By Jake Edge
May 25, 2011
A recent report
that highlighted some
potential and actual security vulnerabilities in WebGL has been widely
circulated. It should probably not come as a surprise that a new whiz-bang
feature that is meant to allow web content to interact with complex 3D
graphics hardware might lead to problems. Since it is all-but-certain that
browser makers will be enabling—in many cases already have enabled—this
feature, it will be interesting to see how the security holes will be
filled as they make their way from theoretical to actual vulnerabilities.
WebGL is a low-level 3D
graphics API that is based on the OpenGL ES 2.0 standard implemented by
libraries for
most fairly recent 3D graphics cards. For browsers with WebGL support, the HTML canvas element can be
used to display accelerated graphics in the browser that can be
controlled via JavaScript. For gaming, exploring
3D landscapes, undoubtedly annoying advertisements, and plenty of other
uses, WebGL will be a
welcome addition to web browsers. But allowing arbitrary content flowing
across the internet to interact with complex hardware certainly seems like
it might lead to security problems.
Graphics hardware typically consists of one or more graphics processing
units (GPUs) that are accessed through a driver. The driver provides some
standardized interface to higher-level libraries that implement a graphics
standard like OpenGL. But, in order to provide the most flexibility for
graphics programmers, much of what gets handed off to the libraries are
special-purpose programs called shaders. Shaders are written to handle the
complexities of the graphics to be rendered, and the libraries and drivers
turn those programs into the proper form for the GPU(s) in the hardware.
Essentially it means that malicious web sites can craft semi-arbitrary programs
to run on the hardware of the user. That alone should be enough to give
one pause from a security perspective. One obvious outcome is that
malicious shaders could be written to essentially monopolize the graphics
hardware, to the detriment of anything else that's trying to write to the
display (e.g. other windows). In the worst case, it could lead to the user
having to reinitialize the graphics hardware—possibly requiring a
reboot.
That kind of denial of service could be extremely annoying to users, but
doesn't really directly impact the security of the desktop. It would not
leak user data to the malicious site, though it could potentially result in
data loss depending on what else the user was doing at the time. It is, in
some ways, similar to the problems of malicious, infinitely looping
JavaScript, which can lock up a browser (but not generally the whole
desktop). Running browser tabs as separate processes, as Chromium does and
Firefox is moving to, also mitigates the JavaScript problem to a large
extent.
But that's not the only problem that the report from Context, a UK-based
security consulting company, outlined. Another potential attack is a
cross-domain image theft. When canvas elements include cross-domain
content, say an image from another site, there is an "origin-clean" flag
that gets cleared in the browser, which disables some of the JavaScript
functions that might be used to extract the potentially sensitive image
data from the other domain. However, a malicious canvas element could
create shaders that will effectively leak the image contents.
The attack relies on a technique long used to extract cryptographic keys
by doing a timing analysis. If shaders were written to take longer based
on the "brightness" of a pixel, JavaScript could be used to regenerate the
image based on how long each pixel takes to render. It is a complicated
attack to do, and finding real-world exploits using it may be somewhat
convoluted, but it is a cross-domain vulnerability. An example that
Context gives is a victim site that puts up a specific profile image based
on the session information stored in a browser cookie for the site, which
gets sent to the site as part of the request for the image. The malicious
site that included the victim image
couldn't get at the cookie, but could infer the logged-in user by
comparing the displayed image to a list of known "interesting" profile images.
Mozilla hacker JP Rosevear responded
to Context's report noting that the cross-domain image theft problem is
real, even though it may be difficult to exploit in practice:
"While it is not immediately obvious that it can be exploited in a
practical attack right now,
experience in security shows that this is a matter of when, not if."
His suggested fix is the cross-origin
resource sharing (CORS) proposal that would allow sites to explicitly
list which other sites can include their content.
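As an added illustration (not code from the article, from Mozilla, or from any browser), a Python model of the origin-clean decision for an image drawn onto a canvas, and of how the CORS opt-in Rosevear proposes relaxes it when the image's server explicitly names the embedding site. It models only this policy layer; the shader timing channel in Context's report reads pixels back without ever calling getImageData, which is exactly why the flag alone is not enough. The helper names are assumptions of this example.

```python
from urllib.parse import urlsplit

def origin_of(url):
    """scheme://host[:port] with the default port dropped, the tuple
    browsers actually compare (helper assumed for this example)."""
    u = urlsplit(url)
    default = {"http": 80, "https": 443}.get(u.scheme)
    port = u.port or default
    return f"{u.scheme}://{u.hostname}" + ("" if port == default else f":{port}")

def canvas_state(page_url, image_url, cross_origin=None, response_headers=None):
    """Outcome of drawing image_url onto a canvas owned by page_url.

    cross_origin is the <img crossorigin> value: None (plain fetch, no CORS),
    "anonymous" or "use-credentials" (any other value counts as "anonymous").
    Returns "clean"   - canvas stays origin-clean, pixel readback allowed,
            "tainted" - image is drawn but the origin-clean flag is cleared,
            "blocked" - CORS check failed, the browser refuses the image."""
    headers = {k.lower(): v for k, v in (response_headers or {}).items()}
    page, image = origin_of(page_url), origin_of(image_url)
    if page == image:
        return "clean"          # same-origin content never taints the canvas
    if cross_origin is None:
        return "tainted"        # drawn, but getImageData/toDataURL now throw
    acao = headers.get("access-control-allow-origin")
    if cross_origin == "use-credentials":
        # With credentials the server must name this page exactly; "*" is rejected.
        ok = acao == page and headers.get("access-control-allow-credentials") == "true"
    else:
        ok = acao == "*" or acao == page   # the server lists who may read it
    return "clean" if ok else "blocked"

def readback_allowed(page_url, image_url, cross_origin=None, response_headers=None):
    """True only when getImageData/toDataURL/readPixels would succeed."""
    return canvas_state(page_url, image_url, cross_origin, response_headers) == "clean"
```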
The denial of service problem is harder, though. The only real defense
against maliciously written shaders is to validate that code in ways that,
hopefully, eliminates bad shaders. That, of course, is something of an
arms race, so Rosevear also suggests that some kind of user confirmation
before displaying WebGL content may be required.
There are also some efforts afoot to try to handle denial of service issues
in the hardware itself. GL_ARB_robustness
(and GL_ARB_robustness_2) are mechanisms that the hardware makers can use
to detect these kinds of problems and reset the hardware when they occur.
As Context's FAQ indicates,
though, that may not be a real solution in the long term:
The resetting of the graphics card and driver should be seen as a crutch to
OS stability when exceptional conditions occur and not as a mechanism to
protect users from malicious code. Resetting the graphics card isn't
guaranteed to be a trouble free operation; all other users of the graphics
subsystem will need to correctly handle the event. The graphics stack would
have to ensure that any hardware resources are recreated before use to
guard against another application misusing it. This operation, while not
causing a DoS [denial of service] directly, could still indirectly [affect] the entire system and
the applications running on it.
From a security standpoint, allowing any random web site to send code that
is more-or-less directly executed on system hardware is always going to be
somewhat problematic. Rosevear points out that there is separation between
the components of WebGL that should provide some isolation:
"Nevertheless, claims of kernel level hardware access via WebGL are
speculative at best since WebGL shaders run on the GPU and shader compilers
run in user mode." That assumes that the libraries and drivers don't
have exploitable bugs of their own, of course.
As Rosevear notes, "significant attacks against [WebGL] may be possible".
This is clearly an area that bears watching.
Brief items
And per-system-call permissions are very dubious. What system calls
don't you want to succeed? That ioctl? You just made it impossible to
do a modern graphical application. Yet the kind of thing where we
would _want_ to help users is in making it easier to sandbox something
like the adobe flash player. But without accelerated direct rendering,
that's not going to fly, is it?
So I'm sorry for throwing cold water on you guys, but the whole "let's
come up with a new security gadget" thing just makes me go "oh no, not
again".
-- Linus Torvalds
I may be one of very few people in this room who actually makes his living personally by creating what these gentlemen are pleased to call "intellectual property." I don't regard my expression as a form of property. Property is something that can be taken from me. If I don't have it, somebody else does.
Expression is not like that. The notion that expression is like that is
entirely a consequence of taking a system of expression and
transporting it around, which was necessary before there was the
Internet, which has the capacity to do this infinitely at almost no
cost.
-- John Perry Barlow speaking at the e-G8 conference
Suppose that an attacker knows some of your past purchases on a site: for
example, past item reviews, social networking profiles, or real-world
interactions are a rich source of information. New purchases will affect
the perceived similarity between the new items and your past purchases,
possibly causing visible changes to the recommendations provided for
your previously purchased items. We demonstrate that an attacker can
leverage these observable changes to infer your purchases. Among other
things, these attacks are complicated by the fact that multiple users
simultaneously interact with a system and updates are not immediate
following a transaction.
-- Joe Calandrino in the Freedom to Tinker blog
The H reports on a successful timing attack against the Elliptic Curve
digital signature algorithm in OpenSSL:
For their tests, the researchers set up
an SSL server with OpenSSL and measured the time it took to create a
digital signature using
Elliptic Curve DSA (ECDSA). This allowed them to
calculate the server's secret key. When establishing an SSL connection via
the local loopback interface, they managed to do this almost
instantaneously. While packet transfer times on a local network caused
measurement uncertainties, these uncertainties could be compensated for
with some further calculations.
Overall, the attack described in Remote Timing Attacks are Still Practical
[PDF] also proved feasible over a network.
No working countermeasures have so far been found; the US-CERT advises that
ECDSA should no longer be used for digital signatures. To prevent this type
of attack, the researchers recommend implementing time-independent
functions for operations on elliptic curves.
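The countermeasure the researchers recommend, time-independent curve operations, shown with an added Python toy (not code from the paper, from OpenSSL, or from The H). Naive double-and-add performs an extra addition for every set bit of the scalar, so its run time tracks the secret; a Montgomery ladder does the same work for every bit, and padding the scalar to a fixed width removes the remaining dependence on its bit length. The curve parameters are the textbook curve y^2 = x^3 + 2x + 2 over GF(17), whose generator has prime order 19; they are far too small for real use and only make the operation counts easy to follow.

```python
# Toy curve (constructed for this example): y^2 = x^3 + 2x + 2 over GF(17),
# generator G = (5, 1) of prime order 19.  None is the point at infinity.
P, A = 17, 2
G = (5, 1)

def inv(x):
    return pow(x % P, P - 2, P)

def add(p1, p2):
    """Affine point addition/doubling on the toy curve."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def naive_mul(k, pt):
    """Double-and-add: returns (k*pt, group operations performed).  The
    count grows with the Hamming weight of k, so timing leaks scalar bits."""
    r, ops = None, 0
    for bit in format(k, "b"):
        if r is not None:
            r, ops = add(r, r), ops + 1
        if bit == "1":
            r, ops = add(r, pt), ops + 1
    return r, ops

def ladder_mul(k, pt, nbits=None):
    """Montgomery ladder: one addition and one doubling per bit whatever
    its value, so the count no longer depends on which bits are set.
    Without nbits it still depends on the bit length of k; pass nbits (the
    bit length of the group order) to process a fixed width for every k.
    This toy still branches on the bit; real code uses a constant-time swap."""
    bits = format(k, "b") if nbits is None else format(k, f"0{nbits}b")
    r0, r1, ops = None, pt, 0                      # invariant: r1 == r0 + pt
    for bit in bits:
        if bit == "1":
            r0, r1 = add(r0, r1), add(r1, r1)
        else:
            r1, r0 = add(r0, r1), add(r0, r0)
        ops += 2
    return r0, ops

def op_counts(mul, scalars=range(1, 19)):
    """Operation count per scalar: several distinct values mean scalars
    are distinguishable by timing, a single value means they are not."""
    return {k: mul(k, G)[1] for k in scalars}
```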
OneSwarm, a BitTorrent-compatible peer-to-peer application with
privacy-preservation features, has released version 0.7.5. The code is
available on GitHub and uses source address rewriting and SSL encryption to
protect the privacy of its users.
"OneSwarm is a new peer-to-peer tool that provides users with
explicit control over their privacy by letting them determine how data is
shared. Instead of sharing data indiscriminately, data shared with OneSwarm
can be made public, it can be shared with friends, shared with some friends
but not others, and so forth. We call this friend-to-friend (F2F) data
sharing."
New vulnerabilities
apr: denial of service
| Package(s): | apr |
| CVE #(s): | CVE-2011-1928 |
| Created: | May 20, 2011 |
| Updated: | August 2, 2011 |
| Description: | From the Mandriva advisory: It was discovered that the fix for CVE-2011-0419 under certain conditions could cause a denial-of-service (DoS) attack in APR. |
| Alerts: | |
cyrus-imapd: man-in-the-middle attack
| Package(s): | cyrus-imapd |
| CVE #(s): | CVE-2011-1926 |
| Created: | May 24, 2011 |
| Updated: | August 15, 2011 |
| Description: | From the Mandriva advisory: The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a plaintext command injection attack, a similar issue to CVE-2011-0411. |
| Alerts: | |
feh: remote code execution
| Package(s): | feh |
| CVE #(s): | CVE-2010-2246 |
| Created: | May 25, 2011 |
| Updated: | October 14, 2011 |
| Description: | An attacker can cause the feh image viewer to execute arbitrary code if the user can be made to open a specially-crafted URL. |
| Alerts: | |
gnome-screensaver: lock bypass
| Package(s): | gnome-screensaver |
| CVE #(s): | CVE-2010-0285 |
| Created: | May 19, 2011 |
| Updated: | May 25, 2011 |
| Description: | From the Mandriva advisory: gnome-screensaver 2.14.3, 2.22.2, 2.27.x, 2.28.0, and 2.28.3, when the X configuration enables the extend screen option, allows physically proximate attackers to bypass screen locking, access an unattended workstation, and view half of the GNOME desktop by attaching an external monitor (CVE-2010-0285). |
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2011-0999, CVE-2011-1023 |
| Created: | May 19, 2011 |
| Updated: | July 14, 2011 |
| Description: | From the Red Hat advisory: * A flaw was found in the Linux kernel's Transparent Huge Pages (THP) implementation. A local, unprivileged user could abuse this flaw to allow the user stack (when it is using huge pages) to grow and cause a denial of service. (CVE-2011-0999, Moderate) * A flaw was found in the transmit methods (xmit) for the loopback and InfiniBand transports in the Linux kernel's Reliable Datagram Sockets (RDS) implementation. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-1023, Moderate) |
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2011-1173, CVE-2011-1585, CVE-2011-1593, CVE-2011-1598, CVE-2011-1748, CVE-2011-1759, CVE-2011-1767, CVE-2011-1770, CVE-2011-1776, CVE-2011-2022 |
| Created: | May 25, 2011 |
| Updated: | November 21, 2011 |
| Description: | This set of kernel vulnerabilities includes information disclosure from the Acorn Econet protocol implementation (CVE-2011-1173), CIFS authentication bypass (CVE-2011-1585), denial of service (CVE-2011-1593, CVE-2011-1767), null pointer dereference (CVE-2011-1598, CVE-2011-1748), privilege escalation (CVE-2011-1759), remote denial of service and information disclosure (CVE-2011-1770), information disclosure via crafted storage device (CVE-2011-1776) and privilege escalation (CVE-2011-2022). |
| Alerts: | |
kvm: code execution
| Package(s): | kvm |
| CVE #(s): | CVE-2011-1751 |
| Created: | May 19, 2011 |
| Updated: | July 7, 2011 |
| Description: | From the openSUSE advisory: By causing a hot-unplug of the pci-isa bridge from within guests the qemu process could access already freed memory. A privileged user inside the guest could exploit that to crash the guest instance or potentially execute arbitrary code on the host (CVE-2011-1751). |
| Alerts: | |
mediawiki: multiple vulnerabilities
| Package(s): | mediawiki |
| CVE #(s): | CVE-2011-1765, CVE-2011-1766 |
| Created: | May 23, 2011 |
| Updated: | May 25, 2011 |
| Description: | From the Fedora advisory: Mediawiki 1.16.5 was released to correct two security flaws. The first issue is yet another recurrence of the Internet Explorer 6 XSS vulnerability that caused the release of 1.16.4. It was pointed out that there are dangerous extensions with more than four characters, so the regular expressions we introduced had to be updated to match longer extensions. (CVE-2011-1765) The second issue allows unauthenticated users to gain additional rights, on wikis where $wgBlockDisablesLogin is enabled. By default, it is disabled. The issue occurs when a malicious user sends cookies which contain the user name and user ID of a "victim" account. In certain circumstances, the rights of the victim are loaded and persist throughout the malicious request, allowing the malicious user to perform actions with the victim's rights. (CVE-2011-1766) |
| Alerts: | |
opera: memory corruption
| Package(s): | opera |
| CVE #(s): | |
| Created: | May 20, 2011 |
| Updated: | June 24, 2011 |
| Description: | From the Opera advisory: Framesets allow web pages to hold other pages inside them. Certain frameset constructs are not handled correctly when the page is unloaded, causing a memory corruption. To inject code, additional techniques will have to be employed. |
| Alerts: | |
pure-ftpd: denial of service
| Package(s): | pure-ftpd |
| CVE #(s): | CVE-2011-0418 |
| Created: | May 19, 2011 |
| Updated: | June 21, 2011 |
| Description: | From the Mandriva advisory: A denial-of-service (DoS) attack related to glob brace expansion was discovered and fixed in pure-ftpd (CVE-2011-0418). |
| Alerts: | |
ruby: arbitrary code execution
| Package(s): | ruby |
| CVE #(s): | CVE-2011-0188 |
| Created: | May 23, 2011 |
| Updated: | August 15, 2011 |
| Description: | From the Mandriva advisory: The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an integer truncation issue. |
| Alerts: | |
syslog-ng: denial of service
| Package(s): | syslog-ng |
| CVE #(s): | |
| Created: | May 25, 2011 |
| Updated: | May 25, 2011 |
| Description: | syslog-ng suffers from a minimally-described "PCRE input validation error" which can enable a denial of service attack. |
| Alerts: | |
thunar: denial of service
| Package(s): | thunar |
| CVE #(s): | CVE-2011-1588 |
| Created: | May 20, 2011 |
| Updated: | May 31, 2011 |
| Description: | From the openSUSE advisory: Due to a format string error thunar could crash when copy&pasting a file name with format characters. |
| Alerts: | |
tigervnc: password disclosure
| Package(s): | tigervnc |
| CVE #(s): | CVE-2011-1775 |
| Created: | May 25, 2011 |
| Updated: | June 15, 2011 |
| Description: | The vncviewer program can be made to send a password to a malicious server without first verifying its X.509 certificate. |
| Alerts: | |
viewvc: resource-consumption attack
| Package(s): | viewvc |
| CVE #(s): | CVE-2009-5024 |
| Created: | May 24, 2011 |
| Updated: | May 31, 2011 |
| Description: | From the CVE entry: ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request. |
| Alerts: | |
Page editor: Jake Edge