LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

The future of vendor-sec

By Jake Edge
March 9, 2011

There is a certain amount of irony in the news that the vendor-sec mailing list—along with the server that distributes it—was compromised. Vendor-sec is the closed mailing list that is used by developers of Linux distributions along with members of the BSD development community ("vendors" by some definition) to discuss security problems before they are made public. So a compromise of the mailing list could easily lead to security issues made "public" well before fixes were available—an attacker's dream scenario.

How exactly the server was compromised is not clear, but a short time after the announcement of the server compromise and closing the backdoor that was being used, the attacker returned. Vendor-sec moderator Marcus Meissner reported some five hours later that "the attacker read this [the announcement] and reentered the lst.de machine, went amok and destroyed the machine's installation. The machine has now been shutdown.". The break-in was noticed a week or so before the announcement, which seems like somewhat tardy notice to those who might be posting to vendor-sec, but, worse yet, the best guess for when the original break-in occurred is January 20—more than a month earlier.

During that time—possibly longer—the attacker could have been reading the "secret" traffic on the list. Vendor-sec is nominally used to coordinate response between the participants, and to embargo information about the vulnerabilities until all are ready with a fix. Obviously, an embargo is not likely to be observed by an attacker. But it's certainly not at all clear that vendor-sec was leakproof prior to the break-in.

According to Meissner's announcement, there are 80-100 people signed up for vendor-sec, so expecting that there are no leaks may be overly optimistic. Even if all of the participants maintain the secrecy, though, the messages were sent in the clear so they could be intercepted along the way, dug out of inboxes by system administrators, or snagged from unattended mail clients. Since at least January 20, of course, someone didn't even need to do any of those, which started Meissner thinking about whether a closed list like vendor-sec is even really needed any more, and if it is, what changes might need to be made. So he threw that out for discussion.

The consensus seems to be that there is value in the closed list, but that leaks should probably be expected—hopefully not from attackers, but via list members by mistake, inattention, or, possibly, malfeasance. Meissner has asked Alexander Peslyak (aka Solar Designer), who runs the oss-security list and is the leader of the Openwall Linux distribution, to take over vendor-sec, and part of that might mean that the messages start being encrypted with GPG. That would stop some of the potential leak sources, but obviously not all. But there were also questions about whether the list should be split up and, if so, how.

Solar Designer suggested splitting the list up into three different lists, one each for Linux, BSD, and security researchers. The idea would be that subscribers would get less mail that isn't relevant to their interest area, but others thought that was unnecessarily complicating things. As Eugene Teo put it: "I think it is more effective to have just one mailing list like before that everyone can remember."

There is discussion of having oCERT (Open Source Computer Emergency Response Team) host a vendor-sec-style mailing list. oCERT already has verified contacts that could be used to disseminate non-public security information to various projects as needed. Andrea Barisani, oCERT project coordinator is open to such an arrangement, though it would likely require more team members to handle the workload. It could turn into a lot of additional work as Barisani describes:

This is a simplified approach compared to what we do now, which is contacting project maintainers first, negotiating embargo as well as requesting a patch that we can verify and relay to vendors, spread the patch to affected parties along with embargo information and coordinate disclosure. This is a time-consuming process that worked very well with oCERT because the number of reports was limited, it helped solving complex bugs or vulnerabilities that affected a large number of projects.

I think we can continue to do this for selected cases but it would be hard to scale enough to support this "tailored" approach for every single report if we expand our visibility, additionally I think everyone would favour less extra process as pointed out already.

So far, no real decisions have been made. Some kind of vendor-sec list seems to be useful, but whether it stays a single list, and where and how it will be hosted are up in the air. Even though few are arguing that vendor-sec should go away, there was some interesting data from Mark J. Cox about the trends of reports to vendor-sec. Over time, it would seem that the number of issues being reported first to vendor-sec have dropped significantly.

Cox keeps track of how the Red Hat security team first finds out about vulnerabilities, and the data suggests that the importance of vendor-sec for that purpose is diminishing. In 2008, 69 issues were found first on vendor-sec, but by 2010 that had dropped to 29. According to Cox, 29 represents just 4% of the total number of vulnerabilities fixed. In addition, the severity level of those problems first reported to vendor-sec were not as high as some expected: "Of the flaws we rated impact critical or with a CVSS [Common Vulnerability Scoring System] of 'high', only 4 were from that 29 from vendor-sec."

There may come a time when vendor-sec (or whatever it becomes) is no longer needed, but we seemingly haven't reached that point yet. There are times when coordinating a fix (and establishing a CRD, coordinated release date) is important to protect end-users from severe, non-public vulnerabilities. While "full disclosure" is preferred by some, others are sold on "responsible disclosure"; as long as that's the case, lists like vendor-sec will need to be available to help orchestrate those releases.

Comments (4 posted)

Brief items

Security quotes of the week

It's completely impossible to write a secure application in PHP. Deploying mod_php is the Internet equivalent of a "BIKERS SUCK" bumper sticker, as HBGary found out.
-- Dave Aitel (Thanks to Buck Huppmann.)

So my question is this: how can Debian honestly argue that they take security very seriously? It looks like it takes ages to get something done, which is usually not a big deal when talking about new features, but is definitely a problem when talking about security.
-- Frédéric Buclin

The Freedom Box project will succeed or fail on whether it works "without sysadmin". If only trained sysadmins can figure out how to be free, the society won't be free. It's like the early days of the telephone, when they couldn't figure how to scale up the system without having every third person be a trained "Operator". Make the system operate itself. That's where the biggest amount of technical work needs to go. And not just in software -- though that's a very good start -- but in hardware and in user experience design. When millions can buy it and plug it in without training, then millions can be freed from central servers and central surveillance. Not before.
-- John Gilmore

Comments (7 posted)

An Android security update from Google

Google has posted an advisory on the recent malware distributed through the Android market and how the company is responding. "We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices." It's worth noting that the exploit used known vulnerabilities in older versions of Android; there is little in the advisory about closing those holes before they are exploited.

Comments (15 posted)

Vendor-sec host compromised, shut down

The vendor-sec list is where distributors discuss security problems which have not yet been disclosed to the public. It turns out that the machine which hosts this list was compromised, probably in January, and any subsequent traffic was not as secret as participants may have hoped. Since the announcement, the machine has been totally vandalized by the attacker, and vendor-sec is down. The thread is interesting to read; much of it concerns whether the community still needs a closed list like vendor-sec or not.

Full Story (comments: 4)

New vulnerabilities

dtc: multiple vulnerabilities

Package(s):dtc CVE #(s):CVE-2011-0434 CVE-2011-0435 CVE-2011-0436 CVE-2011-0437
Created:March 3, 2011 Updated:March 9, 2011
Description:

From the Debian advisory:

CVE-2011-0434: The bw_per_moth.php graph contains an SQL injection vulnerability.

CVE-2011-0435: Insufficient checks in bw_per_month.php can lead to bandwidth usage information disclosure.

CVE-2011-0436: After a registration, passwords are sent in cleartext email messages.

CVE-2011-0437: Authenticated users could delete accounts using an obsolete interface which was incorrectly included in the package.

Alerts:
Debian DSA-2179-1 2011-03-02

Comments (none posted)

kernel: privilege escalation

Package(s):linux-ec2 CVE #(s):CVE-2011-1044
Created:March 3, 2011 Updated:August 9, 2011
Description:

From the Ubuntu advisory:

Dan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2011-1044)

Alerts:
Ubuntu USN-1204-1 2011-09-13
Ubuntu USN-1202-1 2011-09-13
Ubuntu USN-1187-1 2011-08-09
Ubuntu USN-1186-1 2011-08-09
Scientific Linux SL-kern-20110715 2011-07-15
CentOS CESA-2011:0927 2011-07-18
Red Hat RHSA-2011:0927-01 2011-07-15
Ubuntu USN-1167-1 2011-07-13
Ubuntu USN-1093-1 2011-03-25
Red Hat RHSA-2011:0330-01 2011-03-10
Fedora FEDORA-2011-2134 2011-02-24
Ubuntu USN-1080-2 2011-03-02
Red Hat RHSA-2011:0498-01 2011-05-10
SUSE SUSE-SU-2012:1391-1 2012-10-24

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2010-4076 CVE-2010-4650 CVE-2011-0006 CVE-2011-0710 CVE-2011-0711 CVE-2011-0712
Created:March 8, 2011 Updated:August 9, 2011
Description: From the SUSE advisory:

CVE-2010-4076: The rs_ioctl function in drivers/char/amiserial.c in the Linux kernel did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

CVE-2010-4650: Fixed a verify_ioctl overflow in "cuse" in the fuse filesystem. The code should only be called by root users though.

CVE-2011-0006: Fixed a LSM bug in IMA (Integrity Measuring Architecture). IMA is not enabled in SUSE kernels, so we were not affected.

CVE-2011-0710: The task_show_regs function in arch/s390/kernel/traps.c in the Linux kernel on the s390 platform allowed local users to obtain the values of the registers of an arbitrary process by reading a status file under /proc/.

CVE-2011-0711: A stack memory information leak in the xfs FSGEOMETRY_V1 ioctl was fixed.

CVE-2011-0712: Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel might have allowed attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.

Alerts:
Ubuntu USN-1218-1 2011-09-29
Ubuntu USN-1216-1 2011-09-26
Debian DSA-2310-1 2011-09-22
Ubuntu USN-1208-1 2011-09-14
Ubuntu USN-1204-1 2011-09-13
Ubuntu USN-1203-1 2011-09-13
Ubuntu USN-1202-1 2011-09-13
Ubuntu USN-1187-1 2011-08-09
Ubuntu USN-1186-1 2011-08-09
Scientific Linux SL-kern-20110715 2011-07-15
CentOS CESA-2011:0927 2011-07-18
Ubuntu USN-1170-1 2011-07-15
Red Hat RHSA-2011:0927-01 2011-07-15
Ubuntu USN-1167-1 2011-07-13
Ubuntu USN-1159-1 2011-07-13
Ubuntu USN-1162-1 2011-06-29
Ubuntu USN-1164-1 2011-07-06
Ubuntu USN-1183-1 2011-08-03
Ubuntu USN-1160-1 2011-06-28
Debian DSA-2264-1 2011-06-18
Ubuntu USN-1146-1 2011-06-09
Ubuntu USN-1141-1 2011-05-31
Debian DSA-2240-1 2011-05-24
Ubuntu USN-1133-1 2011-05-24
SUSE SUSE-SA:2011:017 2011-04-18
openSUSE openSUSE-SU-2011:0346-1 2011-04-18
CentOS CESA-2011:0429 2011-04-14
Red Hat RHSA-2011:0429-01 2011-04-12
Red Hat RHSA-2011:0421-01 2011-04-07
Ubuntu USN-1105-1 2011-04-05
SUSE SUSE-SA:2011:019 2011-04-28
Ubuntu USN-1093-1 2011-03-25
Ubuntu USN-1092-1 2011-03-25
SUSE SUSE-SA:2011:015 2011-03-24
Ubuntu USN-1090-1 2011-03-18
Ubuntu USN-1089-1 2011-03-18
Red Hat RHSA-2011:0500-01 2011-05-10
openSUSE openSUSE-SU-2011:0416-1 2011-04-29
Ubuntu USN-1086-1 2011-03-08
Fedora FEDORA-2011-2134 2011-02-24
SUSE SUSE-SA:2011:012 2011-03-08
Red Hat RHSA-2011:0498-01 2011-05-10
openSUSE openSUSE-SU-2011:0399-1 2011-04-28
Ubuntu USN-1394-1 2012-03-07

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2011-0714
Created:March 9, 2011 Updated:March 9, 2011
Description: The kernel's RPC server socket implementation contains a use-after-free flaw which can be exploited to cause a kernel oops.
Alerts:
Red Hat RHSA-2011:0329-01 2011-03-08

Comments (none posted)

libcgroup: multiple vulnerabilities

Package(s):libcgroup CVE #(s):CVE-2011-1006 CVE-2011-1022
Created:March 4, 2011 Updated:May 27, 2011
Description: From the Red Hat advisory:

A heap-based buffer overflow flaw was found in the way libcgroup converted a list of user-provided controllers for a particular task into an array of strings. A local attacker could use this flaw to escalate their privileges via a specially-crafted list of controllers. (CVE-2011-1006)

It was discovered that libcgroup did not properly check the origin of Netlink messages. A local attacker could use this flaw to send crafted Netlink messages to the cgrulesengd daemon, causing it to put processes into one or more existing control groups, based on the attacker's choosing, possibly allowing the particular tasks to run with more resources (memory, CPU, etc.) than originally intended. (CVE-2011-1022)

Alerts:
Fedora FEDORA-2011-2570 2011-03-04
SUSE SUSE-SR:2011:007 2011-04-19
Pardus 2011-64 2011-04-07
openSUSE openSUSE-SU-2011:0316-1 2011-04-08
Fedora FEDORA-2011-2631 2011-03-04
Debian DSA-2193-1 2011-03-16
Red Hat RHSA-2011:0320-01 2011-03-03

Comments (none posted)

libtiff: code execution

Package(s):libtiff CVE #(s):CVE-2011-0192
Created:March 3, 2011 Updated:June 27, 2011
Description:

From the Red Hat advisory:

A heap-based buffer overflow flaw was found in the way libtiff processed certain TIFF Internet Fax image files, compressed with the CCITT Group 4 compression algorithm. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code. (CVE-2011-0192)

Alerts:
Debian DSA-2210-2 2011-06-25
CentOS CESA-2011:0392 2011-04-14
CentOS CESA-2011:0318 2011-04-14
Slackware SSA:2011-098-01 2011-04-12
Fedora FEDORA-2011-3827 2011-03-22
Debian DSA-2210-1 2011-04-03
SUSE SUSE-SR:2011:005 2011-04-01
CentOS CESA-2011:0392 2011-03-31
SUSE SUSE-SR:2011:009 2011-05-17
Fedora FEDORA-2011-2540 2011-03-03
Mandriva MDVSA-2011:043 2011-03-08
Ubuntu USN-1085-1 2011-03-07
Pardus 2011-55 2011-03-04
CentOS CESA-2011:0318 2011-03-02
Red Hat RHSA-2011:0318-01 2011-03-02
Oracle ELSA-2012-0468 2012-04-12
Gentoo 201209-02 2012-09-23

Comments (none posted)

moin: cross-site scripting

Package(s):moin CVE #(s):CVE-2011-1058
Created:March 7, 2011 Updated:October 10, 2011
Description: From the CVE entry:

Cross-site scripting (XSS) vulnerability in the reStructuredText (rst) parser in parser/text_rst.py in MoinMoin before 1.9.3, when docutils is installed or when "format rst" is set, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in the refuri attribute. NOTE: some of these details are obtained from third party information.

Alerts:
Debian DSA-2321-1 2011-10-10
Fedora FEDORA-2011-2157 2011-02-25
Fedora FEDORA-2011-2156 2011-02-25
Ubuntu USN-1604-1 2012-10-11
Gentoo 201210-02 2012-10-18

Comments (none posted)

moodle: multiple vulnerabilities

Package(s):moodle CVE #(s):
Created:March 4, 2011 Updated:June 16, 2011
Description: From the Moodle release notes:
  • MSA-11-0002 - Cross-site request forgery vulnerability in RSS block
  • MSA-11-0003 - Cross-site scripting vulnerability in tag autocomplete
  • MSA-11-0008 - IMS enterprise enrollment file may disclose sensitive information
Alerts:
Debian DSA-2262-1 2011-06-15
Fedora FEDORA-2011-2100 2011-02-24
Fedora FEDORA-2011-2101 2011-02-24

Comments (none posted)

proftpd: denial of service

Package(s):proftpd-dfsg proftpd CVE #(s):CVE-2011-1137
Created:March 9, 2011 Updated:April 18, 2011
Description: The proftpd FTP daemon suffers from an integer overflow in its SFTP module, enabling a denial of service attack.
Alerts:
Fedora FEDORA-2011-5033 2011-04-08
Fedora FEDORA-2011-5040 2011-04-08
Slackware SSA:2011-095-01 2011-04-05
Debian DSA-2185-1 2011-03-07

Comments (none posted)

pywebdav: SQL injection

Package(s):pywebdav CVE #(s):CVE-2011-0432
Created:March 3, 2011 Updated:March 10, 2011
Description:

From the Debian advisory:

It was discovered that python-webdav, a WebDAV server implementation, contains several SQL injection vulnerabilities in the processing of user credentials.

Alerts:
Fedora FEDORA-2011-2470 2011-03-02
Fedora FEDORA-2011-2460 2011-03-02
Debian DSA-2177-1 2011-03-02

Comments (none posted)

rubygem-actionpack: cross-site scripting/request forgery

Package(s):rubygem-actionpack CVE #(s):CVE-2011-0446 CVE-2011-0447
Created:March 7, 2011 Updated:September 7, 2011
Description: From the CVE entries:

Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value. (CVE-2011-0446)

Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696. (CVE-2011-0447)

Alerts:
openSUSE openSUSE-SU-2011:1305-1 2011-12-07
Debian DSA-2247-1 2011-05-31
Fedora FEDORA-2011-2138 2011-02-24
Fedora FEDORA-2011-2133 2011-02-24

Comments (none posted)

scsi-target-utils: denial of service

Package(s):scsi-target-utils CVE #(s):CVE-2011-0001
Created:March 9, 2011 Updated:July 12, 2011
Description: The tgtd daemon in the scsi-target-utils package contains a double-free flaw which can be exploited to force a crash.
Alerts:
Fedora FEDORA-2011-8930 2011-07-01
Fedora FEDORA-2011-8890 2011-06-30
Ubuntu USN-1156-1 2011-06-21
CentOS CESA-2011:0332 2011-04-14
Debian DSA-2209-1 2011-04-02
SUSE SUSE-SR:2011:009 2011-05-17
Red Hat RHSA-2011:0332-01 2011-03-09

Comments (none posted)

seamonkey: arbitrary code execution

Package(s):iceape, seamonkey CVE #(s):CVE-2010-0056
Created:March 4, 2011 Updated:March 21, 2011
Description: From the Debian advisory:

Christian Holler discovered buffer overflows in the Javascript engine, which could allow the execution of arbitrary code.

Alerts:
Debian DSA-2186-2 2011-03-18
Debian DSA-2187-1 2011-03-09
Debian DSA-2186-1 2011-03-09
Debian DSA-2180-1 2011-03-03

Comments (none posted)

subversion: denial of service

Package(s):subversion CVE #(s):CVE-2011-0715
Created:March 4, 2011 Updated:June 27, 2011
Description: From the Debian advisory:

Philip Martin discovered that HTTP-based Subversion servers crash when processing lock requests on repositories which support unauthenticated read access.

Alerts:
SUSE SUSE-SU-2011:0691-1 2011-06-27
SUSE SUSE-SU-2011:0692-1 2011-06-27
openSUSE openSUSE-SU-2011:0693-1 2011-06-27
CentOS CESA-2011:0327 2011-04-14
Pardus 2011-66 2011-04-08
Mandriva MDVSA-2011:067 2011-04-06
SUSE SUSE-SR:2011:005 2011-04-01
Ubuntu USN-1096-1 2011-03-29
openSUSE openSUSE-SU-2011:0238-1 2011-03-28
Fedora FEDORA-2011-2657 2011-03-05
Fedora FEDORA-2011-2698 2011-03-05
Slackware SSA:2011-070-01 2011-03-11
Red Hat RHSA-2011:0328-01 2011-03-08
Red Hat RHSA-2011:0327-01 2011-03-08
Debian DSA-2182-1 2011-03-04
Debian DSA-2181-1 2011-03-04

Comments (none posted)

texmacs: privilege escalation

Package(s):TeXmacs CVE #(s):CVE-2010-3394
Created:March 7, 2011 Updated:March 9, 2011
Description: From the CVE entry:

The (1) texmacs and (2) tm_mupad_help scripts in TeXmacs 1.0.7.4 place a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.

Alerts:
Fedora FEDORA-2011-2146 2011-02-24
Fedora FEDORA-2011-2127 2011-02-24

Comments (none posted)

tiff: arbitrary code execution

Package(s):libtiff CVE #(s):CVE-2011-0191
Created:March 4, 2011 Updated:June 27, 2011
Description: From the CVE entry:

Buffer overflow in LibTIFF in ImageIO in Apple iTunes before 10.2 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image with JPEG encoding.

Alerts:
Debian DSA-2210-2 2011-06-25
Debian DSA-2210-1 2011-04-03
Mandriva MDVSA-2011:064 2011-04-04
SUSE SUSE-SR:2011:005 2011-04-01
openSUSE openSUSE-SU-2011:0399-1 2011-04-28
Ubuntu USN-1085-2 2011-03-15
Ubuntu USN-1085-1 2011-03-07
Pardus 2011-55 2011-03-04

Comments (none posted)

wireshark: multiple DOS vulnerabilities

Package(s):wireshark CVE #(s):CVE-2011-1139 CVE-2011-1140 CVE-2011-1141 CVE-2011-1142
Created:March 9, 2011 Updated:April 19, 2011
Description: Wireshark suffers from denial-of-service vulnerabilities in its SMB, LDAP, and BER dissectors, and one which exploitable via a crafted pcap capture file.
Alerts:
Gentoo 201110-02 2011-10-09
SUSE SUSE-SR:2011:007 2011-04-19
openSUSE openSUSE-SU-2011:0347-1 2011-04-18
CentOS CESA-2011:0370 2011-04-14
Debian DSA-2201-1 2011-03-23
CentOS CESA-2011:0370 2011-03-22
Red Hat RHSA-2011:0370-01 2011-03-21
Red Hat RHSA-2011:0369-01 2011-03-21
Pardus 2011-57 2011-03-21
Fedora FEDORA-2011-2620 2011-03-04
Fedora FEDORA-2011-2632 2011-03-04
Mandriva MDVSA-2011:044 2011-03-08

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds