Security
By Jake Edge October 28, 2009
Physical security is important. The "Evil
Maid" attack serves as a reminder that briefly allowing a laptop out of
your control, even with an
encrypted hard disk, means that all security bets are off—the machine
should be considered potentially compromised. Obviously different users
have different levels of paranoia about their data security, but the Evil
Maid attack shows just how simple it can be for others to access your data.
There is nothing particularly new in the proof-of-concept (PoC) attack against
TrueCrypt disk encryption software,
but the simplicity of the approach should give one pause. Joanna Rutkowska
described
the attack back in January, but the need for physical computer security goes
back much further than that. Whole-disk encryption, though, has made people
less wary of physical attacks against laptops. Rutkowska's PoC, along with
last year's report on "cold boot" attacks, should make it clear that
encryption, at least without some kind of Trusted Platform Module (TPM)
support, is not a complete solution.
The basic idea behind Evil Maid is that someone gets access to a laptop for
a fairly short period of time (a few minutes), and, in that time, boots it
from a USB key. One obvious vector is a hotel maid (or someone acting as
one), who enters someone's room while they are out to dinner, which is what
gives the attack its name. The USB key contains a payload that hooks the
TrueCrypt password prompting code and stores the last password entered.
The payload gets added to the Master Boot Record (MBR) of the laptop so
that it becomes active on the next boot.
While it has not been implemented in the PoC, there is no reason that the
malware couldn't send the password off via the network; currently it just
reports it back the next time the Evil Maid USB key is booted. That would
require the attacker to access the laptop twice, with its user typing in
the password in between, but a multi-day hotel stay would give ample
opportunity for that to occur.
As Bruce Schneier points
out, this attack is in no way limited to TrueCrypt, as other solutions
suffer from the same vulnerabilities. Both Schneier and Rutkowska look at
some potential workarounds, but, in the final analysis, physical access
allows an attacker too many ways around these security measures. Even
Trusted Computing, with appropriate TPM hardware, can succumb to certain
kinds of attacks.
Microsoft's BitLocker drive encryption uses the TPM, which provides
reasonable assurance that the right code is being booted, but even that can
fall prey to Evil Maid-style attacks, as Rutkowska describes:
Namely the Evil Maid for Bitlocker would have to display a fake Bitlocker
prompt (that could be identical to the real Bitlocker prompt), but after
obtaining a correct password from the user Evil Maid would not be able to
pass the execution to the real Bitlocker code, as the SRTM [Static Root of
Trust Measurement] chain will be
broken. Instead, Evil Maid would have to pretend that the password was
wrong, uninstall itself, and then reboot the platform. Thus, a Bitlocker
user that is confident that he or she entered the correct password, but the
OS didn't boot correctly, should destroy the laptop.
Rutkowska also describes a "Poor Man's Solution" which calculates hashes of
various unencrypted portions of the disk (especially the MBR). The Disk
Hasher is a bootable Linux-based USB key that calculates the hashes and
stores them on the USB key, then checks the disk against those stored hashes
on later boots. As she points out, it only protects against disk-based
attacks; BIOS reflashing would subvert Disk Hasher.
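The same check, as an added example written for this page in Python rather than Rutkowska's Disk Hasher itself: it hashes the MBR and the rest of the first track of a disk (or a raw image), records the digests in a JSON file meant to live on the USB key, and reports which regions changed on a later run. The region offsets, the JSON store and the throwaway image built by run_demo() are assumptions made here, not anything from the original tool; the demo never touches a real device.

```python
import hashlib
import json
import os
import tempfile

SECTOR = 512

# Regions of the unencrypted part of a system disk that an Evil Maid payload has
# to modify to run before the pre-boot password prompt. The MBR is always sector
# 0; the rest of the first track (sectors 1-62) is where a pre-boot loader
# conventionally lives before the first partition. These offsets are an
# assumption for illustration; adjust them to the layout of the disk in hand.
DEFAULT_REGIONS = {
    "mbr": (0, SECTOR),
    "first_track": (SECTOR, 62 * SECTOR),
}


def hash_regions(path, regions=DEFAULT_REGIONS):
    """Return {region name: SHA-256 hex digest} for each (offset, length) of `path`.

    `path` may be a block device such as /dev/sda or a raw image file.
    """
    digests = {}
    with open(path, "rb") as disk:
        for name, (offset, length) in regions.items():
            disk.seek(offset)
            data = disk.read(length)
            if len(data) != length:
                raise ValueError("short read for %s: %d of %d bytes" % (name, len(data), length))
            digests[name] = hashlib.sha256(data).hexdigest()
    return digests


def save_hashes(digests, store_path):
    """Record the reference digests; the store belongs on the USB key, never on the disk."""
    with open(store_path, "w") as f:
        json.dump(digests, f, indent=2, sort_keys=True)


def load_hashes(store_path):
    with open(store_path) as f:
        return json.load(f)


def verify_regions(path, reference, regions=DEFAULT_REGIONS):
    """Return the sorted names of regions whose digest no longer matches `reference`."""
    current = hash_regions(path, regions)
    return sorted(name for name in current if current[name] != reference.get(name))


def _patch(path, offset, data):
    """Overwrite bytes in place; stands in for what a boot-code hook install does."""
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(data)


def run_demo():
    """Constructed 1 MiB disk image: random first 64 sectors, zeroed 'partition' area."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "disk.img")
        store = os.path.join(tmp, "hashes.json")
        with open(disk, "wb") as f:
            f.write(os.urandom(64 * SECTOR))
            f.write(b"\x00" * ((2048 - 64) * SECTOR))

        save_hashes(hash_regions(disk), store)  # done once, on a known-clean disk
        reference = load_hashes(store)
        results["clean"] = verify_regions(disk, reference)

        # A change inside the partition area is invisible to the hasher: it only
        # vouches for the regions it was told to hash.
        _patch(disk, 100 * SECTOR, b"\xaa" * 16)
        results["outside_regions"] = verify_regions(disk, reference)

        # Sixteen bytes of NOP in the MBR code area, as a hook install would leave.
        _patch(disk, 0x40, b"\x90" * 16)
        results["after_mbr_patch"] = verify_regions(disk, reference)

        # A patched loader sector further into the first track.
        _patch(disk, 10 * SECTOR, b"\x90" * 16)
        results["after_track_patch"] = verify_regions(disk, reference)
    return results


if __name__ == "__main__":
    for step, changed in run_demo().items():
        print("%-20s %s" % (step, "OK" if not changed else "MODIFIED: " + ", ".join(changed)))
```

On a real machine the reference run is `hash_regions("/dev/sda")` from the trusted USB environment (root is needed to read the device), with hashes.json kept only on the key. The demo's second step is the caveat from the text in miniature: a change outside the hashed regions goes unnoticed, and nothing here can see a reflashed BIOS.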
Requiring a password in the BIOS before booting is another possible
workaround, but one that may not provide as much security as it at first
seems. BIOS reflashing is one possible attack, but a simpler method, though
more time-consuming than the "standard" Evil Maid attack, would be to
remove the disk, attach it to another laptop, and install the necessary
code there. That adds complexity to the attack, but the 5-15 minutes needed
to swap out a laptop hard disk is not all that difficult to come by in the
hotel scenario.
This PoC, along with other attacks against encrypted disks, is very
useful to remind users that hard disk encryption is no panacea. You still
must consider which kinds of threats you are trying to protect against.
Disk encryption is great for preventing accidental disclosure of private
information when someone steals a laptop, but is much less useful for an
attack that is focused on accessing the data on a particular laptop. Much
like internet security, fairly straightforward protection techniques are
fine to thwart the random attacker but are probably insufficient for one
who is focused on subverting your defenses in particular.
Brief items
Mozilla has announced the availability of Firefox 3.5.4 and 3.0.15. Each fixes some fairly serious-sounding security problems (3.5.4, 3.0.15), including multiple "critical" flaws. "We strongly recommend that all Firefox users upgrade to this latest release. If you already have Firefox 3.5 or Firefox 3, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting "Check for Updates..." from the Help menu." Distribution updates will presumably be available soon as well.
New vulnerabilities
acroread: multiple vulnerabilities
Package(s): acroread
CVE #(s): CVE-2007-0048, CVE-2009-2979, CVE-2009-2980, CVE-2009-2981, CVE-2009-2982, CVE-2009-2983, CVE-2009-2985, CVE-2009-2986, CVE-2009-2988, CVE-2009-2990, CVE-2009-2991, CVE-2009-2993, CVE-2009-2994, CVE-2009-2996, CVE-2009-2997, CVE-2009-2998, CVE-2009-3431, CVE-2009-3458, CVE-2009-3459, CVE-2009-3462
Created: October 26, 2009
Updated: October 28, 2009
Description: From the CVE entries:
CVE-2007-0048: Adobe Acrobat Reader Plugin before 8.0.0, and possibly the plugin distributed with Adobe Reader 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2, when used with Internet Explorer, Google Chrome, or Opera, allows remote attackers to cause a denial of service (memory consumption) via a long sequence of # (hash) characters appended to a PDF URL, related to a "cross-site scripting issue."
CVE-2009-2979: Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 do not properly perform XMP-XML entity expansion, which allows remote attackers to cause a denial of service via a crafted document.
CVE-2009-2980: Integer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors.
CVE-2009-2981: Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which might allow attackers to bypass intended Trust Manager restrictions via unspecified vectors.
CVE-2009-2982: An unspecified certificate in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow remote attackers to conduct a "social engineering attack" via unknown vectors.
CVE-2009-2983: Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors.
CVE-2009-2985: Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-2996.
CVE-2009-2986: Multiple heap-based buffer overflows in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors.
CVE-2009-2988: Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which allows attackers to cause a denial of service via unspecified vectors.
CVE-2009-2990: Array index error in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to execute arbitrary code via unspecified vectors.
CVE-2009-2991: Unspecified vulnerability in the Mozilla plug-in in Adobe Reader and Acrobat 8.x before 8.1.7, and possibly 7.x before 7.1.4 and 9.x before 9.2, might allow remote attackers to execute arbitrary code via unknown vectors.
CVE-2009-2993: The JavaScript for Acrobat API in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 does not properly implement the (1) Privileged Context and (2) Safe Path restrictions for unspecified JavaScript methods, which allows remote attackers to create arbitrary files, and possibly execute arbitrary code, via the cPath parameter in a crafted PDF file. NOTE: some of these details are obtained from third party information.
CVE-2009-2994: Buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors.
CVE-2009-2996: Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-2985.
CVE-2009-2997: Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors.
CVE-2009-2998: Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which might allow attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-3458.
CVE-2009-3431: Stack consumption vulnerability in Adobe Reader and Acrobat 9.1.3, 9.1.2, 9.1.1, and earlier 9.x versions; 8.1.6 and earlier 8.x versions; and possibly 7.1.4 and earlier 7.x versions allows remote attackers to cause a denial of service (application crash) via a PDF file with a large number of [ (open square bracket) characters in the argument to the alert method. NOTE: some of these details are obtained from third party information.
CVE-2009-3458: Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which might allow attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-2998.
CVE-2009-3459: Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption, as exploited in the wild in October 2009. NOTE: some of these details are obtained from third party information.
CVE-2009-3462: Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 on Unix, when Debug mode is enabled, allow attackers to execute arbitrary code via unspecified vectors, related to a "format bug."
acroread: denial of service
Package(s): acroread, acroread_ja
CVE #(s): CVE-2009-2992
Created: October 26, 2009
Updated: October 28, 2009
Description: From the CVE entry:
CVE-2009-2992: An unspecified ActiveX control in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 does not properly validate input, which allows attackers to cause a denial of service via unknown vectors.
firefox: multiple vulnerabilities
kernel: missing initialization flaws
Package(s): kernel
CVE #(s): CVE-2005-4881, CVE-2009-3228
Created: October 22, 2009
Updated: October 8, 2010
Description: From the Red Hat alert:
multiple, missing initialization flaws were found in the Linux kernel.
Padding data in several core network structures was not initialized
properly before being sent to user-space. These flaws could lead to
information leaks. (CVE-2005-4881, CVE-2009-3228, Moderate)
kernel: buffer overflow
Package(s): kernel
CVE #(s): CVE-2009-2584
Created: October 22, 2009
Updated: October 28, 2009
Description: From the National Vulnerability Database entry:
"Off-by-one error in the options_write function in drivers/misc/sgi-gru/gruprocfs.c in the SGI GRU driver in the Linux kernel 2.6.30.2 and earlier on ia64 and x86 platforms might allow local users to overwrite arbitrary memory locations and gain privileges via a crafted count argument, which triggers a stack-based buffer overflow."
kernel: privilege escalation
Package(s): kernel
CVE #(s): CVE-2009-2695
Created: October 22, 2009
Updated: March 1, 2010
Description: From the National Vulnerability Database entry:
"The Linux kernel before 2.6.31-rc7 does not properly prevent mmap operations that target page zero and other low memory addresses, which allows local users to gain privileges by exploiting NULL pointer dereference vulnerabilities, related to (1) the default configuration of the allow_unconfined_mmap_low boolean in SELinux on Red Hat Enterprise Linux (RHEL) 5, (2) an error that causes allow_unconfined_mmap_low to be ignored in the unconfined_t domain, (3) lack of a requirement for the CAP_SYS_RAWIO capability for these mmap operations, and (4) interaction between the mmap_min_addr protection mechanism and certain application programs."
kernel: insufficient randomization
Package(s): kernel
CVE #(s): CVE-2009-3238
Created: October 22, 2009
Updated: February 15, 2010
Description: From the National Vulnerability Database entry:
"The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time.""
kernel: insecure file creation
Package(s): kernel
CVE #(s): CVE-2009-3286
Created: October 22, 2009
Updated: February 15, 2010
Description: From the National Vulnerability Database entry:
"NFSv4 in the Linux kernel 2.6.18, and possibly other versions, does not properly clean up an inode when an O_EXCL create fails, which causes files to be created with insecure settings such as setuid bits, and possibly allows local users to gain privileges, related to the execution of the do_open_permission function even when a create fails."
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2009-3288
Created: October 22, 2009
Updated: May 7, 2010
Description: From the National Vulnerability Database entry:
"The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel 2.6.28-rc1 through 2.6.31-rc8 uses an incorrect variable when accessing an array, which allows local users to cause a denial of service (kernel OOPS and NULL pointer dereference), as demonstrated by using xcdroast to duplicate a CD. NOTE: this is only exploitable by users who can open the cdrom device."
kernel: denial of service
Package(s): linux-2.6
CVE #(s): CVE-2009-3613
Created: October 23, 2009
Updated: December 22, 2009
Description: From the Debian advisory:
Alistair Strachan reported an issue in the r8169 driver. Remote
users can cause a denial of service (IOMMU space exhaustion and
system crash) by transmitting a large amount of jumbo frames.
kernel: information leak
Package(s): kernel
CVE #(s): CVE-2009-3612
Created: October 27, 2009
Updated: February 15, 2010
Description: From the National Vulnerability Database entry:
The tcf_fill_node function in net/sched/cls_api.c in the netlink subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6 and earlier, does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2005-4881.
mapserver: integer overflow
Package(s): mapserver
CVE #(s): CVE-2009-2281
Created: October 23, 2009
Updated: October 28, 2009
Description: From the Debian advisory:
An integer overflow when processing HTTP requests can lead to a
heap-based buffer overflow. An attacker can use this to execute arbitrary
code either via crafted Content-Length values or large HTTP request. This
is partly because of an incomplete fix for CVE-2009-0840.
nginx: denial of service
Package(s): nginx
CVE #(s): (none listed)
Created: October 27, 2009
Updated: October 28, 2009
Description: From the Debian alert:
Jasson Bell discovered that a remote attacker could cause a denial of service
(segmentation fault) by sending a crafted request.
phpmyadmin: multiple vulnerabilities
Package(s): phpMyAdmin
CVE #(s): CVE-2009-3696, CVE-2009-3697
Created: October 26, 2009
Updated: October 28, 2009
Description: From the CVE entries:
CVE-2009-3696: Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name for a MySQL table.
CVE-2009-3697: SQL injection vulnerability in the PDF schema generator functionality in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified interface parameters.
poppler: denial of service
Package(s): poppler
CVE #(s): CVE-2009-3605
Created: October 23, 2009
Updated: March 5, 2010
Description: From the Ubuntu advisory:
It was discovered that poppler contained multiple security issues when
parsing malformed PDF documents. If a user or automated system were tricked
into opening a crafted PDF file, an attacker could cause a denial of
service or execute arbitrary code with privileges of the user invoking the
program.
python-markdown2: multiple vulnerabilities
Package(s): python-markdown2
CVE #(s): (none listed)
Created: October 27, 2009
Updated: October 28, 2009
Description: From the Fedora alert:
Update from 1.0.1.11 to 1.0.1.15, which fixes some issues, including these two
security-related bugs: - [Issue 30] Fix a possible XSS via JavaScript injection
in a carefully crafted image reference (usage of double-quotes in the URL). -
[Issue 29] Fix security hole in the md5-hashing scheme for handling HTML chunks
during processing.
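The first markdown2 issue, a double quote inside an image URL breaking out of the src attribute, as an added Python illustration that is not markdown2's code: a deliberately naive image-reference renderer beside a hardened one that HTML-escapes attribute values and rejects non-http(s) schemes. The regex, the PAYLOAD string and the helper names are constructed for this example, and the attribute_names() helper shows what a browser's parser would see in each output.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Simplified ![alt](url) matcher for illustration; it takes everything up to
# the last ')' on the line as the URL, which is what lets the payload through.
IMAGE_REF = re.compile(r"!\[([^\]]*)\]\((.*)\)")


def render_image_naive(text):
    """Deliberately vulnerable: the URL is pasted into the src attribute as-is,
    so a double quote in it ends the attribute and starts a new one."""
    return IMAGE_REF.sub(
        lambda m: '<img src="%s" alt="%s" />' % (m.group(2), m.group(1)), text)


def safe_url(url):
    """Keep relative and http(s) URLs; anything else (javascript:, data:, ...) is dropped."""
    return url if urlsplit(url).scheme.lower() in ("", "http", "https") else ""


def render_image_safe(text):
    """Hardened: every value lands in its attribute HTML-escaped (quote=True turns
    '"' into &quot;), and the URL scheme is whitelisted first."""
    def sub(m):
        url = html.escape(safe_url(m.group(2)), quote=True)
        alt = html.escape(m.group(1), quote=True)
        return '<img src="%s" alt="%s" />' % (url, alt)
    return IMAGE_REF.sub(sub, text)


class _AttrCollector(HTMLParser):
    """Collects attribute names the way a browser would see them."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def attribute_names(rendered):
    parser = _AttrCollector()
    parser.feed(rendered)
    return parser.names


# Constructed payload: the double quote closes src and smuggles in an event handler.
PAYLOAD = '![pic](http://example.invalid/a.png" onerror="alert(1))'

if __name__ == "__main__":
    for renderer in (render_image_naive, render_image_safe):
        out = renderer(PAYLOAD)
        print(renderer.__name__, out, attribute_names(out))
```

The naive output carries an onerror attribute; in the hardened output the quote survives only as &quot; inside the src value, so the parser reports just src and alt. Escaping belongs at the point of output, per context; the scheme check is a separate control that stops javascript: URLs, which escaping alone would not.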
rubygem-actionpack: information leak
Package(s): rubygem-actionpack
CVE #(s): CVE-2009-3086
Created: October 26, 2009
Updated: June 15, 2011
Description: From the CVE entry:
A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.
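The leak in that entry is the classic early-exit string comparison of the cookie's signature. What follows is an added Python illustration, not Rails code: it builds and verifies a cookie in the data--digest shape the Rails cookie store uses, with HMAC-SHA1 assumed as the digest, a JSON payload standing in for the marshalled Rails session, and a constructed secret. naive_compare_steps() shows how the number of byte comparisons made by a short-circuiting compare reveals how many leading digest characters a guess got right; secure_compare() is the fix.

```python
import base64
import hashlib
import hmac
import json


def naive_compare_steps(a, b):
    """Deliberately leaky: stops at the first differing character and returns
    (equal, number of comparisons made). The step count is what leaks through
    response timing: it grows by one for each leading digest character the
    attacker has guessed correctly, so the digest can be recovered per character."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def naive_compare(a, b):
    return naive_compare_steps(a, b)[0]


def secure_compare(a, b):
    """Constant-time for equal-length inputs: every character is visited and all
    differences are OR-ed into one accumulator, so the time taken does not depend
    on where the first mismatch is (hmac.compare_digest does the same job)."""
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a.encode(), b.encode()):
        acc |= x ^ y
    return acc == 0


def _digest(data, secret):
    # HMAC-SHA1 is assumed here as the cookie store's digest; `secret` is bytes.
    return hmac.new(secret, data.encode(), hashlib.sha1).hexdigest()


def sign(session, secret):
    """Cookie in the 'data--digest' shape; the payload is JSON for illustration."""
    data = base64.b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    return data + "--" + _digest(data, secret)


def verify(cookie, secret, compare=secure_compare):
    """Return the session if the signature checks out, otherwise None."""
    if "--" not in cookie:
        return None
    data, digest = cookie.rsplit("--", 1)
    if not compare(digest, _digest(data, secret)):
        return None
    return json.loads(base64.b64decode(data))


def forge_attempt(cookie, new_session):
    """Attacker move: swap the payload and keep the old digest."""
    digest = cookie.rsplit("--", 1)[1]
    data = base64.b64encode(json.dumps(new_session, sort_keys=True).encode()).decode()
    return data + "--" + digest


if __name__ == "__main__":
    secret = b"constructed-secret-for-the-demo"
    cookie = sign({"user_id": 7}, secret)
    real = cookie.rsplit("--", 1)[1]
    print("valid:", verify(cookie, secret))
    print("forged:", verify(forge_attempt(cookie, {"user_id": 1}), secret))
    for prefix in (0, 5, 20):
        guess = real[:prefix] + ("0" if real[prefix] != "0" else "1") + "0" * (39 - prefix)
        print("%2d correct leading chars -> %2d comparisons in naive_compare"
              % (prefix, naive_compare_steps(guess, real)[1]))
```

The loop at the bottom is the attack in miniature: a guess with 20 correct leading characters costs the server 21 comparisons, a guess with none costs one, and a remote attacker measuring that difference over many requests can extend the matching prefix one character at a time. With secure_compare() every guess costs the same 40 comparisons.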
sahana: file exposure vulnerability
Package(s): sahana
CVE #(s): (none listed)
Created: October 27, 2009
Updated: October 28, 2009
Description: From the Fedora bug report:
The first issue would allow an attacker to touch/modify any file on the system.
Essentially the issue is that get, post, and requests aren't sanitized or
unescaped.
slim: current directory exposure in default path
Package(s): slim
CVE #(s): (none listed)
Created: October 27, 2009
Updated: October 28, 2009
Description: From the Fedora bug report:
The SLiM display manager includes the current directory in its default path
which opens up users to trojan attacks and other unexpected behavior. It
should be removed from the default config.
systemtap: multiple DoS vulnerabilities
Package(s): systemtap
CVE #(s): CVE-2009-2911
Created: October 27, 2009
Updated: October 28, 2009
Description: From the Fedora bug report:
Multiple denial of service flaws were found in the SystemTap
instrumentation system, when the --unprivileged mode was activated:
a, Kernel stack overflow allows local attackers to cause denial of service or
execute arbitrary code via long number of parameters, provided to the print* call.
b, Kernel stack frame overflow allows local attackers to cause denial
of service via specially-crafted user-provided DWARF information.
c, Absent check(s) for the upper bound of the size of the unwind table
and for the upper bound of the size of each of the CIE/CFI records, could
allow an attacker to cause a denial of service (infinite loop).
viewvc: multiple vulnerabilities
Package(s): viewvc
CVE #(s): CVE-2009-3618, CVE-2009-3619
Created: October 26, 2009
Updated: October 28, 2009
Description: From the Tenable advisory:
Update of viewvc to version 1.0.9 fixes a cross-site
scripting (XSS) problem and enhances filtering of illegal
characters when displaying error messages (CVE-2009-3618,
CVE-2009-3619).
wordpress: denial of service
Package(s): wordpress
CVE #(s): (none listed)
Created: October 27, 2009
Updated: October 28, 2009
Description: From the Fedora bug report:
A denial of service (resource exhaustion) flaw was found in the way
WordPress used to handle HTTP headers, contained in the "trackback"
message, sent to WordPress. A local, unprivileged user could
send a specially-crafted trackback message to a running instance
of WordPress, leading to its crash.
Page editor: Jake Edge