Security
By Jake Edge December 9, 2009
A recent article
in Computerworld introduced a new product, the Pogoplug, which has a number of
interesting and useful-sounding features. It is also likely to be
something of a security headache for network administrators. It simplifies
the setup of an internet-connected storage device, but it also uses UDP in a
way that may circumvent the firewall restrictions on some networks.
As a device, the Pogoplug isn't really anything particularly special.
It consists of an ARM processor with a bit of memory and flash, along with
some USB ports and a gigabit ethernet connector. None of the technical
capabilities of the Pogoplug are terribly sophisticated, but
as would be expected for a consumer device like this, it runs Linux under
the covers. It is the service
that is provided by CloudEngines, the company behind Pogoplug, that turns it
into something beyond a simple embedded Linux box.
To use the Pogoplug, you connect it to the ethernet, a USB drive (or
stick), and power it up. After that, browse to my.pogoplug.com,
create an account, and wait a few minutes for an email with a link
containing the magic code for your Pogoplug. Clicking that link takes you
to a page that displays the contents of the USB drive attached to the
Pogoplug. And you can do that from anywhere on the internet.
The Pogoplug relies on being able to send and receive UDP packets to and from
port 4365 over the internet. If the network it is attached to allows that
traffic, the device can be reached from anywhere else on the internet.
The device can be configured to share its data with other users via links,
RSS feeds, email notifications, and so forth. It is just the kind of
device that will be attractive to some internet-centric folks.
The device itself is not locked down and the OpenPogo site caters to developers.
There is information on the wiki about installing various other
applications such
as MySQL, Django, Ruby on Rails, etc. From that perspective, it looks like
a fun, hackable device. But it suffers from a number of pitfalls that
might bite the unwary.
To start with, ssh
is enabled with a standard root password. That makes it easy for folks
who want to change things on the device, but for those who are not
particularly savvy, it also leaves the device wide open to anyone else on
the local network. Presumably ssh is not exposed through whatever
UDP tunnel or encapsulation gets established, so the device is safe from ssh
logins across the internet. But home users who expect their Pogoplug to
be private from their siblings, parents, or roommates may be in for
something of a surprise.
There is also the concern that a Pogoplug could expose
data—inadvertently or maliciously—from inside a company or
other supposedly secure environment. There is nothing technically
new about what the Pogoplug can do, but it would have taken someone with
some reasonable technical skills to set something like the Pogoplug up.
Now, anyone with $129 and a 2GB USB stick may be able to publish the
entirety of a company's secrets on the web in just a few minutes.
Certainly many or most corporate firewalls will not pass the Pogoplug
traffic, but undoubtedly some will. Various P2P applications
have caused inadvertent releases of confidential information from
employees who didn't fully understand the technology; Pogoplug is likely to
do the same. It is great for folks to be able to share their data with
their friends, but unless they fully understand how it works, there are
some holes that are pretty likely to be stepped in.
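As an added illustration (it is not from the article, nor from CloudEngines), here is a small Python 3 script that scans firewall connection logs for internal hosts exchanging UDP traffic on port 4365 with the outside world, which is the kind of egress check an administrator would run to find Pogoplugs that a permissive firewall has let through. The log format, the sample lines, and the assumption that the device uses 4365 as both source and destination port are constructed for the example; a real deployment would adapt the regular expression to its firewall's actual log format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a simplified "timestamp action proto src -> dst"
# format.  They are made up for this example; real firewall logs differ and the
# regular expression below is an assumption to be adapted to the real format.
# The "public" addresses are chosen outside the documentation ranges because
# Python's ipaddress module reports 192.0.2.0/24, 198.51.100.0/24 and
# 203.0.113.0/24 as private.
SAMPLE_LOG = """\
2009-12-09T10:15:03 ACCEPT udp 10.1.2.33:4365 -> 66.201.3.120:4365 len=92
2009-12-09T10:15:03 ACCEPT udp 10.1.2.33:4365 -> 66.201.3.120:4365 len=120
2009-12-09T10:15:04 ACCEPT udp 10.1.2.33:4365 -> 93.184.216.34:4365 len=88
2009-12-09T10:15:05 ACCEPT udp 10.1.2.40:53201 -> 10.1.0.1:53 len=64
2009-12-09T10:15:06 ACCEPT tcp 10.1.2.40:44123 -> 66.201.3.120:443 len=1500
2009-12-09T10:15:07 DROP udp 10.1.2.51:4365 -> 93.184.216.34:4365 len=92
2009-12-09T10:15:08 ACCEPT udp 66.201.3.120:4365 -> 10.1.2.33:4365 len=96
"""

POGOPLUG_PORT = 4365  # the UDP port the article names; source-port use is assumed

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_pogoplug_talkers(log_text):
    """Map each internal host to the external peers it exchanged UDP/4365 with.

    Only ACCEPT lines count: DROP lines show traffic the firewall already
    stopped.  Both directions are checked, since the device both sends to and
    receives from port 4365.
    """
    talkers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["proto"] != "udp":
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src.is_private and not dst.is_private and rec["dport"] == POGOPLUG_PORT:
            # outbound: private host talking to the service port on the internet
            talkers[str(src)].add(str(dst))
        elif dst.is_private and not src.is_private and rec["sport"] == POGOPLUG_PORT:
            # inbound: internet host answering from the service port
            talkers[str(dst)].add(str(src))
    return {host: sorted(peers) for host, peers in talkers.items()}


if __name__ == "__main__":
    for host, peers in sorted(find_pogoplug_talkers(SAMPLE_LOG).items()):
        print(f"{host} exchanged UDP/{POGOPLUG_PORT} with {', '.join(peers)}")
```

On the sample above only 10.1.2.33 is reported; 10.1.2.51 also tried, but its packets were dropped, which is the outcome a corporate egress policy should produce. A hit is a lead, not proof: port number alone does not identify the device, so the next step is to find the host and look at it.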
Comments (5 posted)
Brief items
IEEE Spectrum
reports on an effort to hack the GSM mobile phone standard.
"Karsten Nohl, chief research scientist with H4RDW4RE, a Sunnyvale, Calif.-based security research firm, is mounting what could be the most ambitious attempt yet to compromise the GSM phone system, which is used by over 3 billion people around the world. Others have cracked the A5/1 encryption technology used in GSM before, but their results have remained secret. However, Nohl, who earned a Ph.D. in computer science at the University of Virginia and is a member of Germany's Chaos Computer Club (CCC), intends to go one big step further: By the end of the year, he plans to make the keys available to everyone on the Internet."
(Thanks to Evgeny Stambulchik).
Comments (30 posted)
New vulnerabilities
acpid: privilege escalation
| Package(s): | acpid |
| CVE #(s): | CVE-2009-4033 |
| Created: | December 7, 2009 |
| Updated: | December 28, 2009 |
| Description: |
From the Red Hat advisory:
It was discovered that acpid could create its log file ("/var/log/acpid")
with random permissions on some systems. A local attacker could use this
flaw to escalate their privileges if the log file was created as
world-writable and with the setuid or setgid bit set. (CVE-2009-4033) |
| Alerts: | |
Comments (none posted)
cups: integer overflow
| Package(s): | cups |
| CVE #(s): | CVE-2009-0165 |
| Created: | December 8, 2009 |
| Updated: | August 18, 2010 |
| Description: |
From the Mandriva advisory:
Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier,
as used in Poppler and other products, when running on Mac OS X,
has unspecified impact, related to g*allocn. |
| Alerts: | |
Comments (none posted)
expat: denial of service
| Package(s): | expat |
| CVE #(s): | CVE-2009-3560 |
| Created: | December 7, 2009 |
| Updated: | February 11, 2011 |
| Description: |
From the Fedora advisory:
A buffer over-read flaw was found in the way Expat handles malformed UTF-8
sequences when processing XML files. A specially-crafted XML file could cause
applications using Expat to crash while parsing the file. (CVE-2009-3560) |
| Alerts: | |
Comments (none posted)
flash-plugin: multiple vulnerabilities
| Package(s): | flash-plugin |
| CVE #(s): | CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800 |
| Created: | December 9, 2009 |
| Updated: | January 4, 2010 |
| Description: |
From the Red Hat advisory:
Multiple security flaws were found in the way Flash Player displayed
certain SWF content. An attacker could use these flaws to create a
specially-crafted SWF file that would cause flash-plugin to crash or,
possibly, execute arbitrary code when the victim loaded a page containing
the specially-crafted SWF content. (CVE-2009-3794, CVE-2009-3796,
CVE-2009-3798, CVE-2009-3799, CVE-2009-3800) |
| Alerts: | |
Comments (none posted)
gforge: symlink attack vulnerability
| Package(s): | gforge |
| CVE #(s): | CVE-2009-3304 |
| Created: | December 4, 2009 |
| Updated: | December 9, 2009 |
| Description: |
From the Debian alert:
Sylvain Beucler discovered that gforge, a collaborative development
tool, is prone to a symlink attack, which allows local users to perform
a denial of service attack by overwriting arbitrary files. |
| Alerts: | |
Comments (none posted)
gnome-screensaver: lock bypass
| Package(s): | gnome-screensaver |
| CVE #(s): | |
| Created: | December 8, 2009 |
| Updated: | December 9, 2009 |
| Description: |
From the Ubuntu advisory:
It was discovered that gnome-screensaver did not always re-enable itself
after applications requested it to ignore idle timers. This may result in the
screen not being automatically locked after the inactivity timeout is
reached, permitting an attacker with physical access to gain access to an
unlocked session. |
| Alerts: | |
Comments (none posted)
grub2: authentication bypass
| Package(s): | grub2 |
| CVE #(s): | CVE-2009-4128 |
| Created: | December 9, 2009 |
| Updated: | December 9, 2009 |
| Description: |
From the Ubuntu advisory:
It was discovered that GRUB 2 did not properly validate passwords. An
attacker with physical access could conduct a brute force attack and bypass
authentication by submitting a 1 character password. |
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | linux, linux-source-2.6.15 |
| CVE #(s): | CVE-2009-3080, CVE-2009-3623, CVE-2009-3624, CVE-2009-3722, CVE-2009-3725, CVE-2009-3888, CVE-2009-4005, CVE-2009-4026, CVE-2009-4027 |
| Created: | December 7, 2009 |
| Updated: | March 21, 2011 |
| Description: |
From the Ubuntu advisory:
Dave Jones discovered that the gdth SCSI driver did not correctly validate
array indexes in certain ioctl calls. A local attacker could exploit
this to crash the system or gain elevated privileges. (CVE-2009-3080)
J. Bruce Fields discovered that NFSv4 did not correctly use the credential
cache. A local attacker using a mount with AUTH_NULL authentication
could exploit this to crash the system or gain root privileges. Only
Ubuntu 9.10 was affected. (CVE-2009-3623)
Alexander Zangerl discovered that the kernel keyring did not correctly
reference count. A local attacker could issue a series of specially
crafted keyring calls to crash the system or gain root privileges.
Only Ubuntu 9.10 was affected. (CVE-2009-3624)
Avi Kivity discovered that KVM did not correctly check privileges when
accessing debug registers. A local attacker could exploit this to
crash a host system from within a guest system, leading to a denial of
service. Ubuntu 6.06 and 9.10 were not affected. (CVE-2009-3722)
Philip Reisner discovered that the connector layer for uvesafb, pohmelfs,
dst, and dm did not correctly check capabilities. A local attacker could
exploit this to crash the system or gain elevated privileges. Ubuntu
6.06 was not affected. (CVE-2009-3725)
Robin Getz discovered that NOMMU systems did not correctly validate
NULL pointers in do_mmap_pgoff calls. A local attacker could attempt to
allocate large amounts of memory to crash the system, leading to a denial
of service. Only Ubuntu 6.06 and 9.10 were affected. (CVE-2009-3888)
Roel Kluin discovered that the Hisax ISDN driver did not correctly
check the size of packets. A remote attacker could send specially
crafted packets to cause a system crash, leading to a denial of
service. (CVE-2009-4005)
Lennert Buytenhek discovered that certain 802.11 states were not handled
correctly. A physically-proximate remote attacker could send specially
crafted wireless traffic that would crash the system, leading to a denial
of service. Only Ubuntu 9.10 was affected. (CVE-2009-4026, CVE-2009-4027) |
| Alerts: | |
Comments (none posted)
kernel: unprivileged user driver vulnerability
| Package(s): | kernel |
| CVE #(s): | CVE-2009-3889, CVE-2009-3939 |
| Created: | December 3, 2009 |
| Updated: | March 3, 2010 |
| Description: |
From the Red Hat alert:
Permission issues were found in the megaraid_sas driver (for SAS based
RAID controllers) in the Linux kernel. The "dbg_lvl" and "poll_mode_io"
files on the sysfs file system ("/sys/") had world-writable permissions.
This could allow local, unprivileged users to change the behavior of the
driver. (CVE-2009-3889, CVE-2009-3939, Moderate) |
| Alerts: | |
Comments (none posted)
kernel: null pointer dereference
| Package(s): | kernel |
| CVE #(s): | CVE-2009-1298 |
| Created: | December 7, 2009 |
| Updated: | January 7, 2010 |
| Description: |
From the Red Hat bugzilla entry:
Between 2.6.28.10 and 2.6.29, net/ipv4/ip_fragment.c was patched, changing from
dev_net(dev) to container_of(...). Unfortunately the goto section (out_fail)
on oversized packets inside ip_frag_reasm() didn't get touched up as well.
Oversized IP packets cause a NULL pointer dereference and immediate hang. |
| Alerts: | |
Comments (none posted)
kvm: host denial of service
| Package(s): | kvm |
| CVE #(s): | CVE-2009-4031 |
| Created: | December 9, 2009 |
| Updated: | March 22, 2010 |
| Description: |
From the Red Hat advisory:
On x86 platforms, the do_insn_fetch() function did not limit the amount of
instruction bytes fetched per instruction. Users in guest operating systems
could leverage this flaw to cause large latencies on SMP hosts that could
lead to a local denial of service on the host operating system. This
update fixes this issue by imposing the architecturally-defined 15 byte
length limit for instructions. (CVE-2009-4031) |
| Alerts: | |
Comments (none posted)
nginx: denial of service
| Package(s): | nginx |
| CVE #(s): | CVE-2009-3896 |
| Created: | December 7, 2009 |
| Updated: | December 9, 2009 |
| Description: |
From the CVE entry:
src/http/ngx_http_parse.c in nginx (aka Engine X) 0.1.0 through 0.4.14, 0.5.x before 0.5.38, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.14 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a long URI. |
| Alerts: | |
Comments (none posted)
ntp: denial of service
| Package(s): | ntp |
| CVE #(s): | CVE-2009-3563 |
| Created: | December 9, 2009 |
| Updated: | May 7, 2010 |
| Description: |
From the Red Hat advisory:
Robin Park and Dmitri Vinokurov discovered a flaw in the way ntpd handled
certain malformed NTP packets. ntpd logged information about all such
packets and replied with an NTP packet that was treated as malformed when
received by another ntpd. A remote attacker could use this flaw to create
an NTP packet reply loop between two ntpd servers via a malformed packet
with a spoofed source IP address and port, causing ntpd on those servers to
use excessive amounts of CPU time and fill disk space with log messages.
(CVE-2009-3563) |
| Alerts: | |
Comments (none posted)
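The reply loop in the ntp entry above is easy to model. The following Python 3 simulation is an added example, not ntpd code: two toy servers each treat a malformed mode 7 packet the way the advisory describes, logging it and answering with an error packet that the other side in turn considers malformed, so one packet with a spoofed source address starts a ping-pong that only stops when the simulation caps it. The fix is modelled as the receiver refusing to answer any packet that already carries the mode 7 response bit; the addresses, the `Packet` fields and the step cap are assumptions made for the simulation.

```python
from collections import deque
from dataclasses import dataclass

MODE_PRIVATE = 7  # ntpd "mode 7" private control/monitoring packets, the class at issue


@dataclass
class Packet:
    src: str        # source address as seen by the receiver (spoofable)
    dst: str
    mode: int
    response: bool  # mode 7 response bit: set on every reply, error replies included
    malformed: bool


class ToyNtpd:
    """Minimal stand-in for the mode 7 handling described in the advisory."""

    def __init__(self, addr, ignore_responses):
        self.addr = addr
        self.ignore_responses = ignore_responses
        self.log = []  # one entry per logged bad packet, like the ntpd log lines

    def handle(self, pkt):
        """Process one inbound packet; return the reply to send, or None."""
        if pkt.mode != MODE_PRIVATE:
            return None
        if self.ignore_responses and pkt.response:
            # Modelled fix: a reply, error replies included, is never answered,
            # so a spoofed error cannot be bounced back and forth.
            return None
        if pkt.malformed:
            self.log.append(f"receive: bad mode 7 packet from {pkt.src}")
            # Vulnerable behaviour: the error reply is itself a packet that the
            # peer's parser rejects, so the peer logs it and replies in turn.
            return Packet(src=self.addr, dst=pkt.src, mode=MODE_PRIVATE,
                          response=True, malformed=True)
        return None


def run(ignore_responses, max_packets=50):
    """Inject one spoofed packet and count the traffic it generates.

    Returns (replies_sent, log_lines_written) summed over both servers.  The
    simulation stops after `max_packets` replies so the loop is visible
    without running forever; real ntpd has no such cap.
    """
    a = ToyNtpd("192.0.2.10", ignore_responses)  # documentation addresses, assumed
    b = ToyNtpd("192.0.2.20", ignore_responses)
    servers = {a.addr: a, b.addr: b}
    # The attacker's only packet: malformed, sent to A, source spoofed as B.
    queue = deque([Packet(src=b.addr, dst=a.addr, mode=MODE_PRIVATE,
                          response=False, malformed=True)])
    replies = 0
    while queue and replies < max_packets:
        pkt = queue.popleft()
        reply = servers[pkt.dst].handle(pkt)
        if reply is not None:
            queue.append(reply)
            replies += 1
    return replies, len(a.log) + len(b.log)


if __name__ == "__main__":
    print("vulnerable:", run(ignore_responses=False))
    print("fixed:     ", run(ignore_responses=True))
```

With the vulnerable behaviour the single injected packet produces as many replies and log lines as the cap allows; with the fix, the first server still logs the bad packet and sends one error reply, but the second server drops that reply and the exchange ends there. That is also the practical point: the attacker's cost is one packet, the victims' cost is unbounded, which is why the servers must be the ones to break the cycle.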
perl-IO-Socket-SSL: invalid certificate checking
| Package(s): | perl-IO-Socket-SSL |
| CVE #(s): | CVE-2009-3024 |
| Created: | December 7, 2009 |
| Updated: | January 17, 2011 |
| Description: |
From the Mandriva advisory:
The verify_hostname_of_cert function in the certificate checking
feature in IO-Socket-SSL (IO::Socket::SSL) 1.14 through 1.25 only
matches the prefix of a hostname when no wildcard is used, which
allows remote attackers to bypass the hostname check for a certificate
(CVE-2009-3024). |
| Alerts: | |
Comments (none posted)
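To show why a prefix match is a bypass, here is an added Python 3 reimplementation of the two behaviours in the perl-IO-Socket-SSL entry above (it is not IO::Socket::SSL's Perl code and does not reproduce its exact regular expression). `match_vulnerable` models the flaw as a pattern anchored only at the start of the hostname, so a certificate legitimately issued for `example.co` is accepted on a connection to `example.com`; `match_fixed` requires an exact, case-insensitive match and handles a single leftmost wildcard label explicitly. The certificate names and hostnames are made up for the example.

```python
import re


def _wildcard_match(identity, hostname):
    """Accept '*.example.com' for exactly one extra leftmost label.

    The wildcard must be the whole leftmost label and matches exactly one
    label, so 'a.b.example.com' is rejected.  Shared by both checkers below;
    the advisory attributes the flaw to the non-wildcard path only.
    """
    ilabels = identity.lower().split(".")
    hlabels = hostname.lower().split(".")
    if ilabels[0] != "*" or "*" in identity[1:]:
        return False
    if len(ilabels) != len(hlabels) or len(ilabels) < 3:
        return False
    return hlabels[0] != "" and ilabels[1:] == hlabels[1:]


def match_vulnerable(identity, hostname):
    """Model of the flawed check (illustrative, not the original Perl code).

    Without a wildcard the certificate name becomes a pattern anchored at the
    start of the hostname but not at its end, so any hostname that merely
    begins with the certificate name is accepted.
    """
    if "*" in identity:
        return _wildcard_match(identity, hostname)
    return re.match("^" + re.escape(identity), hostname, re.IGNORECASE) is not None


def match_fixed(identity, hostname):
    """Corrected check: the whole hostname must equal the certificate name."""
    if "*" in identity:
        return _wildcard_match(identity, hostname)
    return identity.lower() == hostname.lower()


def verify_hostname(cert_names, hostname, matcher):
    """Return True if any name on the certificate matches the target hostname.

    `cert_names` stands in for the subjectAltName dNSName entries (or the CN);
    a real client takes them from the certificate the server presented.
    """
    return any(matcher(name, hostname) for name in cert_names)


if __name__ == "__main__":
    # Constructed scenario: the attacker holds a valid certificate for a domain
    # they registered (example.co) and presents it while impersonating example.com.
    attacker_cert = ["example.co"]
    for label, matcher in (("vulnerable", match_vulnerable), ("fixed", match_fixed)):
        accepted = verify_hostname(attacker_cert, "example.com", matcher)
        print(f"{label}: certificate for example.co offered for example.com -> {accepted}")
```

The same unanchored check also accepts a certificate for `www.example.com` on a connection to `www.example.com.attacker.net`, which matters wherever the hostname is taken from untrusted input. Whatever language the client is written in, the rule is the same: a hostname comparison is an equality test on whole labels, never a substring or prefix search.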
pidgin: denial of service
| Package(s): | pidgin |
| CVE #(s): | CVE-2009-3025, CVE-2009-3084 |
| Created: | December 7, 2009 |
| Updated: | January 13, 2010 |
| Description: |
From the Mandriva advisory:
Unspecified vulnerability in Pidgin 2.6.0 allows remote attackers
to cause a denial of service (crash) via a link in a Yahoo IM
(CVE-2009-3025).
The msn_slp_process_msg function in libpurple/protocols/msn/slpcall.c
in the MSN protocol plugin in libpurple 2.6.0 and 2.6.1, as used in
Pidgin before 2.6.2, allows remote attackers to cause a denial of
service (application crash) via a handwritten (aka Ink) message,
related to an uninitialized variable and the incorrect UTF16-LE
charset name (CVE-2009-3084). |
| Alerts: | |
Comments (none posted)
qemu-kvm: guest crashes
| Package(s): | qemu-kvm |
| CVE #(s): | |
| Created: | December 4, 2009 |
| Updated: | December 9, 2009 |
| Description: |
From the Ubuntu advisory:
It was discovered that QEMU did not properly set up the virtio networking
features available to its guests. A remote attacker could exploit this to
crash QEMU guests which use virtio networking on Linux kernels earlier
than 2.6.26. |
| Alerts: | |
Comments (none posted)
request-tracker: session hijack vulnerability
| Package(s): | request-tracker |
| CVE #(s): | CVE-2009-3585 |
| Created: | December 3, 2009 |
| Updated: | December 11, 2009 |
| Description: |
From the Debian alert:
Mikal Gule discovered that request-tracker, an extensible trouble-ticket
tracking system, is prone to an attack, where an attacker with access
to the same domain can hijack a user's RT session. |
| Alerts: | |
Comments (none posted)
shibboleth-sp: cross-site scripting
| Package(s): | shibboleth-sp |
| CVE #(s): | CVE-2009-3300 |
| Created: | December 8, 2009 |
| Updated: | December 9, 2009 |
| Description: |
From the Debian advisory:
Matt Elder discovered that Shibboleth, a federated web single sign-on
system, is vulnerable to script injection through redirection URLs. More
details can be found in the Shibboleth advisory at
http://shibboleth.internet2.edu/secadv/secadv_20091104.txt. |
| Alerts: | |
Comments (none posted)
zsh: buffer overflow
| Package(s): | zsh |
| CVE #(s): | |
| Created: | December 3, 2009 |
| Updated: | December 9, 2009 |
| Description: |
From the Mandriva alert:
A stack-based buffer overflow was found in the zsh command
interpreter. An attacker could use this flaw to cause a denial of
service (zsh crash), when providing a specially-crafted string as
input to the zsh shell. |
| Alerts: | |
Comments (none posted)
Page editor: Jake Edge