
| Created: | August 5, 2009 |
| Updated: | December 22, 2009 |
| Description: | The Firefox browser allows attackers to spoof the information in the address bar, facilitating phishing attacks. Fixes are in versions 3.0.13 and 3.5.2. |
firefox: multiple vulnerabilities
| Package(s): | firefox |
| CVE #(s): | |
| Created: | August 5, 2009 |
| Updated: | August 5, 2009 |
| Description: | Firefox 3.5.2 fixes a number of vulnerabilities, two of which are labeled "critical." |
flash-plugin: multiple vulnerabilities
| Package(s): | flash-plugin |
| CVE #(s): | CVE-2009-1862 CVE-2009-1863 CVE-2009-1864 CVE-2009-1865 CVE-2009-1866 CVE-2009-1867 CVE-2009-1868 CVE-2009-1869 CVE-2009-1870 |
| Created: | July 31, 2009 |
| Updated: | August 7, 2009 |
| Description: | From the Red Hat advisory: Multiple security flaws were found in the way Flash Player displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, possibly, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2009-1862, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1868, CVE-2009-1869) A clickjacking flaw was discovered in Flash Player. A specially-crafted SWF file could trick a user into unintentionally or mistakenly clicking a link or a dialog. (CVE-2009-1867) A flaw was found in the Flash Player local sandbox. A specially-crafted SWF file could cause information disclosure when it was saved to the hard drive. (CVE-2009-1870) |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2009-1388 |
| Created: | August 4, 2009 |
| Updated: | August 5, 2009 |
| Description: | From the CVE entry: The ptrace_start function in kernel/ptrace.c in the Linux kernel 2.6.18 does not properly handle simultaneous execution of the do_coredump function, which allows local users to cause a denial of service (deadlock) via vectors involving the ptrace system call and a coredumping thread. |
nspr, nss: weak hash signatures
| Package(s): | nspr, nss |
| CVE #(s): | CVE-2009-2409 |
| Created: | July 31, 2009 |
| Updated: | April 28, 2010 |
| Description: | From the Red Hat advisory: Dan Kaminsky found that browsers still accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. NSS now disables the use of MD2 and MD4 algorithms inside signatures by default. (CVE-2009-2409) |
pdfedit: multiple vulnerabilities
| Package(s): | pdfedit |
| CVE #(s): | |
| Created: | August 5, 2009 |
| Updated: | August 5, 2009 |
| Description: | pdfedit contains "several serious remote vulnerabilities"; see this advisory for (minimal) further information. |
php4-eaccelerator: arbitrary code execution
| Package(s): | php4-eaccelerator |
| CVE #(s): | CVE-2009-2353 |
| Created: | August 3, 2009 |
| Updated: | August 5, 2009 |
| Description: | From the Mandriva advisory: encoder.php in eAccelerator allows remote attackers to execute arbitrary code by copying a local executable file to a location under the web root via the -o option, and then making a direct request to this file, related to upload of image files (CVE-2009-2353). |
sssd: privilege escalation
| Package(s): | sssd |
| CVE #(s): | CVE-2009-2410 |
| Created: | July 30, 2009 |
| Updated: | August 5, 2009 |
| Description: | From the Fedora alert: If a user was added to the SSSD BE database without setting a password, the user could ssh to the SSSD configured client and enter any password to gain access. This update resolves this issue so users with no password set are no longer able to login. |
wordpress: cross-site scripting
| Package(s): | wordpress |
| CVE #(s): | |
| Created: | August 5, 2009 |
| Updated: | August 7, 2009 |
| Description: | WordPress prior to version 2.8.2 contains a cross-site scripting vulnerability associated with comment author URLs. |
xml-security-c: authentication bypass
| Package(s): | xml-security-c |
| CVE #(s): | CVE-2009-0217 |
| Created: | July 31, 2009 |
| Updated: | June 4, 2010 |
| Description: | From the CVE entry: The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. |
Page editor: Jake Edge