By Jake Edge
March 17, 2010
The recently completed Linux
2.6.34 merge window included a patch
to eliminate a type of denial-of-service attack against
routers. The "Generalized TTL Security Mechanism" (GTSM) is described in
RFC 5082 as a means to
protect routers from CPU-utilization attacks—essentially overloading
the router with bogus Border Gateway Protocol (BGP) packets. With the
addition of a simple socket option, those attacks can be easily thwarted.
Time-to-live (or TTL) is an eight-bit field in an IP packet that is
initially set to some value (by default 64) on the sending host. Each host
that forwards
the packet decrements it, and if it ever reaches zero, the packet is
discarded. The idea is to eliminate the possibility of immortal packets
that continue to be forwarded in some kind of Internet loop eventually
consuming all of the bandwidth. Tools like traceroute and
ping can change the TTL values of the packets they send to
provide different kinds of information about the network.
Since TTL is already a part of IP, it can be extended in compatible ways.
The idea behind GTSM is that two applications negotiate a minimum TTL value
that they will accept; any packet that arrives with a lower value is
discarded. Because routers that are communicating via BGP—the core Internet
routing protocol—are typically adjacent (i.e. one hop from each other), and
spoofing a TTL is considered to be more-or-less impossible (every forwarding
hop decrements it, so a remote attacker cannot make a packet arrive with a
higher TTL than the path allows), the TTL value can be used to eliminate
spoofed packets. By setting the minimum TTL value to 255, and sending their
packets with a TTL of 255, two routers can ensure that they only process BGP
packets from each other.
BGP sessions typically use an MD5-based signature to authenticate the
sender. Prior to GTSM, an attacker could spoof IP packets to a router,
which looked like they came from one of its peers. It would then do the
MD5 calculation and find out that, in fact, the packet was bogus. But that
takes CPU time. Enough spoofed packets may tie up the CPU such that real
messages get lost. GTSM allows routers to drop the spoofed packets without
ever calculating the MD5 hash.
The Linux patch is rather simple and the implementation is the same as that
for BSD kernels. A new option (IP_MINTTL) is added that can be
used with setsockopt() to change the minimum TTL for a socket. If
set, the TCP code checks the value and discards packets that have smaller
TTLs.
The patch does not add support for various other protocols (e.g. UDP) nor
for the IPv6 equivalent, which is IPV6_MINHOPLIMIT.
Applications would need to negotiate the use of GTSM via some
higher-level protocol and, as the RFC points out, need to authenticate the
peer before enabling GTSM. Another kind of denial-of-service could be
performed if a bogus packet initiating IP_MINTTL is processed.
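The following is an added example, not code from the kernel patch or the article, showing how a BGP daemon would use the option on Linux: send with TTL 255 via IP_TTL and let the kernel enforce the floor with IP_MINTTL. The function names are mine, the `hops` parameter generalises the adjacent-router case in the text to RFC 5082's trust radius, and the fallback value 21 for IP_MINTTL is an assumption for libc headers that predate the patch.

```c
/* Configure a Linux TCP socket for GTSM (RFC 5082) using IP_TTL and IP_MINTTL. */
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_MINTTL
#define IP_MINTTL 21 /* Linux UAPI value; assumed fallback for older libc headers */
#endif

/* Sending side of GTSM: emit segments with the maximum TTL (255 for BGP). */
int gtsm_set_outgoing_ttl(int fd, int ttl)
{
    return setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof ttl);
}
/* Receiving side: once set, the kernel discards TCP segments whose TTL is
 * below min_ttl before TCP, and any TCP-MD5 signature check, sees them. */
int gtsm_set_min_ttl(int fd, int min_ttl)
{
    return setsockopt(fd, IPPROTO_IP, IP_MINTTL, &min_ttl, sizeof min_ttl);
}
/* Read back the threshold the kernel holds for the socket (-1 on error). */
int gtsm_get_min_ttl(int fd)
{
    int val = -1;
    socklen_t len = sizeof val;
    if (getsockopt(fd, IPPROTO_IP, IP_MINTTL, &val, &len) < 0)
        return -1;
    return val;
}
/* Enable GTSM for a peer `hops` router-hops away (1 = directly adjacent, the
 * BGP case in the article). A packet from that peer arrives with TTL
 * 255 - (hops - 1), so that is the lowest value accepted; RFC 5082 calls
 * hops - 1 the trust radius. Apply only after the peer has been authenticated. */
int gtsm_enable(int fd, int hops)
{
    if (hops < 1 || hops > 255)
        return -1;
    if (gtsm_set_outgoing_ttl(fd, 255) < 0)
        return -1;
    return gtsm_set_min_ttl(fd, 255 - (hops - 1));
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0); /* unconnected: no network needed */
    if (fd < 0 || gtsm_enable(fd, 1) < 0) { perror("gtsm"); return 1; }
    printf("IP_MINTTL is now %d\n", gtsm_get_min_ttl(fd));
    return close(fd);
}
```

As the article notes, the option only affects TCP in this patch; UDP sockets and the IPv6 equivalent (IPV6_MINHOPLIMIT) are not covered.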
It is interesting to see a basic IP building-block like TTL being
repurposed to stop these kinds of attacks. The idea has been around for a
bit, with the first RFC
being accepted in 2004. As with many Internet security techniques, it only
came about after these CPU-utilization attacks became widespread. Each
time attackers find a new hole, various folks find some kind of fix. It is
a non-stop game of whack-a-mole, and one that isn't likely to end soon.
Brief items
SpamAssassin-milter plugs SpamAssassin into mail agents which speak the "milter" protocol. It is, evidently, trivially easy to get this plugin to execute commands as root when it is used with Postfix in some configurations, and possibly with other mailers as well. There is a bug tracker entry where progress on a patch can be followed; the developers seem to not be in a great hurry, despite the fact that exploits are circulating. Sites using SpamAssassin-milter should probably just disable it for now. (Thanks to Christof Damian.)
New vulnerabilities
dpkg: path traversal
Package(s): dpkg
CVE #(s): CVE-2010-0396
Created: March 11, 2010
Updated: March 22, 2010
Description: From the Debian advisory:
William Grant discovered that the dpkg-source component of dpkg, the low-level infrastructure for handling the installation and removal of Debian software packages, is vulnerable to path traversal attacks. A specially crafted Debian source package can lead to file modification outside of the destination directory when extracting the package content.
Alerts:
drbd8: privilege escalation
Package(s): drbd8
CVE #(s): (none assigned)
Created: March 16, 2010
Updated: March 17, 2010
Description: From the Debian advisory:
Philipp Reisner fixed an issue in the drbd kernel module that allows local users to send netlink packets to perform actions that should be restricted to users with CAP_SYS_ADMIN privileges. This is a similar issue to those described by CVE-2009-3725.
Alerts:
drupal: multiple vulnerabilities
Package(s): drupal6
CVE #(s): (none assigned)
Created: March 15, 2010
Updated: March 17, 2010
Description: From the Debian advisory:
Several vulnerabilities (SA-CORE-2010-001) have been discovered in drupal6, a fully-featured content management framework.
Installation cross site scripting: A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet installed.
Open redirection: The API function drupal_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL.
Locale module cross site scripting: Locale module and dependent contributed modules do not sanitize the display of language codes, native and English language names properly. While these usually come from a preselected list, arbitrary administrator input is allowed. This vulnerability is mitigated by the fact that the attacker must have a role with the 'administer languages' permission.
Blocked user session regeneration: Under certain circumstances, a user with an open session that is blocked can maintain his/her session on the Drupal site, despite being blocked.
Alerts:
egroupware: multiple vulnerabilities
Package(s): egroupware
CVE #(s): (none assigned)
Created: March 12, 2010
Updated: March 17, 2010
Description: From the Debian advisory:
Nahuel Grisolia discovered two vulnerabilities in Egroupware, a web-based groupware suite: missing input sanitising in the spellchecker integration may lead to the execution of arbitrary commands, and a cross-site scripting vulnerability was discovered in the login page.
Alerts:
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2010-0623
Created: March 17, 2010
Updated: May 3, 2010
Description: The kernel prior to version 2.6.33-rc7 does not properly manage futex reference counts, enabling local users to force a kernel oops.
Alerts:
kernel: remote denial of service
Package(s): kernel
CVE #(s): CVE-2010-0008
Created: March 17, 2010
Updated: July 5, 2011
Description: A maliciously-crafted SCTP packet can cause a kernel crash on the targeted system.
Alerts:
kernel: null pointer dereference
Package(s): kernel
CVE #(s): CVE-2009-4271
Created: March 17, 2010
Updated: June 4, 2010
Description: The kernel can be forced to dereference a null pointer while executing a core dump, enabling a denial of service attack or possibly privilege escalation, depending on how the kernel is configured.
Alerts:
kernel: null pointer dereference
Package(s): kernel
CVE #(s): CVE-2010-0437
Created: March 17, 2010
Updated: June 4, 2010
Description: Due to a flaw in the IPv6 protocol implementation, a remote attacker might be able to force a null pointer dereference with hostile network traffic.
Alerts:
libpng: resource consumption
Package(s): libpng10
CVE #(s): CVE-2010-0205
Created: March 16, 2010
Updated: October 6, 2010
Description: From the Red Hat bugzilla:
It was reported that libpng suffers from an issue where certain highly compressed ancillary chunks (zTxt, iTxt, iCCP) could cause libpng to stall or crash by consuming huge amounts of memory. This vulnerability is reported to affect all versions of libpng prior to 1.4.1, as well as versions of Firefox from 3.0. It is also possible that other gecko-based browsers are vulnerable, as well as all versions of pngcrush, ImageMagick, and GraphicsMagick.
Alerts:
moin: multiple vulnerabilities
Package(s): moin
CVE #(s): CVE-2010-0668, CVE-2010-0669, CVE-2010-0717
Created: March 12, 2010
Updated: October 19, 2012
Description: From the Debian advisory:
CVE-2010-0668: Multiple security issues in MoinMoin related to configurations that have a non-empty superuser list, the xmlrpc action enabled, the SyncPages action enabled, or OpenID configured.
CVE-2010-0669: MoinMoin does not properly sanitize user profiles.
CVE-2010-0717: The default configuration of cfg.packagepages_actions_excluded in MoinMoin does not prevent unsafe package actions.
Alerts:
ncpfs: multiple vulnerabilities
Package(s): ncpfs
CVE #(s): CVE-2010-0790, CVE-2010-0791
Created: March 12, 2010
Updated: June 14, 2010
Description: From the Mandriva advisory:
sutil/ncpumount.c in ncpumount in ncpfs 2.2.6 produces certain detailed error messages about the results of privileged file-access attempts, which allows local users to determine the existence of arbitrary files via the mountpoint name (CVE-2010-0790).
The (1) ncpmount, (2) ncpumount, and (3) ncplogin programs in ncpfs 2.2.6 do not properly create lock files, which allows local users to cause a denial of service (application failure) via unspecified vectors that trigger the creation of a /etc/mtab~ file that persists after the program exits (CVE-2010-0791).
Alerts:
pango: denial of service
Package(s): pango
CVE #(s): CVE-2010-0421
Created: March 16, 2010
Updated: March 2, 2011
Description: From the Red Hat advisory:
An input sanitization flaw, leading to an array index error, was found in the way the Pango font rendering library synthesized the Glyph Definition (GDEF) table from a font's character map and the Unicode property database. If an attacker created a specially-crafted font file and tricked a local, unsuspecting user into loading the font file in an application that uses the Pango font rendering library, it could cause that application to crash.
Alerts:
pulseaudio: denial of service
Package(s): pulseaudio
CVE #(s): CVE-2009-1299
Created: March 16, 2010
Updated: June 24, 2010
Description: From the Debian advisory:
Dan Rosenberg discovered that the PulseAudio sound server creates a temporary directory with a predictable name. This allows a local attacker to create a Denial of Service condition or possibly disclose sensitive information to unprivileged users.
Alerts:
tar, cpio: arbitrary code execution
Package(s): tar cpio
CVE #(s): CVE-2010-0624
Created: March 16, 2010
Updated: November 21, 2011
Description: From the Red Hat advisory:
A heap-based buffer overflow flaw was found in the way tar and cpio expand archive files. If a user were tricked into expanding a specially-crafted archive, it could cause the executable to crash or execute arbitrary code with the privileges of the user running it.
Alerts:
viewvc: cross-site scripting
Package(s): viewvc
CVE #(s): (none assigned)
Created: March 16, 2010
Updated: April 5, 2010
Description: From the viewvc changelog:
Version 1.1.4 security fix: escape user-provided query form input to avoid XSS attack.
Alerts:
Page editor: Jake Edge