By Jake Edge
December 16, 2009
In the currently ongoing Linux kernel merge window, for the kernel which will
become 2.6.33, a new TCP feature has been added. TCP
cookie transactions [PDF] are meant to eliminate various kinds of
attacks, such as denial of service, while making the TCP connection
handshake use fewer resources. One of the main motivations for cookie
transactions is to avoid some problems that have cropped up in rolling out
DNSSEC (Domain Name System Security).
DNSSEC responses are substantially larger than those of DNS, large enough
that they have outgrown the default UDP datagram size of 512 bytes. UDP is
generally used for DNS today, but large responses from DNSSEC over UDP
result in multiple IP fragments. While it is perfectly reasonable to break
up UDP packets that way, there are a large number of Network Address
Translation (NAT) routers and firewalls that do not properly handle
multiple UDP fragments.
When a DNS response is not received—or not received properly—a
DNS resolver will typically retry the request over TCP. Because TCP
is connection-oriented, there is a handshake that goes on to establish that
connection before any data gets transferred. Normally, servers need to
save some state between the two client packets that constitute the
handshake. When handling an enormous number of requests, as the DNS root
servers will, for example, the storage of that state adds up quickly. In
addition, the well-known SYN-flood attack sends just the first packet of
the handshake, often from a spoofed IP address, and never replies to the
server to complete the connection. Enough "half open" connections can
exhaust the server's resources, leading to a denial of service.
SYN cookies were created to
defend against SYN flood attacks, and have been in the Linux kernel since
1997 when those attacks were raging. But, as Perry Metzger, William Allen
Simpson, and Paul Vixie describe in their TCP cookie transactions (TCPCT)
paper linked above, SYN cookies are only used when a system is under
attack. They are a clever hack that uses the TCP sequence number to allow servers to defer using
resources until they receive the second handshake packet from the client.
Crucially, SYN cookies did not require client support, so they could be
deployed unilaterally on the server side.
Various other mechanisms have been proposed to handle these problems over
the years but, as outlined in the paper, failed to completely solve the
problem. TCPCT sets out to do just that. It adds a new TCP option that
contains a much larger, cryptographically secure cookie that is sent by the
client in the initial handshake (SYN) packet. The server can then create a
cookie for the reply that only it can decode. When the client uses that
cookie in its second handshake (the third overall of the three-way
handshake), the server can recover all of the information it needs to
establish the connection from the cookie.
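To make the deferred-state idea behind both SYN cookies and TCPCT concrete, here is an added example in Python that is not from the article, the kernel, or the TCPCT paper. It models a server that keeps no per-connection state between the client's SYN and its final ACK: the parameters it would otherwise have to remember (the peer's MSS and a timestamp) travel in a cookie bound to the connection 4-tuple and the client's ISN with an HMAC under a server secret, so only the server can validate it, and it rebuilds the connection from the echoed cookie on the third packet. The segment structure, the cookie layout (timestamp, MSS, 16-byte truncated tag), the 60-second validity window and all addresses are assumptions for the demonstration; this is neither the kernel's SYN-cookie encoding nor TCPCT's option format.

```python
"""Stateless TCP handshake with a MAC-bound cookie (educational model).

Added example, not from the article: the server stores nothing between the
SYN and the final ACK; the cookie carries what it needs. Segments are plain
objects, not real TCP; cookie layout, lifetime and addresses are assumed.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]      # (ip, port)
COOKIE_LIFETIME = 60        # seconds a cookie stays valid (assumed window)
MAC_LEN = 16                # truncated HMAC-SHA256 tag length (assumed)
SEQ_MASK = 0xFFFFFFFF       # TCP sequence numbers wrap at 32 bits


@dataclass
class Segment:
    src: Addr
    dst: Addr
    seq: int
    ack: int = 0
    syn: bool = False
    ack_flag: bool = False
    mss: int = 0
    cookie: bytes = b""     # stands in for the TCP cookie option


@dataclass
class StatelessServer:
    addr: Addr
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    established: Dict[Addr, dict] = field(default_factory=dict)

    def _tag(self, peer: Addr, client_isn: int, ts: int, mss: int) -> bytes:
        # Bind the cookie to the peer, our own address, the client's ISN,
        # the timestamp and the MSS, so none of them can be altered in transit.
        msg = "|".join(map(str, (peer, self.addr, client_isn, ts, mss))).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:MAC_LEN]

    def make_cookie(self, peer: Addr, client_isn: int, mss: int, now: int) -> bytes:
        return struct.pack("!IH", now, mss) + self._tag(peer, client_isn, now, mss)

    def open_cookie(self, peer: Addr, client_isn: int, cookie: bytes, now: int) -> Optional[int]:
        """Return the MSS recovered from a valid, fresh cookie, else None."""
        if len(cookie) != 6 + MAC_LEN:
            return None
        ts, mss = struct.unpack("!IH", cookie[:6])
        if not hmac.compare_digest(cookie[6:], self._tag(peer, client_isn, ts, mss)):
            return None                     # forged, or replayed from another 4-tuple
        if not 0 <= now - ts <= COOKIE_LIFETIME:
            return None                     # stale: bounds how long a cookie can be replayed
        return mss

    def on_syn(self, seg: Segment, now: int) -> Segment:
        # Nothing is stored here: a flood of spoofed SYNs costs one HMAC each
        # and leaves no half-open entries behind.
        cookie = self.make_cookie(seg.src, seg.seq, seg.mss, now)
        server_isn = int.from_bytes(cookie[-4:], "big")   # ISN derived from the tag
        return Segment(src=self.addr, dst=seg.src, seq=server_isn,
                       ack=(seg.seq + 1) & SEQ_MASK, syn=True, ack_flag=True,
                       mss=1460, cookie=cookie)

    def on_ack(self, seg: Segment, now: int) -> Optional[dict]:
        # The third packet must echo the cookie; the connection is rebuilt
        # from it, so the server never had to remember the SYN.
        mss = self.open_cookie(seg.src, (seg.seq - 1) & SEQ_MASK, seg.cookie, now)
        if mss is None:
            return None
        server_isn = int.from_bytes(seg.cookie[-4:], "big")
        if seg.ack != (server_isn + 1) & SEQ_MASK:
            return None                     # ACK does not match the ISN we issued
        conn = {"peer": seg.src, "peer_mss": mss,
                "snd_nxt": seg.ack, "rcv_nxt": seg.seq}
        self.established[seg.src] = conn
        return conn


def client_handshake(server, client, isn, mss=1200, syn_time=1000,
                     ack_time=1000, tamper=False):
    """Drive one three-way handshake; return the server's connection or None."""
    syn = Segment(src=client, dst=server.addr, seq=isn, syn=True, mss=mss)
    synack = server.on_syn(syn, syn_time)
    cookie = synack.cookie
    if tamper:                              # flip one bit of the tag in transit
        cookie = cookie[:-1] + bytes([cookie[-1] ^ 1])
    ack = Segment(src=client, dst=server.addr, seq=(isn + 1) & SEQ_MASK,
                  ack=(synack.seq + 1) & SEQ_MASK, ack_flag=True, cookie=cookie)
    return server.on_ack(ack, ack_time)


def syn_flood(server, count=1000):
    """Spoofed SYNs never followed by an ACK; return the entries left behind."""
    for i in range(count):                  # constructed TEST-NET-2 source addresses
        server.on_syn(Segment(src=(f"198.51.100.{i % 250}", 40000 + i),
                              dst=server.addr, seq=i, syn=True, mss=536), 1000)
    return len(server.established)
```

Calling `client_handshake(StatelessServer(("192.0.2.1", 53)), ("192.0.2.10", 5555), isn=4242)` returns a connection whose MSS and sequence numbers were recovered entirely from the cookie; the same call with `tamper=True`, or with `ack_time` past the lifetime, returns `None`; and `syn_flood` on a fresh server leaves zero entries behind. The timestamp is what keeps a captured cookie from being replayable for a given 4-tuple indefinitely, which is the defender's reason for bounding its lifetime.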
In addition, TCPCT allows for a limited amount of data to be sent in the
request from the client and reply from the server, which allows for a
query/response like DNS to be handled as part of the connection
establishment. In those cases, the connection is torn down as soon as it
is established.
TCPCT also addresses another problem that heavily used servers often
have: port exhaustion. The TCP protocol requires that there be a timeout
before port numbers are reused so that old messages that get delivered do
not get confused with those of a newly-established connection. This is the TIME_WAIT
timeout (usually four minutes) that is often annoying to those who restart
server programs frequently (at least those without the
SO_REUSEADDR socket flag). Since there are a limited number of ports
available (nominally 64K, but at least 1K are reserved), an active
server may have all of its free ports in the TIME_WAIT state. Because
TCPCT can distinguish new and old connections based on the cookie data, it
no longer has to wait on the server side. Only clients need wait out the
TIME_WAIT period.
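The TIME_WAIT cost on the server side can be seen directly. The following added example (Python, not from the article) opens one loopback connection, has the server side close first so that its port ends up in TIME_WAIT, and then tries to bind the same port again with and without SO_REUSEADDR. The listener sets SO_REUSEADDR as well, as a well-behaved server does; on Linux the second bind only succeeds when both the old and the new socket set the option. The 0.2-second pause and the use of 127.0.0.1 are assumptions of the demonstration.

```python
"""Why a restarted server trips over TIME_WAIT, and what SO_REUSEADDR changes.

Added example, not from the article: one loopback connection where the
server closes first, then two bind attempts on the now-occupied port.
"""
import errno
import socket
import time


def try_bind(port: int, reuse: bool) -> bool:
    """Return True if a fresh socket can bind 127.0.0.1:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if reuse:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("127.0.0.1", port))
        return True
    except OSError as e:
        if e.errno != errno.EADDRINUSE:
            raise
        return False                 # "Address already in use"
    finally:
        s.close()


def leave_port_in_time_wait() -> int:
    """Run one loopback connection in which the server closes first; return the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    client = socket.create_connection(("127.0.0.1", port))
    conn, _ = listener.accept()
    conn.close()                     # active close: the server side goes to TIME_WAIT
    client.close()
    listener.close()
    time.sleep(0.2)                  # assumed: enough for the FIN/ACK exchange to finish
    return port


def demo() -> dict:
    """Show that only SO_REUSEADDR lets a server rebind a port still in TIME_WAIT."""
    port = leave_port_in_time_wait()
    return {"port": port,
            "bind_without_reuseaddr": try_bind(port, reuse=False),
            "bind_with_reuseaddr": try_bind(port, reuse=True)}
```

`demo()` returns `bind_without_reuseaddr` as `False` and `bind_with_reuseaddr` as `True`: the old connection still occupies the port for the TIME_WAIT period, and only the socket option lets a restarted listener take it back. That is the per-port cost on a busy server that the article says TCPCT removes from the server side.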
Obviously, TCPCT requires client support, and it will be some time
before most operating systems have that support. As is often the case,
Linux is out ahead of the pack by supporting TCPCT in the mainline. But
even for Linux, it will be quite some time before 2.6.33 kernels make their
way out to users via their distributions. Given that, widespread DNSSEC
deployment seems quite a few years off, something that is a bit
disheartening given all of the recent DNS server issues.
Comments (7 posted)
Brief items
Amarok hacker Mark Kretschmann looks at the recent malware hidden in a GNOME screen saver. As he points out, it certainly isn't a GNOME-specific problem, as the same thing could happen to KDE and other projects. He and Ian Monroe came up with a way to help alleviate the problem by requiring public version control for Amarok scripts.
"With a VCS [version control system], it's very easy to tell who inserted Malware, and when this person did this. This fact alone would provide some accountability, and I think it might prevent a good deal of attempts of messing around with the code. And even if it happened anyway, it would be trivial to revert the change, and we would just ban the person who did this from ever committing to this repository again."
Comments (57 posted)
New vulnerabilities
asterisk: denial of service
| Package(s): | asterisk |
| CVE #(s): | CVE-2009-4055 |
| Created: | December 11, 2009 |
| Updated: | June 4, 2010 |
| Description: | From the CVE entry: rtp.c in Asterisk Open Source 1.2.x before 1.2.37, 1.4.x before 1.4.27.1, 1.6.0.x before 1.6.0.19, and 1.6.1.x before 1.6.1.11; Business Edition B.x.x before B.2.5.13, C.2.x.x before C.2.4.6, and C.3.x.x before C.3.2.3; and s800i 1.3.x before 1.3.0.6 allows remote attackers to cause a denial of service (daemon crash) via an RTP comfort noise payload with a long data length. |
| Alerts: | |
Comments (none posted)
asterisk: multiple vulnerabilities
| Package(s): | asterisk |
| CVE #(s): | CVE-2008-3903, CVE-2009-3727, CVE-2007-2383 |
| Created: | December 15, 2009 |
| Updated: | June 4, 2010 |
| Description: | From the Debian advisory: It is possible to determine a valid SIP username, when Digest authentication and authalwaysreject are enabled (AST-2009-003). (CVE-2008-3903) It is possible to determine a valid SIP username via multiple crafted REGISTER messages (AST-2009-008). (CVE-2009-3727) It was discovered that asterisk contains an obsolete copy of the Prototype JavaScript framework, which is vulnerable to several security issues. This copy is unused and now removed from asterisk (AST-2009-009). (CVE-2007-2383) |
| Alerts: | |
Comments (none posted)
cacti: cross-site scripting
| Package(s): | cacti |
| CVE #(s): | CVE-2009-4032 |
| Created: | December 16, 2009 |
| Updated: | August 24, 2010 |
| Description: | Cacti suffers from several cross-site scripting vulnerabilities. |
| Alerts: | |
Comments (none posted)
Cacti: privilege escalation
| Package(s): | cacti |
| CVE #(s): | CVE-2009-4112 |
| Created: | December 16, 2009 |
| Updated: | January 12, 2010 |
| Description: | Cacti allows authenticated administrator users to gain access to the host system and execute arbitrary commands via the "Linux: Get Memory Usage" setting. Note that no fix for this problem is available as of this writing; administrative access should simply not be given to untrusted users. |
| Alerts: | |
Comments (none posted)
firefox: multiple vulnerabilities
Comments (none posted)
firefox-sage: insufficient input sanitizing
| Package(s): | firefox-sage |
| CVE #(s): | CVE-2009-4102 |
| Created: | December 15, 2009 |
| Updated: | December 16, 2009 |
| Description: | From the Debian advisory: It was discovered that firefox-sage, a lightweight RSS and Atom feed reader for Firefox, does not sanitize the RSS feed information correctly, which makes it prone to a cross-site scripting and a cross-domain scripting attack. |
| Alerts: | |
Comments (none posted)
gpdf: buffer overflow
| Package(s): | gpdf |
| CVE #(s): | CVE-2009-4035 |
| Created: | December 16, 2009 |
| Updated: | February 16, 2010 |
| Description: | The type-1 font parser in gpdf suffers from a buffer overflow, exploitable via a maliciously-crafted PDF file. |
| Alerts: | |
Comments (none posted)
kdebase-runtime: missing input validation
| Package(s): | kdebase-runtime |
| CVE #(s): | |
| Created: | December 11, 2009 |
| Updated: | December 16, 2009 |
| Description: | From the Ubuntu advisory: It was discovered that the KIO subsystem of KDE did not properly perform input validation when processing help:// URIs. If a user or KIO application processed a crafted help:// URI, an attacker could trigger JavaScript execution or access files via directory traversal. |
| Alerts: | |
Comments (none posted)
kernel: privilege escalation
| Package(s): | kernel |
| CVE #(s): | CVE-2009-4131 |
| Created: | December 10, 2009 |
| Updated: | January 21, 2010 |
| Description: | From the Ubuntu alert: Akira Fujita discovered that the Ext4 "move extents" ioctl did not correctly check permissions. A local attacker could exploit this to overwrite arbitrary files on the system, leading to root privilege escalation. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2009-4021 |
| Created: | December 14, 2009 |
| Updated: | March 1, 2010 |
| Description: | From the SUSE advisory: CVE-2009-4021: The fuse_direct_io function in fs/fuse/file.c in the fuse subsystem in the Linux kernel might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack. |
| Alerts: | |
Comments (none posted)
merkaartor: symbolic link vulnerability
| Package(s): | merkaartor |
| CVE #(s): | CVE-2009-4193 |
| Created: | December 16, 2009 |
| Updated: | December 16, 2009 |
| Description: | Merkaartor suffers from a symbolic link vulnerability on /tmp/merkaartor.log, allowing a local attacker to append data to arbitrary files. |
| Alerts: | |
Comments (none posted)
moodle: multiple vulnerabilities
| Package(s): | moodle |
| CVE #(s): | |
| Created: | December 11, 2009 |
| Updated: | December 16, 2009 |
| Description: | From the Red Hat bugzilla: Moodle upstream has released latest stable versions (1.9.7 and 1.8.11), fixing multiple security issues. |
| Alerts: | |
Comments (none posted)
mysql: denial of service
| Package(s): | mysql |
| CVE #(s): | CVE-2009-4019 |
| Created: | December 11, 2009 |
| Updated: | May 10, 2010 |
| Description: | From the CVE entry: mysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not (1) properly handle errors during execution of certain SELECT statements with subqueries, and does not (2) preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement. |
| Alerts: | |
Comments (none posted)
postgresql: multiple vulnerabilities
| Package(s): | postgresql |
| CVE #(s): | CVE-2009-4034, CVE-2009-4136 |
| Created: | December 15, 2009 |
| Updated: | May 28, 2010 |
| Description: | From the Mandriva advisory: NULL Bytes in SSL Certificates can be used to falsify client or server authentication. This only affects users who have SSL enabled, perform certificate name validation or client certificate authentication, and where the Certificate Authority (CA) has been tricked into issuing invalid certificates. The use of a CA that can be trusted to always issue valid certificates is recommended to ensure you are not vulnerable to this issue (CVE-2009-4034). Privilege escalation via changing session state in an index function. This closes a corner case related to vulnerabilities CVE-2009-3230 and CVE-2007-6600 (CVE-2009-4136). |
| Alerts: | |
Comments (none posted)
rt3: session hijack
| Package(s): | rt3 |
| CVE #(s): | CVE-2009-4151 |
| Created: | December 11, 2009 |
| Updated: | December 16, 2009 |
| Description: | From the CVE entry: Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages "HTTP access to the RT server," a related issue to CVE-2009-3585. |
| Alerts: | |
Comments (none posted)
rubygem-actionpack: strip_tags function weakness
| Package(s): | rubygem-actionpack |
| CVE #(s): | CVE-2009-4214 |
| Created: | December 10, 2009 |
| Updated: | September 5, 2011 |
| Description: | From the Fedora bug report: There is a weakness in the strip_tags function in ruby on rails. Due to a bug in the parsing code inside HTML::Tokenizer regarding non-printable ascii characters, an attacker can include values which certain browsers will then evaluate. |
| Alerts: | |
Comments (none posted)
webkit: multiple vulnerabilities
| Package(s): | webkit |
| CVE #(s): | CVE-2009-1714, CVE-2009-1710, CVE-2009-1697, CVE-2009-1695, CVE-2009-1693, CVE-2009-1694, CVE-2009-1681, CVE-2009-1684, CVE-2009-1692 |
| Created: | December 14, 2009 |
| Updated: | January 25, 2011 |
| Description: | From the Debian advisory: CVE-2009-1714: Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit allows user-assisted remote attackers to inject arbitrary web script or HTML, and read local files, via vectors related to the improper escaping of HTML attributes. CVE-2009-1710: WebKit allows remote attackers to spoof the browser's display of the host name, security indicators, and unspecified other UI elements via a custom cursor in conjunction with a modified CSS3 hotspot property. CVE-2009-1697: CRLF injection vulnerability in WebKit allows remote attackers to inject HTTP headers and bypass the Same Origin Policy via a crafted HTML document, related to cross-site scripting (XSS) attacks that depend on communication with arbitrary web sites on the same server through use of XMLHttpRequest without a Host header. CVE-2009-1695: Cross-site scripting (XSS) vulnerability in WebKit allows remote attackers to inject arbitrary web script or HTML via vectors involving access to frame contents after completion of a page transition. CVE-2009-1693: WebKit allows remote attackers to read images from arbitrary web sites via a CANVAS element with an SVG image, related to a "cross-site image capture issue." CVE-2009-1694: WebKit does not properly handle redirects, which allows remote attackers to read images from arbitrary web sites via vectors involving a CANVAS element and redirection, related to a "cross-site image capture issue." CVE-2009-1681: WebKit does not prevent web sites from loading third-party content into a subframe, which allows remote attackers to bypass the Same Origin Policy and conduct "clickjacking" attacks via a crafted HTML document. CVE-2009-1684: Cross-site scripting (XSS) vulnerability in WebKit allows remote attackers to inject arbitrary web script or HTML via an event handler that triggers script execution in the context of the next loaded document. CVE-2009-1692: WebKit allows remote attackers to cause a denial of service (memory consumption or device reset) via a web page containing an HTMLSelectElement object with a large length attribute, related to the length property of a Select object. |
| Alerts: | |
Comments (none posted)
Page editor: Jake Edge