|
|
| |
|
| |
Security
By Jake Edge
July 14, 2010
A recent report clearly demonstrates that
computer security is not exempt from the "law of unintended consequences".
As DNSSEC (Domain Name System Security Extensions) is rolled out, we will
likely see various kinds of unanticipated problems in that system which is
meant to secure the internet name resolution process. One of the concerns
about DNSSEC has always been the amount of additional traffic it would
generate, as well as the processing burden on DNS servers—both of
those came into play here.
The report
from Cisco reads a bit like a detective story. A particular DNS server
saw a sudden 2-3x increase in its traffic, which at first glance appeared
to be some kind of denial of service (DoS) attack. Further investigation
showed that the query rate jumped from tens of queries per second (qps) to around
3000 qps. Because it was a DNSSEC signed zone, each query required two
responses—a key resource record (DNSKEY RR) and a signature RR (RRSIG
RR)—totaling more than 1K in size. That led to response traffic of
35 megabits per second (3000+ queries x 1K+ bytes).
When a small amount of data can be sent that generates a much larger
response, there is an "amplification" effect going on. That means that an
attacker can use much less of a resource, bandwidth say, than the victim
must use to respond. So, a small bandwidth investment, spread out over a large number
of attackers (in a DDoS, distributed DoS), can easily cause a victim to generate
more traffic than it can handle. Because DNS typically uses UDP to eliminate
the connection establishment overhead of TCP, it also makes it easier for
attackers, as they don't need to use state-tracking resources on their end.
These kinds
of amplification attacks are well-known for the existing DNS. It is also
understood that DNSSEC adds other amplification possibilities, but those
known cases were not the cause of the problem that Cisco investigated.
In analyzing the data from this event, it was determined that a very small
fraction of clients (1,000 out of 500,000-1,000,000 daily unique clients)
were making
repeated queries for the same DNSKEY RR. It could have been from some kind of
bug in certain DNS clients, but
because the event was so sudden, it suggested that there was some kind of
"external trigger". An obvious trigger would be a change to the DNS
information being served and that was in fact the case: the cryptographic
keys had been changed on the day of the traffic increase.
Normally, a key rollover is handled by keeping both keys around for an
overlap period and signing resource records with both keys during that
time. Either key can be used to verify the signature during the overlap,
and eventually the old key can be deprecated and then removed. Keys are
signed by
a parent server's key (i.e. example.com's key is signed by the
.com
server's key), all the way up to the key used to
sign the root keys. Today, those root keys are often stored locally by the
client as "Trust Anchor". If a client cannot verify a signature with
a key that it has in its cache, it will request a new key from the parent,
because it
assumes the key has changed.
Before it requests a key from the parent, though, it re-requests the key
from the server it is talking to, because it assumes that it is getting
bogus responses from some kind of attack. If it really were an attack,
that would be the right response, but if there were some misconfiguration
on the part of the client, it would just make the problem worse. It turns
out that some clients were distributed with a static set of Trust Anchors.
Once those keys were rolled over, those clients were out of date and could
no longer resolve names associated with those parts of the DNS hierarchy.
But, the amplification turns out to be quite a bit larger than just a
handful of retries for an affected server. When a client cannot verify a
signature, it will do a depth-first search of the alternative name servers,
querying each server to try to find keys that it can use. There are 14
.com name servers, and potentially several name servers for
example.com. This leads to a combinatorial explosion of sorts,
where a query for a single host name (test.example.com for
example) in a simple configuration (two example.com name servers)
leads to 844 separate queries.
Other, much worse, scenarios are described in the report. It is
interesting that perfectly reasonable behavior by clients who have ended up
with outdated information can lead to such a huge increase in the traffic
that DNS servers, especially the root servers, may have to handle. The
conclusion from the Cisco report is certainly eye-opening:
It is an inherent quality of the DNSSEC deployment that in seeking to
prevent lies, an aspect of the stability of the DNS has been weakened. When
a client falls out of synchronization with the current key state of DNSSEC,
it will mistake the current truth for an attempt to insert a lie. The
subsequent efforts of the client to perform a rapid search for what it
believes to be a truthful response could reasonably be construed as a
legitimate response, if indeed this instance was an attack on that
particular client. Indeed, to do otherwise would be to permit the DNS to
remain an untrustable source of information. However, in this situation of
slippage of synchronized key state between client and server, the effect is
both local failure and the generation of excess load on external
servers-and if this situation is allowed to become a common state, it has
the potential to broaden the failure state to a more general DNS service
failure through load saturation of critical DNS servers.
This aspect of a qualitative change of the DNS is unavoidable, and it
places a strong imperative on DNS operations and the community of the 5
million current and uncountable future DNS resolvers to understand that
"set and forget" is not the intended mode of operation of DNSSEC-equipped
clients.
The last paragraph is particularly worrisome. One would guess that a few
years down the road, most clients will be DNSSEC-equipped. And most will
be in the hands of users who know nothing about key rollover,
amplification, DoS, or, for that matter, DNS or DNSSEC. It will be up to
the vendors and distributors to ensure that the "forget" part of "set and
forget" doesn't
happen. It is not hard to
envision some kind of nasty apocalypse lurking for DNSSEC if that's not the
case.
Comments (10 posted)
Brief items
Yay
Brazil!. They're making it illegal to use DRM to prevent
"fair dealing" with copyrighted works, or access to works which are in the
public domain. It's also legal to "crack" DRM if you're only doing it for
the purpose of "fair dealing".
-- David
Woodhouse
For years we've been bombarded with scare stories about terrorists wanting to shut the Internet down. They're mostly fairy tales, but they're scary precisely because the Internet is so critical to so many things.
Why would we want to terrorize our own population by doing exactly what we
don't want anyone else to do? And a national emergency is precisely the
worst time to do it.
-- Bruce
Schneier on the "internet kill switch"
Comments (1 posted)
New vulnerabilities
abrt: unnecessary setuid
| Package(s): | abrt |
CVE #(s): | |
| Created: | July 8, 2010 |
Updated: | July 14, 2010 |
| Description: |
From the MeeGo advisory:
The file /usr/libexec/abrt-hook-python is setuid as the abrt user.
As there is no explicit reason to be setuid as the abrt user, this
violates best known practices for security; specifically by not using
the principles of least privilege and unintentionally expanding the
attackable surface area of MeeGo.
|
| Alerts: |
|
Comments (none posted)
cups: multiple vulnerabilities
| Package(s): | cups |
CVE #(s): | CVE-2010-2431
CVE-2010-2432
|
| Created: | July 8, 2010 |
Updated: | October 10, 2011 |
| Description: |
From the Pardus advisory:
CVE-2010-2431:
The cupsFileOpen function in CUPS before 1.4.4 allows local users, with
lp group membership, to overwrite arbitrary files via a symlink attack
on the (1) /var/cache/cups/remote.cache or (2) /var/cache/cups/job.cache
file.
CVE-2010-2432:
The cupsDoAuthentication function in auth.c in the client in CUPS before
1.4.4, when HAVE_GSSAPI is omitted, does not properly handle a demand
for authorization, which allows remote CUPS servers to cause a denial of
service (infinite loop) via HTTP_UNAUTHORIZED responses.
|
| Alerts: |
|
Comments (none posted)
ghostscript: multiple vulnerabilities
| Package(s): | ghostscript |
CVE #(s): | CVE-2009-4270
CVE-2009-4897
CVE-2010-1628
|
| Created: | July 14, 2010 |
Updated: | August 19, 2010 |
| Description: |
From the Ubuntu advisory:
David Srbecky discovered that Ghostscript incorrectly handled debug
logging. If a user or automated system were tricked into opening a crafted
PDF file, an attacker could cause a denial of service or execute arbitrary
code with privileges of the user invoking the program. (CVE-2009-4270)
It was discovered that Ghostscript incorrectly handled certain malformed
files. If a user or automated system were tricked into opening a crafted
Postscript or PDF file, an attacker could cause a denial of service or
execute arbitrary code with privileges of the user invoking the program. (CVE-2009-4897)
Dan Rosenberg discovered that Ghostscript incorrectly handled certain
recursive Postscript files. If a user or automated system were tricked into
opening a crafted Postscript file, an attacker could cause a denial of
service or execute arbitrary code with privileges of the user invoking the
program. (CVE-2010-1628)
|
| Alerts: |
|
Comments (none posted)
gnomine: unnecessary setgid
| Package(s): | gnomine |
CVE #(s): | |
| Created: | July 8, 2010 |
Updated: | July 15, 2010 |
| Description: |
From the MeeGo advisory:
The /usr/bin/gnomine binary is setgid for the games group. There is
no explicit reason to be setgid and this violates best known practices
for security; specifically by not using the prinicples of least
privilege and unintentionally expanding the attackable surface area of
MeeGo.
|
| Alerts: |
|
Comments (2 posted)
gv: multiple vulnerabilities
| Package(s): | gv |
CVE #(s): | CVE-2010-2055
CVE-2010-2056
|
| Created: | July 9, 2010 |
Updated: | February 6, 2012 |
| Description: |
From the Red Hat bugzilla:
a deficiency in the way gv handled temporary file creation,
when used for opening Portable Document Format (PDF) files.
A local attacker could use this flaw to conduct symlink attacks,
potentially leading to denial of service (un-athorized overwrite
of file content). (CVE-2010-2056)
From the Red Hat bugzilla:
A security flaw was found in the way gs handled its initialization:
1, certain files in current working directory were honored at startup,
2, explicit use of "-P-" command line option, did not prevent
ghostscript from execution of PostScript commands, contained
within "gs_init.ps" file.
A local attacker could use this flaw to execute arbitrary PostScript
commands, if the victim was tricked into opening a PostScript file
in the directory of attacker's intent. (CVE-2010-2055)
|
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel kernel-pae |
CVE #(s): | CVE-2010-1641
CVE-2010-2071
CVE-2010-2066
|
| Created: | July 8, 2010 |
Updated: | March 8, 2011 |
| Description: |
From the Pardus advisory:
CVE-2010-1641:
The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel
before 2.6.34-git10 does not verify the ownership of a file, which
allows local users to bypass intended access restrictions via a SETFLAGS
ioctl request.
CVE-2010-2071:
The btrfs_xattr_set_acl function in fs/btrfs/acl.c in btrfs in the Linux
kernel 2.6.34 and earlier does not check file ownership before setting
an ACL, which allows local users to bypass file permissions by setting
arbitrary ACLs, as demonstrated using setfacl.
CVE-2010-2066:
If the donor file is an append-only file, we should not allow the
operation to proceed, lest we end up overwriting the contents of an
append-only file.
|
| Alerts: |
|
Comments (1 posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2010-2478
CVE-2010-2495
|
| Created: | July 9, 2010 |
Updated: | March 28, 2011 |
| Description: |
From the Red Hat bugzilla:
On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer overflow and the buffer may be smaller than needed. Since ETHTOOL_GRXCLSRLALL is
unprivileged, this can presumably be used for at least denial of service. (CVE-2010-2478)
From the Red Hat bugzilla:
When transmitting L2TP frames, we derive the outgoing interface's UDP checksum
hardware assist capabilities from the tunnel dst dev. This can sometimes be
NULL, especially when routing protocols are used and routing changes occur.
This patch just checks for NULL dst or dev pointers when checking for netdev
hardware assist features. (CVE-2010-2495)
|
| Alerts: |
|
Comments (none posted)
libmikmod: arbitrary code execution
| Package(s): | libmikmod |
CVE #(s): | CVE-2009-3996
|
| Created: | July 8, 2010 |
Updated: | October 11, 2010 |
| Description: |
From the MeeGo advisory:
Heap-based buffer overflow in IN_MOD.DLL (aka the Module Decoder
Plug-in) in Winamp before 5.57, and libmikmod 3.1.12, might allow
remote attackers to execute arbitrary code via an Ultratracker file.
|
| Alerts: |
|
Comments (none posted)
libtiff: denial of service
| Package(s): | libtiff |
CVE #(s): | CVE-2010-2598
|
| Created: | July 8, 2010 |
Updated: | March 15, 2011 |
| Description: |
From the Red Hat advisory:
An input validation flaw was discovered in libtiff. An attacker could use
this flaw to create a specially-crafted TIFF file that, when opened, would
cause an application linked against libtiff to crash. (CVE-2010-2598)
|
| Alerts: |
|
Comments (none posted)
libtiff: multiple denial of service flaws
| Package(s): | libtiff |
CVE #(s): | CVE-2010-2481
CVE-2010-2483
CVE-2010-2595
CVE-2010-2597
|
| Created: | July 8, 2010 |
Updated: | March 15, 2011 |
| Description: |
From the Red Hat advisory:
Multiple input validation flaws were discovered in libtiff. An attacker
could use these flaws to create a specially-crafted TIFF file that, when
opened, would cause an application linked against libtiff to crash.
(CVE-2010-2481, CVE-2010-2483, CVE-2010-2595, CVE-2010-2597)
|
| Alerts: |
|
Comments (none posted)
opera: multiple vulnerabilities
| Package(s): | opera |
CVE #(s): | CVE-2010-0653
CVE-2010-1993
|
| Created: | July 14, 2010 |
Updated: | August 2, 2010 |
| Description: |
From the openSUSE advisory:
CVE-2010-0653: Opera permits
cross-origin loading of CSS style sheets even when the
style sheet download has an incorrect MIME type and the
style sheet document is malformed, which allows remote HTTP
servers to obtain sensitive information via a crafted
document.
CVE-2010-1993: Opera 9.52 does not properly handle an
IFRAME element with a mailto: URL in its SRC attribute,
which allows remote attackers to cause a denial of service
(resource consumption) via an HTML document with many
IFRAME elements.
|
| Alerts: |
|
Comments (none posted)
pam: local root privilege escalation
| Package(s): | pam |
CVE #(s): | CVE-2010-0832
|
| Created: | July 8, 2010 |
Updated: | October 26, 2010 |
| Description: |
From the Ubuntu advisory:
Denis Excoffier discovered that the PAM MOTD module in Ubuntu did
not correctly handle path permissions when creating user file stamps.
A local attacker could exploit this to gain root privilieges.
|
| Alerts: |
|
Comments (none posted)
python-cjson: denial of service
| Package(s): | python-cjson |
CVE #(s): | CVE-2010-1666
|
| Created: | July 12, 2010 |
Updated: | July 21, 2010 |
| Description: |
From the Debian advisory:
Matt Giuca discovered a buffer overflow in python-cjson, a fast JSON
encoder/decoder for Python.
This allows a remote attacker to cause a denial of service (application crash)
through a specially-crafted Python script.
|
| Alerts: |
|
Comments (none posted)
python-mako: cross-site scripting
| Package(s): | python-mako |
CVE #(s): | CVE-2010-2480
|
| Created: | July 8, 2010 |
Updated: | September 29, 2010 |
| Description: |
From the Fedora advisory:
Fix potential single-quoting XSS vulnerability.
|
| Alerts: |
|
Comments (none posted)
qt: multiple vulnerabilities
| Package(s): | qt webkit |
CVE #(s): | CVE-2009-2841
CVE-2010-1766
CVE-2010-1772
CVE-2010-1773
|
| Created: | July 13, 2010 |
Updated: | March 2, 2011 |
| Description: |
From the Red Hat bugzilla:
A security flaw was found in the way WebKit used to handle media elements
(audio and video tags). A remote attacker could provide a specially-crafted
document, requesting loading of sub-resources (such as remote URLs),
which would be normally disallowed by the callback function(s). (CVE-2009-2841)
From the Red Hat bugzilla:
An off by one memory corruption issue exists in
WebSocketHandshake::readServerHandshake(). This issue is addressed by improved bounds checking. (CVE-2010-1766)
From the Red Hat bugzilla:
A use after free issue exists in WebKit's handling of geolocation events.
Visiting a maliciously crafted website may lead to an unexpected application
termination or arbitrary code execution. This issue is addressed through
improved handing of geolocation events. (CVE-2010-1772)
From the Red Hat bugzilla:
An off by one memory read out of bounds issue exists in WebKit's handling of HTML lists. Visiting a maliciously crafted website may lead to an unexpected application termination or the disclosure of the contents of memory. This issue is addressed through improved bounds checking. (CVE-2010-1773)
|
| Alerts: |
|
Comments (none posted)
scsi-target-utils: denial of service
| Package(s): | scsi-target-utils |
CVE #(s): | CVE-2010-2221
|
| Created: | July 8, 2010 |
Updated: | June 21, 2011 |
| Description: |
From the Red Hat advisory:
Multiple buffer overflow flaws were found in scsi-target-utils' tgtd
daemon. A remote attacker could trigger these flaws by sending a
carefully-crafted Internet Storage Name Service (iSNS) request, causing the
tgtd daemon to crash. (CVE-2010-2221)
|
| Alerts: |
|
Comments (none posted)
w3m: man-in-the-middle attack
| Package(s): | w3m |
CVE #(s): | CVE-2010-2074
|
| Created: | July 9, 2010 |
Updated: | October 19, 2012 |
| Description: |
From the CVE entry:
istream.c in w3m 0.5.2 and possibly other versions, when ssl_verify_server is enabled, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. |
| Alerts: |
|
Comments (none posted)
znc: denial of service
| Package(s): | znc |
CVE #(s): | CVE-2010-2448
|
| Created: | July 12, 2010 |
Updated: | July 14, 2010 |
| Description: |
From the Debian advisory:
It was discovered that znc, an IRC bouncer, is vulnerable to denial
of service attacks via a NULL pointer dereference when traffic
statistics are requested while there is an unauthenticated connection.
|
| Alerts: |
|
Comments (none posted)
Page editor: Jake Edge
Next page: Kernel development>>
|
|
|