By Jonathan Corbet
October 19, 2010
A quick search of the CVE database turns up 80 CVE numbers related to kernel
vulnerabilities so far this year. At one recent conference or another,
while talking with a prominent kernel developer, your editor
confessed that he found that number to be discouragingly high. In an era
of clearly increasing commercial, criminal, and governmental interest in
exploiting security holes, it is hard to imagine doing too much to avoid
creating vulnerabilities. But, your editor
wondered, could we be doing more than we are? The response your editor got
was, in essence, that the
bulk of the holes being disclosed were ancient vulnerabilities which were
being discovered by new static analysis tools. In other words, we are
fixing security problems faster than we are creating them.
That sort of claim requires verification; it is also amenable to being
verified by a researcher with sufficient determination and pain
resistance. Your editor decided to give it a try. "All" that would be
required, after all, was to look at each vulnerability and figure out when
it was introduced. How hard could that be?
So, the basic process followed was this: pick a CVE entry, find the patch
which closed the hole, then dig through the repository history and other
resources in an attempt to figure out just when the problem was first
introduced into the kernel. In some cases, the answer was relatively easy
to find; others were sufficiently hard that your editor eventually gave up.
One especially valuable resource in the search turned out to be the Red Hat
bugzilla; the developers there (and Eugene Teo in particular) go out of
their way to document the particulars of vulnerabilities. Sometimes, the
commit which introduced the bug was simply listed there. The "git gui
blame" utility is also quite useful when doing this kind of research.
About 60 of the 80 vulnerabilities listed above were dealt with in this way
before your editor's eyes crossed permanently. The results can be seen in
the following table. Let it be said from the outset that there will
inevitably be some errors in the data below; the most likely mistake will
be assigning blame to a commit which actually just moved the vulnerability
from somewhere else. That may lead to a bias that makes vulnerabilities
look more recent than they really are. That said, a best effort has been
made, and things should not be too far off.
Some other notes relevant to the table:
- No attempt was made to find the origin of vulnerabilities which were
present in the initial commit which began the git era during the
2.6.12 development cycle. Anything which was already present then can
certainly be said to be an old bug.
- Some parts of the code have been changed so many times that it can be
truly hard to determine when a vulnerability was introduced; places
where your editor gave up are marked as "unknown" in the table. One could
maybe come up with a real answer by bisecting and trying exploits, but
your editor's dedication to the task was not quite that strong.
- A couple of these bugs are old in a different way - CVE-2010-1188
was fixed in 2008, but was only understood to be a security issue in
2010. Anybody running a current kernel would not be vulnerable, but
bugs like this can be nicely preserved in enterprise kernels for many
years.
Looking at when the vulnerabilities were introduced yields a chart like
this:
So, in a sense, the above-mentioned kernel hacker was correct - an awful
lot of the vulnerabilities fixed over the last year predate the git era,
and are thus over five years
old. It seems that security bugs can lurk in the kernel for a very long
time before somebody stumbles across them - or, at least, before somebody
reports them.
According to the information above, we have fixed dozens of vulnerabilities
since 2.6.33 without introducing any. The latter
part of that claim might be charitably described as being unlikely to stand
the test of time. There were (at least) 13 vulnerabilities fixed in the
2.6.35 cycle, 21 in the 2.6.36 cycle. We can hope that fewer
vulnerabilities were added in that time; it seems certain, though, that
(1) the number of vulnerabilities added will not be zero, and
(2) it will probably take us five years or more to find many of
them.
There may be some comfort in knowing that a large proportion of 2010's known
security vulnerabilities are not a product of 2010's development. Indeed,
assuming that a fair number of the old vulnerabilities are a bit older yet,
one can also claim that they are not a product of the "new" kernel
development model adopted in the early 2.6 days. That claim
could be tested by extending this research back into the BitKeeper era;
that is a task for a future project.
Your editor remains concerned, though, that it is too easy to put
insecure code into the kernel and too hard to discover the vulnerabilities
that are created. Analysis tools can help, but there really is no
substitute for painstaking and meticulous code review when it comes to
keeping vulnerabilities out of the kernel. At times, it is clear that the
amount of review being done is not what it should be.
There may well come a day when we'll wish we had found a
way to be a bit more careful.
Brief items
PinDr0p exploits artifacts left on call audio by the voice networks
themselves. For example, VoIP calls tend to experience packet loss:
split-second interruptions in audio that are too small for the human ear to
detect. Likewise, cellular and public switched telephone networks (PSTNs)
leave a distinctive type of noise on calls that pass through them. Phone
calls today often pass through multiple VoIP, cellular and PSTN networks,
and call data is either not transferred or transferred without verification
across the networks. Using the call audio, PinDr0p employs a series of
algorithms to detect and analyze call artifacts, then determines a call's
provenance (the path it takes to get to a recipient's phone) with at least
90 percent accuracy and, given enough comparative information, even 100
percent accuracy.
-- Georgia Tech reports on recent research
The recent CVE-2010-2961 mountall vulnerability got a nice write-up by xorl
today. I've seen a few public exploits for it, but those that I've seen,
including the one in xorl's post, miss a rather important point: udev events
can be triggered by regular users without any hardware fiddling. While the
bug that kept udev from running inotify correctly on the /dev/.udev/rules.d
directory during initial boot kept this vulnerability exposure pretty well
minimized, the fact that udev events can be triggered at will made it pretty
bad too. If udev had already been restarted, an attacker didn't have to wait
at all, nor have physical access to the system.
While it is generally understood that udev events are related to hardware,
it's important to keep in mind that it also sends events on module loads,
and module loads can happen on demand from unprivileged users. For example,
say you want to send an X.25 packet, when you call socket(AF_X25,
SOCK_STREAM), the kernel will go load net-pf-9, which modules.alias lists
as the x25 module. And once loaded, udev sends a "module" event.
-- Kees Cook with a useful reminder
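As an added example (not code from Kees Cook's post, udev or the kernel), the following C program shows the mechanism the reminder above describes: an unprivileged socket() call for a protocol family that lives in a module makes the kernel request the "net-pf-<family>" alias, and the module load, with the uevent udev turns into a "module" event, happens inside that socket() call. The family names and numbers come from <sys/socket.h>; the probe list is constructed for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* The module alias the kernel passes to request_module() when socket()
 * is called for a family that has no registered handler. */
const char *family_alias(int family)
{
    static char buf[32];
    snprintf(buf, sizeof buf, "net-pf-%d", family);
    return buf;
}

/* 1: a socket was created, so the family is built in or was just
 *    autoloaded (the load and its uevent happened inside socket());
 * 0: the kernel reports the family or socket type as unavailable;
 * -1: something else, e.g. EPERM from seccomp or a missing capability. */
int probe_family(int family, int type)
{
    int fd = socket(family, type, 0);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    switch (errno) {
    case EAFNOSUPPORT:
    case EPROTONOSUPPORT:
    case ESOCKTNOSUPPORT:
    case EINVAL:
        return 0;
    default:
        return -1;
    }
}

int main(void)
{
    /* Constructed probe list: AF_X25 (family 9) is the case from the post;
     * AF_INET is a built-in control that succeeds outside a sandbox. */
    static const struct { int family; int type; const char *name; } probes[] = {
        { AF_INET, SOCK_DGRAM,     "AF_INET" },
        { AF_X25,  SOCK_SEQPACKET, "AF_X25"  },
        { AF_IPX,  SOCK_DGRAM,     "AF_IPX"  },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int r = probe_family(probes[i].family, probes[i].type);
        int saved = errno;
        printf("%-8s (%s): %s\n", probes[i].name,
               family_alias(probes[i].family),
               r == 1 ? "socket created: family built in or module now loaded" :
               r == 0 ? "family not available on this kernel" :
                        strerror(saved));
    }
    return 0;
}
```

Run it with `udevadm monitor` in a second terminal, or compare `lsmod` before and after, to watch the module appear; `strace -e trace=socket` shows the calls themselves. Which probes succeed depends on which modules the system ships, and in a container or under a seccomp filter the call may fail with EPERM, which the function reports as -1 rather than as "unavailable". The usual way to keep a family out of reach of unprivileged users is an `install <module> /bin/true` line in /etc/modprobe.d, which makes the autoload request fail.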
TaintDroid is an Android firmware
modification which can track and report on application activity; needless
to say, the results with some applications can be surprising.
The code is now available for
anybody wanting to build their own TaintDroid system. For the time being,
though, installing it does not appear to be a simple or straightforward
task.
There is a local-root kernel vulnerability
in the RDS protocol implementation. See this VSR
advisory for more information. So far, only Ubuntu has issued an
update for this problem.
Tavis Ormandy has reported
a flaw in GNU libc that can be exploited by local users to gain root
privileges. No distributions (other than the soon-to-be-released Fedora
14) have put out an update as yet.
New vulnerabilities
ardour: insecure library loading
Package(s): ardour
CVE #(s): CVE-2010-3349
Created: October 15, 2010
Updated: October 20, 2010
Description:
From the Red Hat bugzilla:
The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an
environment variable used by ld.so(8) to look for libraries in directories
other than the standard paths. When there is an empty item in the
colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a
'.' (current working directory). If the given script is executed from a
directory where a local attacker could write files, there is a chance for
exploitation.
gnome-subtitles: code execution
Package(s): gnome-subtitles
CVE #(s): CVE-2010-3357
Created: October 14, 2010
Updated: October 20, 2010
Description:
From the Red Hat bugzilla entry:
The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an
environment variable used by ld.so(8) to look for libraries in directories
other than the standard paths. When there is an empty item in the
colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a
'.' (current working directory). If the given script is executed from a
directory where a local attacker could write files, there is a chance for
exploitation.
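The ardour and gnome-subtitles entries above describe the same bug class. As an added example (not the wrapper code of either package), the following C program parses LD_LIBRARY_PATH the way the description says ld.so(8) does, counting the empty elements that become searches of the current directory, and puts the unsafe prepend pattern next to a hardened one. The directory /opt/app/lib and the input values are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Number of empty elements in a colon-separated search path.  glibc's
 * ld.so treats each one as "." (the current working directory); a
 * LD_LIBRARY_PATH that is set but entirely empty is ignored, so it is
 * not counted. */
int empty_path_elements(const char *path)
{
    int empties = 0;
    if (path == NULL || *path == '\0')
        return 0;
    for (const char *p = path;; ) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0)
            empties++;
        if (colon == NULL)
            break;
        p = colon + 1;
    }
    return empties;
}

/* The pattern in the affected wrappers, expressed in C: the separator and
 * the old value are always appended, so an unset or empty variable yields
 * "dir:" and a trailing empty element. */
int prepend_unsafe(char *out, size_t len, const char *dir, const char *old)
{
    return snprintf(out, len, "%s:%s", dir, old ? old : "");
}

/* Hardened form: add the separator only when there is something to
 * separate.  The shell equivalent is
 *   LD_LIBRARY_PATH="$dir${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"  */
int prepend_safe(char *out, size_t len, const char *dir, const char *old)
{
    if (old && *old)
        return snprintf(out, len, "%s:%s", dir, old);
    return snprintf(out, len, "%s", dir);
}

/* How many cwd searches a wrapper would introduce for a given old value. */
int empties_after_prepend(int hardened, const char *dir, const char *old)
{
    char buf[1024];
    if (hardened)
        prepend_safe(buf, sizeof buf, dir, old);
    else
        prepend_unsafe(buf, sizeof buf, dir, old);
    return empty_path_elements(buf);
}

int main(void)
{
    /* Constructed inputs; /opt/app/lib is a hypothetical private library
     * directory, not a path from either package. */
    const char *dir = "/opt/app/lib";
    const char *cases[] = { NULL, "", "/usr/local/lib" };
    char buf[1024];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        prepend_unsafe(buf, sizeof buf, dir, cases[i]);
        printf("old=%-15s unsafe=\"%s\" -> %d cwd search(es)\n",
               cases[i] ? cases[i] : "(unset)", buf, empty_path_elements(buf));
        prepend_safe(buf, sizeof buf, dir, cases[i]);
        printf("%-19s safe=\"%s\" -> %d cwd search(es)\n",
               "", buf, empty_path_elements(buf));
    }
    return 0;
}
```

The check is worth running against any wrapper script's resulting environment, not just these two: a leading or trailing colon, or a double colon anywhere, means a library lookup in whatever directory the program happens to be started from.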
java-1.6.0-openjdk: multiple vulnerabilities
Package(s): java-1.6.0-openjdk
CVE #(s): CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3551,
CVE-2010-3553, CVE-2010-3554, CVE-2010-3557, CVE-2010-3561, CVE-2010-3562,
CVE-2010-3564, CVE-2010-3565, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569,
CVE-2010-3573, CVE-2010-3574, CVE-2010-3566
Created: October 14, 2010
Updated: May 3, 2011
Description:
From the Red Hat advisory:
defaultReadObject of the Serialization API could be tricked into setting a
volatile field multiple times, which could allow a remote attacker to
execute arbitrary code with the privileges of the user running the applet
or application. (CVE-2010-3569)
Race condition in the way objects were deserialized could allow an
untrusted applet or application to misuse the privileges of the user
running the applet or application. (CVE-2010-3568)
Miscalculation in the OpenType font rendering implementation caused
out-of-bounds memory access, which could allow remote attackers to execute
code with the privileges of the user running the java process.
(CVE-2010-3567)
JPEGImageWriter.writeImage in the imageio API improperly checked certain
image metadata, which could allow a remote attacker to execute arbitrary
code in the context of the user running the applet or application.
(CVE-2010-3565)
Double free in IndexColorModel could cause an untrusted applet or
application to crash or, possibly, execute arbitrary code with the
privileges of the user running the applet or application. (CVE-2010-3562)
The privileged accept method of the ServerSocket class in the Common Object
Request Broker Architecture (CORBA) implementation in OpenJDK allowed it to
receive connections from any host, instead of just the host of the current
connection. An attacker could use this flaw to bypass restrictions defined
by network permissions. (CVE-2010-3561)
Flaws in the Swing library could allow an untrusted application to modify
the behavior and state of certain JDK classes. (CVE-2010-3557)
Flaws in the CORBA implementation could allow an attacker to execute
arbitrary code by misusing permissions granted to certain system objects.
(CVE-2010-3554)
UIDefault.ProxyLazyValue had unsafe reflection usage, allowing untrusted
callers to create objects via ProxyLazyValue values. (CVE-2010-3553)
HttpURLConnection improperly handled the "chunked" transfer encoding
method, which could allow remote attackers to conduct HTTP response
splitting attacks. (CVE-2010-3549)
HttpURLConnection improperly checked whether the calling code was granted
the "allowHttpTrace" permission, allowing untrusted code to create HTTP
TRACE requests. (CVE-2010-3574)
HttpURLConnection did not validate request headers set by applets, which
could allow remote attackers to trigger actions otherwise restricted to
HTTP clients. (CVE-2010-3541, CVE-2010-3573)
The Kerberos implementation improperly checked the sanity of AP-REQ
requests, which could cause a denial of service condition in the receiving
Java Virtual Machine. (CVE-2010-3564)
The NetworkInterface class improperly checked the network "connect"
permissions for local network addresses, which could allow remote attackers
to read local network addresses. (CVE-2010-3551)
Information leak flaw in the Java Naming and Directory Interface (JNDI)
could allow a remote attacker to access information about
otherwise-protected internal network names. (CVE-2010-3548)
java-1.6.0-sun: multiple unspecified vulnerabilities
Package(s): java-1.6.0-sun
CVE #(s): CVE-2010-3550, CVE-2010-3552, CVE-2010-3555, CVE-2010-3556,
CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3563, CVE-2010-3570,
CVE-2010-3571, CVE-2010-3572
Created: October 14, 2010
Updated: March 22, 2011
Description:
From the Red Hat advisory:
CVE-2010-3550 JDK unspecified vulnerability in Java Web Start component
CVE-2010-3552 JDK unspecified vulnerability in New Java Plugin component
CVE-2010-3555 JDK unspecified vulnerability in Deployment component
CVE-2010-3556 JDK unspecified vulnerability in 2D component
CVE-2010-3558 JDK unspecified vulnerability in Java Web Start component
CVE-2010-3559 JDK unspecified vulnerability in Sound component
CVE-2010-3560 JDK unspecified vulnerability in Networking component
CVE-2010-3563 JDK unspecified vulnerability in Deployment component
CVE-2010-3570 JDK unspecified vulnerability in Deployment Toolkit
CVE-2010-3571 JDK unspecified vulnerability in 2D component
CVE-2010-3572 JDK unspecified vulnerability in Sound component
kernel: information leak
Package(s): kernel
CVE #(s): CVE-2010-3477
Created: October 20, 2010
Updated: March 28, 2011
Description:
The kernel's networking code fails to fully initialize a structure which is then passed back to user space, thus leaking a few bytes of kernel data.
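To make the bug class behind CVE-2010-3477 concrete, here is an added example (not the kernel's networking code and not the fix) that reproduces the pattern in user space: a structure whose named fields are all assigned but whose compiler padding is never written, then handed out whole. The struct layout and the 0xAA "stale" marker are constructed for the illustration; in the kernel the stale bytes would be whatever the stack or slab held last.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: one byte, then padding up to the 4-byte alignment
 * of len, then a 2-byte field followed by tail padding. */
struct reply {
    uint8_t  flags;
    uint32_t len;
    uint16_t port;
};

#define STALE 0xAA   /* stands in for whatever was in the memory before */

/* Storage whose previous contents we control, correctly aligned. */
union reply_mem {
    struct reply r;
    unsigned char raw[sizeof(struct reply)];
};

/* Bytes of the struct that belong to no named field: compiler padding.
 * Field-by-field assignment never touches them. */
size_t padding_bytes(void)
{
    return sizeof(struct reply) - sizeof(uint8_t) - sizeof(uint32_t) - sizeof(uint16_t);
}

/* Count bytes that still hold the stale marker after "filling" the struct;
 * these are exactly the bytes a copy_to_user() of the whole object leaks. */
static size_t stale_bytes(const union reply_mem *m)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof m->raw; i++)
        if (m->raw[i] == STALE)
            n++;
    return n;
}

/* Leaky pattern: assign every named field, copy the whole struct out. */
size_t fill_leaky(void)
{
    union reply_mem m;
    memset(m.raw, STALE, sizeof m.raw);   /* leftovers from a previous use */
    m.r.flags = 1;
    m.r.len = 16;
    m.r.port = 0;
    return stale_bytes(&m);
}

/* Fixed pattern: zero the whole object before filling its fields, so the
 * padding reaches user space as zeros. */
size_t fill_fixed(void)
{
    union reply_mem m;
    memset(m.raw, STALE, sizeof m.raw);
    memset(&m.r, 0, sizeof m.r);
    m.r.flags = 1;
    m.r.len = 16;
    m.r.port = 0;
    return stale_bytes(&m);
}

int main(void)
{
    printf("sizeof(struct reply) = %zu, padding = %zu bytes\n",
           sizeof(struct reply), padding_bytes());
    printf("stale bytes copied out, leaky version: %zu\n", fill_leaky());
    printf("stale bytes copied out, fixed version: %zu\n", fill_fixed());
    return 0;
}
```

fill_leaky() returns the number of padding bytes the compiler inserted (five for this layout on the usual 32- and 64-bit ABIs), which is what a copy of the whole structure would hand back to the caller even though every named field was set; fill_fixed() returns zero. Zeroing the object before use (memset(), or an allocation with kzalloc()) is the usual kernel-side fix; assigning each named field is not enough, because padding is not a named field.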
kernel: privilege escalation
Package(s): kernel
CVE #(s): CVE-2010-2963
Created: October 20, 2010
Updated: May 10, 2011
Description:
A failure to properly validate parameters in the Video4Linux1 compatibility interface can enable a local user to obtain root privileges. This vulnerability apparently only affects 64-bit systems.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2010-3432
Created: October 20, 2010
Updated: March 28, 2011
Description:
The SCTP networking code fails to properly handle the appending of packet chunks, leading to a remotely-triggerable system crash (at least).
kernel: information leak
Package(s): kernel
CVE #(s): CVE-2010-3437
Created: October 20, 2010
Updated: April 21, 2011
Description:
The CD driver fails to check parameters properly, allowing a local attacker to read arbitrary kernel memory.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2010-3442
Created: October 20, 2010
Updated: March 28, 2011
Description:
The sound subsystem fails to properly validate system call parameters, enabling local attackers to crash the system (at least). Only 32-bit systems are affected by this bug.
kernel: remote denial of service
Package(s): kernel
CVE #(s): CVE-2010-3705
Created: October 20, 2010
Updated: April 28, 2011
Description:
The SCTP networking code does not properly handle HMAC calculations, enabling a remote attacker to crash the system (or worse) through specially-crafted traffic.
kernel: local privilege escalation
Package(s): kernel
CVE #(s): CVE-2010-3904
Created: October 20, 2010
Updated: May 10, 2011
Description:
The RDS network protocol fails to validate user-space addresses, allowing a local attacker to write arbitrary values into kernel memory. See this advisory for more information.
Mozilla products: multiple vulnerabilities
MRG Messaging: multiple vulnerabilities
Package(s): MRG Messaging
CVE #(s): CVE-2009-5005, CVE-2009-5006
Created: October 14, 2010
Updated: October 20, 2010
Description:
From the Red Hat advisory:
A flaw was found in the way Apache Qpid handled the receipt of invalid AMQP
data. A remote user could send invalid AMQP data to the server, causing it
to crash, resulting in the cluster shutting down. (CVE-2009-5005)
A flaw was found in the way Apache Qpid handled a request to redeclare an
existing exchange while adding a new alternate exchange. If a remote,
authenticated user issued such a request, the server would crash, resulting
in the cluster shutting down. (CVE-2009-5006)
opera: multiple vulnerabilities
Package(s): opera
CVE #(s): (none listed)
Created: October 15, 2010
Updated: October 20, 2010
Description:
Opera 10.63 is a recommended upgrade offering security and stability enhancements. See the Opera release notes for details.
php-pear-CAS: multiple vulnerabilities
Package(s): php-pear-CAS
CVE #(s): CVE-2010-3690, CVE-2010-3691, CVE-2010-3692
Created: October 19, 2010
Updated: February 23, 2011
Description:
From the CVE entries:
Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before 1.1.3, when proxy mode is enabled, allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket IOU (PGTiou) parameter to the callback function in client.php, (2) vectors involving functions that make getCallbackURL calls, or (3) vectors involving functions that make getURL calls. (CVE-2010-3690)
PGTStorage/pgt-file.php in phpCAS before 1.1.3, when proxy mode is enabled, allows local users to overwrite arbitrary files via a symlink attack on an unspecified file. (CVE-2010-3691)
Directory traversal vulnerability in the callback function in client.php in phpCAS before 1.1.3, when proxy mode is enabled, allows remote attackers to create or overwrite arbitrary files via directory traversal sequences in a Proxy Granting Ticket IOU (PGTiou) parameter. (CVE-2010-3692)
poppler: memory corruption
Package(s): poppler
CVE #(s): CVE-2010-3703
Created: October 19, 2010
Updated: December 24, 2010
Description:
From the Red Hat bugzilla:
poppler git commit bf2055088a corrects a possible use of an uninitialized
pointer in PostScriptFunction, which can cause crash or memory corruption.
typo3: multiple vulnerabilities
Package(s): typo3
CVE #(s): CVE-2010-3714, CVE-2010-3715, CVE-2010-3716, CVE-2010-3717
Created: October 20, 2010
Updated: October 20, 2010
Description:
The typo3 content management system suffers from multiple vulnerabilities, including remote file disclosure (CVE-2010-3714), cross-site scripting (CVE-2010-3715), privilege escalation (CVE-2010-3716), and denial of service (CVE-2010-3717).
webkitgtk: multiple vulnerabilities
Package(s): webkitgtk
CVE #(s): CVE-2010-3113, CVE-2010-1814, CVE-2010-1812, CVE-2010-1815,
CVE-2010-3115, CVE-2010-1807, CVE-2010-3114, CVE-2010-3116, CVE-2010-3257,
CVE-2010-3259
Created: October 19, 2010
Updated: March 2, 2011
Description:
From the Fedora advisory:
Bug #628032 - CVE-2010-3113 webkit: memory corruption when handling SVG documents
Bug #631946 - CVE-2010-1814 webkit: memory corruption flaw when handling form menus
Bug #631939 - CVE-2010-1812 webkit: use-after-free flaw in handling of selections
Bug #631948 - CVE-2010-1815 webkit: use-after-free flaw when handling scrollbars
Bug #628071 - CVE-2010-3115 webkit: address bar spoofing with history bug
Bug #627703 - CVE-2010-1807 webkit: input validation error when parsing certain NaN values
Bug #628035 - CVE-2010-3114 webkit: bad cast with text editing
Bug #640353 - CVE-2010-3116 webkit: memory corruption with MIME types
Bug #640357 - CVE-2010-3257 webkit: stale pointer issue with focusing
Bug #640360 - CVE-2010-3259 webkit: cross-origin image theft
Page editor: Jake Edge