LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

Default "secrets"

By Jake Edge
January 5, 2011

One of the simplest principles of cryptography is that the secret keys which are used for encryption must be kept, well, secret. Exposing the key to anyone other than the intended recipient of the message can pretty obviously lead to a compromise of the encrypted data. So, for example, hardcoding a secret key into a firmware image is unlikely to lead to secure communications using that key. Unfortunately, networking device makers—and the creators of free software firmware replacements for those devices—seem to have missed, or ignored, this basic principle.

The problem stems from the SSL keys that are installed into the firmware images for the devices. In many cases, those keys—including the supposedly private key—are generated when the image is built and then flashed into hundreds or thousands of different devices. If one can get access to the private SSL key, traffic encrypted with it (which might include HTTPS or VPN traffic) can be trivially decrypted. As the announcement of the LittleBlackBox project describes, it is, unfortunately, rather easy to obtain said keys; in fact the project provides a database of thousands of private keys indexed by their public key.

In practical terms, that means an attacker can access a vulnerable SSL-protected web site, retrieve the public key certificate, look up the corresponding private key, and decrypt any traffic that is sent or received by the web site. An attacker could also do a man-in-the-middle attack by pretending to be the site in question, as there would be no way to determine that the spoofer wasn't the real site. In order to do either of those things, though, the attacker must get access to the encrypted data stream.

Open, or weakly secured, wireless networks are the easiest way for an attacker to get that access—or to become a man in the middle. As the concerns over Firesheep have shown, there is still a lot of traffic that travels unencrypted over wireless networks. Ironically, HTTPS is touted as a solution to that problem, but that only works if the private keys are kept secret. For the web applications targeted by Firesheep, that is not likely to be a problem, as their private keys were presumably generated individually and kept safe. But for others who might be using wireless networks to configure their routers—or connect to another network via VPN—it could be a much bigger problem.

While reconfiguring your router from the local coffee shop may be a pretty rare event, even having the HTTPS-enabled web server available over the internet gives an attacker the ability to retrieve the public key, which can then be looked up in the LittleBlackBox database. If that SSL key is used for other things like VPN—something that might well be used at an open WiFi hotspot—that traffic is at risk as well. The right solution seems clear: don't supply default "secrets". In some ways, this problem parallels the longstanding, but hopefully improving, situation with default administrative passwords.

Device manufacturers and firmware projects should not be shipping SSL keys and either generate them at "first boot" or provide a way for users to generate and upload their own keys. There are a few different reasons that it isn't always done that way today, from concerns over devices having enough entropy to generate a random key to the amount of time it can take to generate a key on a slow CPU, but those reasons aren't really offset by the damage that could be done. Users who enable HTTPS access to their devices do so with the idea that it will be more secure, and can be used in places where unencrypted communication doesn't make sense.

There are also hurdles to overcome in either creating a key for each device (and/or firmware image) or providing instructions for users but, once again, that really doesn't help users that are relying on the device for secure communications. While some in the DD-WRT community don't see it as a big problem it is likely more serious than they are crediting. It would make far more sense to disable HTTPS access entirely—perhaps requiring a manual process to generate keys and enable that access—than it does to provide well-known keys.

While the problem highlighted by LittleBlackBox isn't earth-shattering, it does show the sometimes cavalier attitude towards security that is shown by some in the embedded device arena. When you are selling (or providing) a device or firmware that is meant to secure someone's network, it makes sense to proceed carefully. And to keep secrets, secret.

Comments (33 posted)

Brief items

Security quotes of the week

The bankers also fret that "future research, which may potentially be more damaging, may also be published in this level of detail". Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that's been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!
-- Ross Anderson after a bankers' trade association tried to quash some Chip-and-PIN research

Of course, in addition to the "green" advantages of this technology, there are privacy implications. Even without your consent, the electric company and the water company are permitted to continuously measure your use of electricity and water; taken to the extreme, this monitoring alone could tell them exactly when you use each and every device in your house.
-- Andrew Appel on research that can identify the signatures of electronic and water-based (e.g. sink, toilet) devices

Did you notice that? A two-terabyte rainbow table. A few years ago, that kind of storage was largely theoretical. Now it's both cheap and portable.
-- Bruce Schneier on GSM decryption

Comments (none posted)

Breaking GSM With a $15 Phone … Plus Smarts (Wired)

Wired's Threat Level blog looks at a GSM cellphone eavesdropping demonstration made at the recent Chaos Computer Club Congress in Berlin. "As part of this background communication, GSM networks send out strings of identifying information, as well as essentially empty "Are you there?" messages. Empty space in these messages is filled with buffer bytes. Although a new GSM standard was put in place several years ago to turn these buffers into random bytes, they in fact remain largely identical today, under a much older standard. [...] This allows the researchers to predict with a high degree of probability the plain-text content of these encrypted system messages. This, combined with a two-terabyte table of precomputed encryption keys (a so-called rainbow table), allows a cracking program to discover the secret key to the session’s encryption in about 20 seconds."

Comments (none posted)

Bareil: Linux Security, one year later...

Nicolas Bareil looks at GNU/Linux security in 2010. "Bug #1: Disabling frontier: The kernel has to validate each user-provided pointer to check if it is coming from user or kernel space. This is done by access_ok() with a simple comparison of the address against a limit (XXX). Sometimes, the kernel needs to use function which are normally designed to be called by userspace, and as such, theses functions checks the provenance of the pointer... which is embarrassing because the kernel only provides kernel pointers. So the kernel goes evil and cheats by manipulating the boundary via set_fs() in order to make access_ok() always successful. At this moment and until the kernel undoes its boundary manipulation, there is no protection against NULL pointer dereference attack." (Thanks to Patrick Guignot)

Comments (none posted)

Spengler: False Boundaries and Arbitrary Code Execution

Brad Spengler has posted a review of Linux capabilities and how they can be leveraged for full root privileges on the grsecurity blog. In short, 20 of the 35 capabilities bits allow actions that can result in root privileges from an exploitable program. "As mentioned earlier, there are 35 capabilities currently implemented. I'll now discuss each capability that is effectively equal to root and a rough description of how each transition is made. I will try to make a distinction between cases that are generally applicable and those that are situational. Since we've already established that real uid 0 is equivalent to having full capabilities on any normal system, I'll assume we're a non-root user with only the mentioned capability raised." (Thanks to Dan Carpenter.)

Comments (45 posted)

New vulnerabilities

dbus: denial of service

Package(s):dbus CVE #(s):CVE-2010-4352
Created:December 27, 2010 Updated:May 3, 2011
Description: From the Red Hat bugzilla:

A stack overflow flaw was found in the way the D-BUS message bus service / messaging facility validated messages with excessive number of nested variants. A local, authenticated user could use this flaw to cause dbus daemon to crash (denial of service) via a specially-crafted message sent to the system bus.

Alerts:
Gentoo 201110-14 2011-10-21
CentOS CESA-2011:0376 2011-04-14
Fedora FEDORA-2010-19178 2010-12-22
SUSE SUSE-SR:2011:008 2011-05-03
Red Hat RHSA-2011:0376-01 2011-03-22
openSUSE openSUSE-SU-2011:0401-1 2011-04-28
SUSE SUSE-SR:2011:004 2011-02-22
Pardus 2011-30 2011-02-12
Ubuntu USN-1044-1 2011-01-18
Debian DSA-2149-1 2011-01-20
Fedora FEDORA-2010-19166 2010-12-21
openSUSE openSUSE-SU-2012:1418-1 2012-10-31

Comments (none posted)

drupal-views: cross-site scripting

Package(s):drupal-views CVE #(s):
Created:January 4, 2011 Updated:January 5, 2011
Description: From the Drupal advisory:

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented. Under certain circumstances, Views could display parts of the page path without escaping, resulting in a relected Cross Site Scripting (XSS) vulnerability. An attacker could exploit this to gain full administrative access.

Alerts:
Fedora FEDORA-2010-18927 2010-12-17
Fedora FEDORA-2010-19009 2010-12-17

Comments (none posted)

eclipse: cross-site scripting

Package(s):eclipse CVE #(s):CVE-2010-4647
Created:December 27, 2010 Updated:May 19, 2011
Description: From the Red Hat bugzilla:

It was reported that the Eclipse Help Contents were vulnerable to Cross Site Scripting vulnerabilities in the /help/index.jsp and /help/advanced/content.jsp URLs that are served by the built-in Jetty Web Server plugin.

Alerts:
Mandriva MDVSA-2011:032 2011-02-20
Red Hat RHSA-2011:0568-01 2011-05-19
Fedora FEDORA-2010-18990 2010-12-17
Fedora FEDORA-2010-19006 2010-12-17

Comments (none posted)

evince: arbitrary code execution

Package(s):evince CVE #(s):CVE-2010-2640 CVE-2010-2641 CVE-2010-2642 CVE-2010-2643
Created:January 5, 2011 Updated:January 30, 2012
Description: From the Ubuntu advisory:

Jon Larimer discovered that Evince's font parsers incorrectly handled certain buffer lengths when rendering a DVI file. By tricking a user into opening or previewing a DVI file that uses a specially crafted font file, an attacker could crash evince or execute arbitrary code with the user's privileges.

Alerts:
Debian DSA-2357-1 2011-12-03
Gentoo 201111-10 2011-11-20
SUSE SUSE-SR:2011:005 2011-04-01
openSUSE openSUSE-SU-2011:0140-1 2011-02-28
SUSE SUSE-SR:2011:002 2011-01-25
Mandriva MDVSA-2011:016 2011-01-21
Fedora FEDORA-2011-0224 2011-01-07
Fedora FEDORA-2011-0208 2011-01-07
Red Hat RHSA-2011:0009-01 2011-01-06
Ubuntu USN-1035-1 2011-01-05
Mandriva MDVSA-2011:017 2011-01-21
openSUSE openSUSE-SU-2011:0045-1 2011-01-19
Mandriva MDVSA-2011:005 2011-01-13
Debian DSA-2388-1 2012-01-14
Ubuntu USN-1335-1 2012-01-19
Oracle ELSA-2012-0062 2012-01-25
Red Hat RHSA-2012:0062-01 2012-01-24
Scientific Linux SL-t1li-20120125 2012-01-25
Fedora FEDORA-2012-0289 2012-01-28
Fedora FEDORA-2012-0266 2012-01-28
CentOS CESA-2012:0062 2012-01-30
Red Hat RHSA-2012:0137-01 2012-02-15
Scientific Linux SL-texl-20120215 2012-02-15
CentOS CESA-2012:0137 2012-02-16
Oracle ELSA-2012-0137 2012-02-15
Slackware SSA:2012-228-01 2012-08-15
Red Hat RHSA-2012:1201-01 2012-08-23
CentOS CESA-2012:1201 2012-08-23
Oracle ELSA-2012-1201 2012-08-23
Scientific Linux SL-tete-20120823 2012-08-23
Mandriva MDVSA-2012:144 2012-08-28

Comments (none posted)

gif2png: arbitrary code execution

Package(s):gif2png CVE #(s):CVE-2009-5018
Created:January 5, 2011 Updated:January 17, 2011
Description: From the Gentoo advisory:

gif2png contains a command line parsing vulnerability that may result in a stack overflow due to an unexpectedly long input filename.

A remote attacker could entice a user to open a specially crafted image, possibly resulting in the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. Note that applications relying on gif2png to process images can also trigger the vulnerability.

Alerts:
Gentoo 201101-01 2011-01-05
Mandriva MDVSA-2011:009 2011-01-14

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2010-4347 CVE-2010-4258 CVE-2010-4165 CVE-2010-4175 CVE-2010-4163
Created:January 3, 2011 Updated:August 9, 2011
Description: From the openSUSE advisory:

CVE-2010-4347: A local user could inject ACPI code into the kernel via the world-writable "custom_debug" file, allowing local privilege escalation.

CVE-2010-4258: A local attacker could use a Oops (kernel crash) caused by other flaws to write a 0 byte to a attacker controlled address in the kernel. This could lead to privilege escalation together with other issues.

CVE-2010-4165: The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel did not properly restrict TCP_MAXSEG (aka MSS) values, which allows local users to cause a denial of service (OOPS) via a setsockopt call that specifies a small value, leading to a divide-by-zero error or incorrect use of a signed integer.

CVE-2010-4175: A local attacker could cause memory overruns in the RDS protocol stack, potentially crashing the kernel. So far it is considered not to be exploitable.

CVE-2010-4163: By submitting certain I/O requests with 0 length, a local user could have caused a kernel panic.

Alerts:
Ubuntu USN-1204-1 2011-09-13
Ubuntu USN-1202-1 2011-09-13
Ubuntu USN-1187-1 2011-08-09
Ubuntu USN-1186-1 2011-08-09
Ubuntu USN-1167-1 2011-07-13
Ubuntu USN-1164-1 2011-07-06
SUSE SUSE-SA:2011:017 2011-04-18
openSUSE openSUSE-SU-2011:0346-1 2011-04-18
Ubuntu USN-1105-1 2011-04-05
Ubuntu USN-1111-1 2011-05-05
Ubuntu USN-1093-1 2011-03-25
Ubuntu USN-1092-1 2011-03-25
SUSE SUSE-SA:2011:015 2011-03-24
Ubuntu USN-1090-1 2011-03-18
Ubuntu USN-1089-1 2011-03-18
Mandriva MDVSA-2011:051 2011-03-18
Red Hat RHSA-2011:0330-01 2011-03-10
Ubuntu USN-1086-1 2011-03-08
Fedora FEDORA-2011-2134 2011-02-24
Ubuntu USN-1119-1 2011-04-20
SUSE SUSE-SA:2011:012 2011-03-08
Ubuntu USN-1083-1 2011-03-03
Ubuntu USN-1074-2 2011-02-28
Ubuntu USN-1074-1 2011-02-25
Ubuntu USN-1073-1 2011-02-25
Red Hat RHSA-2011:0283-01 2011-02-22
Mandriva MDVSA-2011:029 2011-02-17
SUSE SUSE-SA:2011:008 2011-02-11
Fedora FEDORA-2011-1138 2011-02-07
openSUSE openSUSE-SU-2011:0399-1 2011-04-28
SUSE SUSE-SA:2011:007 2011-02-07
Ubuntu USN-1054-1 2011-02-01
Debian DSA-2153-1 2011-01-30
CentOS CESA-2011:0162 2011-01-27
Red Hat RHSA-2011:0162-01 2011-01-18
SUSE SUSE-SA:2011:004 2011-01-14
Red Hat RHSA-2011:0007-01 2011-01-11
SUSE SUSE-SA:2011:005 2011-01-25
openSUSE openSUSE-SU-2011:0048-1 2011-01-19
openSUSE openSUSE-SU-2011:0003-1 2011-01-03
openSUSE openSUSE-SU-2011:0004-1 2011-01-03
Red Hat RHSA-2011:0017-01 2011-01-13
openSUSE openSUSE-SU-2013:0927-1 2013-06-10

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2010-3699 CVE-2010-4161 CVE-2010-4242 CVE-2010-4247
Created:January 4, 2011 Updated:July 15, 2011
Description: From the Red Hat advisory:

* A flaw was found in the Xenbus code for the unified block-device I/O interface back end. A privileged guest user could use this flaw to cause a denial of service on the host system running the Xen hypervisor. (CVE-2010-3699)

* The fix for Red Hat Bugzilla bug 484590 as provided in RHSA-2009:1243 introduced a regression. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4161)

* A NULL pointer dereference flaw was found in the Bluetooth HCI UART driver in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4242)

* It was found that a malicious guest running on the Xen hypervisor could place invalid data in the memory that the guest shared with the blkback and blktap back-end drivers, resulting in a denial of service on the host system. (CVE-2010-4247)

Alerts:
Ubuntu USN-1204-1 2011-09-13
Ubuntu USN-1202-1 2011-09-13
Ubuntu USN-1170-1 2011-07-15
SUSE SUSE-SA:2011:017 2011-04-18
openSUSE openSUSE-SU-2011:0346-1 2011-04-18
Ubuntu USN-1105-1 2011-04-05
Ubuntu USN-1092-1 2011-03-25
SUSE SUSE-SA:2011:015 2011-03-24
Ubuntu USN-1089-1 2011-03-18
Red Hat RHSA-2011:0330-01 2011-03-10
SUSE SUSE-SA:2011:012 2011-03-08
Ubuntu USN-1072-1 2011-02-25
SUSE SUSE-SA:2011:008 2011-02-11
openSUSE openSUSE-SU-2011:0399-1 2011-04-28
Debian DSA-2153-1 2011-01-30
CentOS CESA-2011:0162 2011-01-27
SUSE SUSE-SA:2011:005 2011-01-25
Red Hat RHSA-2011:0162-01 2011-01-18
Red Hat RHSA-2011:0007-01 2011-01-11
CentOS CESA-2011:0004 2011-01-06
Red Hat RHSA-2011:0004-01 2011-01-04
openSUSE openSUSE-SU-2013:0927-1 2013-06-10

Comments (none posted)

libwmf: multiple vulnerabilities

Package(s):libwmf CVE #(s):CVE-2007-0455 CVE-2007-3472 CVE-2007-3473 CVE-2007-3474 CVE-2007-3475 CVE-2007-3476 CVE-2007-3477 CVE-2007-3478
Created:January 5, 2011 Updated:January 5, 2011
Description: From the Red Hat advisory:

libwmf embeds an old version of gd (2.0.1beta) which has a number of vulnerabilities associated with it.

CVE-2007-0455 CVE-2007-3472 CVE-2007-3473 CVE-2007-3474 CVE-2007-3475 CVE-2007-3476 CVE-2007-3477 CVE-2007-3478

Cursory inspection of one of the patch diffs shows that no patches have been applied to libwmf.

Alerts:
Fedora FEDORA-2010-19022 2010-12-17
Fedora FEDORA-2010-19033 2010-12-17

Comments (none posted)

libxml2: arbitrary code execution

Package(s):libxml2 CVE #(s):CVE-2010-4494
Created:December 27, 2010 Updated:April 15, 2011
Description: From the Debian advisory:

Yang Dingning discovered a double free in libxml's Xpath processing, which might allow the execution of arbitrary code.

Alerts:
Scientific Linux SL-libx-20111206 2011-12-06
Red Hat RHSA-2011:1749-03 2011-12-06
Gentoo 201110-26 2011-10-26
Fedora FEDORA-2011-2699 2011-03-05
SUSE SUSE-SR:2011:005 2011-04-01
openSUSE openSUSE-SU-2011:0255-1 2011-03-31
Fedora FEDORA-2011-2697 2011-03-05
Mandriva MDVSA-2010:260 2010-12-29
Debian DSA-2137-1 2010-12-26
Red Hat RHSA-2013:0217-01 2013-01-31
CentOS CESA-2013:0217 2013-02-01
Oracle ELSA-2013-0217 2013-02-01
Scientific Linux SL-ming-20130201 2013-02-01

Comments (none posted)

mantis: multiple vulnerabilities

Package(s):mantis CVE #(s):CVE-2010-3763 CVE-2010-4348 CVE-2010-4349 CVE-2010-4350
Created:January 3, 2011 Updated:November 9, 2012
Description: From the Red Hat bugzilla entry:

Cross-site scripting (XSS) vulnerability in core/summary_api.php in MantisBT before 1.2.3 allows remote attackers to inject arbitrary web script or HTML via the Summary field, a different vector than CVE-2010-3303. (CVE-2010-3763)

From the Red Hat bugzilla entry:

The MantisBT project was notified by Gjoko Krstic of Zero Science Lab (gjoko@zeroscience.mk) of multiple vulnerabilities affecting MantisBT <1.2.4.

The two following advisories have been released explaining the vulnerabilities in greater detail:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4984.php (CVE-2010-4348, CVE-2010-4349, CVE-2010-4350)

Alerts:
Fedora FEDORA-2010-19070 2010-12-19
Fedora FEDORA-2010-19078 2010-12-19
Gentoo 201211-01 2012-11-08

Comments (none posted)

opensc: arbitrary code execution

Package(s):opensc CVE #(s):CVE-2010-4523
Created:January 4, 2011 Updated:January 25, 2011
Description: From the Red Hat bugzilla:

Three stack-based buffer overflow flaws were found in the way OpenSC device drivers for A-Trust ACOS, ACS ACOS5 and STARCOS SPK 2.3 based smart cards processed certain values of card serial number. A local attacker could use this flaw to execute arbitrary code, with the privileges of the user running the opesc-tool or opensc-explorer binaries via a malicious smart card, with specially-crafted value of its serial number, inserted to the system.

Alerts:
SUSE SUSE-SR:2011:002 2011-01-25
Mandriva MDVSA-2011:011 2011-01-15
openSUSE openSUSE-SU-2011:0049-1 2011-01-19
Fedora FEDORA-2010-19193 2010-12-22
Fedora FEDORA-2010-19192 2010-12-22

Comments (none posted)

perl-IO-Socket-SSL: denial of service

Package(s):perl-IO-Socket-SSL CVE #(s):CVE-2010-4334
Created:December 27, 2010 Updated:May 18, 2011
Description: From the Red Hat bugzilla:

A Debian bug report indicated that using the IO::Socket::SSL perl module, if the verify_mode were set to 0x03 (verify peer, fail verification if no peer certificate exists), that the requests were removed unless either the ca_file or ca_path were supplied. This means that IO::Socket::SSL "fails open" if the user forgets to supply information about an acceptable set of trusted CAs, rather than "failing closed" (denying access by default, rather than allowing it).

Alerts:
Mandriva MDVSA-2011:092 2011-05-18
Fedora FEDORA-2010-19054 2010-12-18
Fedora FEDORA-2010-19058 2010-12-18

Comments (none posted)

phpmyadmin: multiple vulnerabilities

Package(s):phpmyadmin CVE #(s):CVE-2010-4480 CVE-2010-4481
Created:December 31, 2010 Updated:March 30, 2011
Description: From the Debian advisory:

Cross site scripting was possible in errors, that allowed a remote attacker to inject arbitrary web script or HTML. (CVE-2010-4480)

Display of PHP's phpinfo() function was available to world, but only if this functionality had been enabled (defaults to off). This may leak some information about the host system. (CVE-2010-4481)

Alerts:
Fedora FEDORA-2011-3737 2011-03-21
Fedora FEDORA-2011-3733 2011-03-21
Pardus 2011-19 2011-01-31
Mandriva MDVSA-2011:000 2011-01-05
Debian DSA-2139-1 2010-12-31

Comments (none posted)

wordpress: SQL injection

Package(s):wordpress CVE #(s):CVE-2010-4257
Created:December 29, 2010 Updated:January 10, 2011
Description:

From the Debian advisory:

Vladimir Kolesnikov discovered a SQL injection vulnerability in wordpress, a weblog manager. An authenticated users could execute arbitrary SQL commands via the Send Trackbacks field.

Alerts:
Fedora FEDORA-2010-19330 2010-12-31
Fedora FEDORA-2010-19329 2010-12-31
Fedora FEDORA-2010-19290 2010-12-29
Fedora FEDORA-2010-19296 2010-12-29
Debian DSA-2138-1 2010-12-29

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds