LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

Enforcing password strength

By Jake Edge
October 12, 2011

There have been a lot of high-profile site compromises of late (kernel.org, Linux.com, MySQL, WineHQ, ...), most or all of which have led to password disclosure. Hopefully all of the disclosed passwords were stored as hash values, but, even so, sufficiently motivated attackers may well be able to crack some of the passwords via brute force or other means. Because passwords are often reused between sites, these compromises have made projects and others concerned about the security of the passwords granting access to their sites.

That concern led Kevin Fenzi of the Fedora infrastructure team to put out a message noting that all Fedora Account System (FAS) users are required to change their password (and SSH public keys, more about that below). As Fenzi said, the password change is not because of any known compromise of the Fedora infrastructure, but is, instead, a reaction to the recent compromises: "due to the large number of high profile sites with security breaches in recent months, that this is a great time for all Fedora contributors and users to review their security settings and move to 'best practices' on their machines." Part of those "best practices" is to have a strong password, so Fedora is enforcing some rules on the new passwords:

New Password Rules:
  • Nine or more characters with lower and upper case letters, digits and punctuation marks.
  • Ten or more characters with lower and upper case letters and digits.
  • Twelve or more characters with lower case letters and digits
  • Twenty or more characters with all lower case letters.
  • No maximum length.

I asked Fenzi in an email where the rules came from, and he pointed me to a Fedora infrastructure bug ticket and the report [PDF] from the University of Amsterdam that it references. That report looks at various password cracking methods and estimates that using those guidelines (actually just the first three) will result in passwords that will take ten years or more to crack at 2 billion guesses per second. That rate was an average of what the researchers found that a modern GPU-equipped system could guess for several different hash algorithms.

As Przemek Klosowski points out, the number of possibilities for each kind of password differ widely. There is a math error in the length-12 case (should be (24+10)^12), and evidently Klosowski is only considering 24 letters, rather than the 26 in English, but his conclusion still stands: the number of possibilities are ten orders of magnitude apart from the first to the last rule. In the end, that doesn't really matter, as long as the weakest choice is sufficient.

Most who commented on the requirement were not particularly annoyed by the password change mandate, but the same cannot be said about the SSH key requirement. SSH users may tend to be more security savvy and are thus less likely to have lost control of their private SSH key than they are to have an easily cracked password—though of course that's no guarantee. But if the private SSH key that corresponds to the public key installed on the FAS servers has been compromised, it's likely that's because the owner's system has been breached. If that's the case, generating a new SSH key on a compromised system will likely only result in another compromised key. In addition, a massive SSH key flag day has its own dangers as Simo Sorce points out:

OTOH with a massive key change you have no reasonable way to monitor suspicious key replacement activity. Remember that ssh keys can be uploaded by simply knowing the FAS account password which is arguably much simpler to snatch as we have many systems that require such passwords in various different ways.

There is a strong belief that the kernel.org compromise was done via a compromised SSH key, however, so the infrastructure team is requiring folks to change their keys. Many are not happy about it, including Sorce who goes on to say:

The problem is that blindly changing keys if a contributor is being careless accomplishes exactly nothing, and just burdens all careful ones.

If you have evidence of contributors being careless with SSH keys the only recourse is to identify and educate the offenders requiring them to change those keys and not have a 'hit 100 to educate 1' policy that serves little or no purpose.

Sorce's complaint is a reasonable one. Unfortunately, it's hard to know whose keys may have been compromised (or, indeed, if any have been compromised at all) as several folks mentioned. By bringing it up and requiring everyone to change their keys, it may result in better security—and will at least raise the awareness level of the problem, which could result in better security practices by some who were being lax. It is undoubtedly annoying to those who have been careful with their keys, but it isn't that hard to generate and use a new key, even if it is only used for FAS.

Raising the level of awareness of these issues is perhaps the only good thing that has come from these high-profile break-ins. It is pretty easy to get complacent about security, reuse passwords on many sites, have password-less SSH keys, and so on. Events like the kernel.org breach can help break us all of our lax security habits. Certainly many sites, projects, and organizations—even those who haven't suffered a breach—are looking at their security practices; it's a good time for individuals to do so as well.

Passwords are only part of the story, of course, but they tend to be on the "front-line" of the security of our systems, so it is a good place to start. As xkcd so eloquently put it, the time for relatively short but "hard" to guess passwords may well be behind us: pass phrases are more easily remembered and less easily cracked. It's good to see that Fedora is not enforcing a limit on the password length, it's likely that many other sites do have a fairly short limit that will make using pass phrases harder. The Fedora rules do provide some good guidelines to follow when creating passwords or phrases.

Having too many passwords is almost as bad as having too few, because managing them securely can be quite a headache. One suggestion that Fenzi made is to use a password manager program like "revelation, gnome-keyring, seahorse, or keepassx". Looking more closely at those kinds of applications is on my to-do list, for both personal and professional reasons. Look for an article on that topic to appear on your virtual doorstep in the near future.

Comments (36 posted)

Brief items

Security quotes of the week

The drones are still flying over warzones from Afghanistan to Pakistan to Yemen. There's no sign, yet, that the virus either damaged any of the systems associated with the remotely-piloted aircraft or transmitted sensitive information outside the military chain of command — although three military insiders caution that a full-blown, high-level investigation into the virus is only now getting underway.

Nevertheless, the virus has sparked a bit of a firestorm in military circles. Not only were officials in charge kept out of the loop about an infection in America's weapon and surveillance system of choice, but the surprise surrounding that infection highlights a flaw in the way the U.S. military secures its information infrastructure: There's no one in the Defense Department with his hand on the network switch. In fact, there is no one switch to speak of.

-- Wired reports on a virus infecting US drone aircraft

If having a keylogger on a weapons system's command-and-control console is "benign" we don't want to know what "malicious" is — though perhaps the operators of the Iranian reactor at Beshehr could share some of their experiences.
-- Marcus J. Ranum

To catch up with the new technologies of malfeasance, FBI director Robert Mueller traveled to Silicon Valley last November to persuade technology companies to build "backdoors" into their products. If Mueller's wish were granted, the FBI would gain undetected real-time access to suspects' Skype calls, Facebook chats, and other online communications—and in "clear text," the industry lingo for unencrypted data. Backdoors, in other words, would make the Internet — and especially its burgeoning social media sector — "wiretappable."
-- Evgeny Morozov reviews Susan Landau's Surveillance or Security? (via Bruce Schneier)

Comments (none posted)

An analysis of alleged German governmental malware

The Chaos Computer Club claims to have analyzed a rootkit used by the German government. "The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet."

Comments (25 posted)

WineHQ database compromised

Codeweavers has announced that access to the WineHQ database has been compromised. "On the one hand, we saw no evidence of harm to any database. We saw no evidence of any attempt to change the database (and candidly, using the real appdb or bugzilla is the easy way to change the database). Unfortunately, the attackers were able to download the full login database for both the appdb and bugzilla. This means that they have all of those emails, as well as the passwords. The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked." Anybody who has reused a password stored there probably wants to make some changes fairly soon.

Comments (29 posted)

New vulnerabilities

apache: mod_proxy reverse proxy exposure

Package(s):apache CVE #(s):CVE-2011-3368
Created:October 10, 2011 Updated:November 10, 2011
Description: From the Mandriva advisory:

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

Alerts:
Ubuntu USN-1259-1 2011-11-11
CentOS CESA-2011:1392 2011-11-09
openSUSE openSUSE-SU-2011:1217-1 2011-11-04
SUSE SUSE-SU-2011:1215-1 2011-11-04
SUSE SUSE-SU-2011:1229-1 2011-11-09
Scientific Linux SL-http-20111020 2011-10-20
Scientific Linux SL-http-20111020 2011-10-20
CentOS CESA-2011:1392 2011-10-20
Red Hat RHSA-2011:1391-01 2011-10-20
Red Hat RHSA-2011:1392-01 2011-10-20
Mandriva MDVSA-2011:144 2011-09-08
Debian DSA-2405-1 2012-02-06
openSUSE openSUSE-SU-2012:0248-1 2012-02-09
openSUSE openSUSE-SU-2012:0212-1 2012-02-09
Slackware SSA:2012-041-01 2012-02-10
Red Hat RHSA-2012:0128-01 2012-02-13
CentOS CESA-2012:0128 2012-02-14
Oracle ELSA-2012-0128 2012-02-14
Scientific Linux SL-http-20120214 2012-02-14
Fedora FEDORA-2012-1598 2012-02-21
Red Hat RHSA-2012:0323-01 2012-02-21
Fedora FEDORA-2012-1642 2012-03-06
Scientific Linux SL-http-20120306 2012-03-06
Oracle ELSA-2012-0323 2012-03-09
Gentoo 201206-25 2012-06-24
openSUSE openSUSE-SU-2013:0243-1 2013-02-05
openSUSE openSUSE-SU-2013:0248-1 2013-02-05

Comments (none posted)

cups: arbitrary code execution

Package(s):cups CVE #(s):CVE-2011-3170
Created:October 10, 2011 Updated:October 12, 2011
Description: From the Mandriva advisory:

The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and earlier does not properly handle the first code word in an LZW stream, which allows remote attackers to trigger a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted stream, a different vulnerability than CVE-2011-2896 (CVE-2011-3170).

Alerts:
Debian DSA-2354-1 2011-11-28
Mandriva MDVSA-2011:147 2011-10-11
Gentoo 201207-10 2012-07-09

Comments (none posted)

cyrus-imapd: access restriction bypass

Package(s):cyrus-imapd-2.2 CVE #(s):CVE-2011-3372
Created:October 7, 2011 Updated:October 14, 2011
Description:

From the Debian advisory:

CVE-2011-3372: Stefan Cornelius of Secunia Research discovered that the command processing of the NNTP server implementation (nttpd) of cyrus-imapd is not properly implementing access restrictions for certain commands and is not checking for a complete, successful authentication. An attacker can use this flaw to bypass access restrictions for some commands and, e.g. exploit CVE-2011-3208 without proper authentication.

Alerts:
Scientific Linux SL-cyru-20111201 2011-12-01
Oracle ELSA-2011-1508 2011-12-01
Oracle ELSA-2011-1508 2011-12-01
Oracle ELSA-2011-1508 2011-12-01
CentOS CESA-2011:1508 2011-12-01
CentOS CESA-2011:1508 2011-12-01
Red Hat RHSA-2011:1508-01 2011-12-01
openSUSE openSUSE-SU-2011:1170-1 2011-10-24
Mandriva MDVSA-2011:149 2011-10-14
Debian DSA-2318-1 2011-10-06

Comments (none posted)

kdelibs: certificate spoofing

Package(s):kdelibs CVE #(s):CVE-2011-3365 CVE-2011-3366
Created:October 11, 2011 Updated:November 10, 2011
Description: From the KDE advisory:

When displaying a security dialog with a certificate, KSSL does not properly force its QLabels to use QLabel::PlainText. As a result, if given a certificate containing rich text in its fields, it will render the rich text.

Specifically, a certificate containing a common name (CN) that has a table element will cause the second line of the table to be displayed. This can allow spoofing of the certificate's common name.

Alerts:
CentOS CESA-2011:1385 2011-11-09
Mandriva MDVSA-2011:162 2011-11-01
Ubuntu USN-1248-1 2011-10-25
Scientific Linux SL-kdel-20111019 2011-10-19
CentOS CESA-2011:1385 2011-10-19
Red Hat RHSA-2011:1385-01 2011-10-19
openSUSE openSUSE-SU-2011:1135-1 2011-10-17
Scientific Linux SL-kdel-20111011 2011-10-11
Red Hat RHSA-2011:1364-01 2011-10-11

Comments (none posted)

kernel: two information leaks

Package(s):kernel CVE #(s):CVE-2011-1161 CVE-2011-1162
Created:October 6, 2011 Updated:November 28, 2011
Description: According to the Red Hat bugzilla entry, both of these are information leaks of some kind in the TPM driver.
Alerts:
Ubuntu USN-1311-1 2011-12-19
Ubuntu USN-1303-1 2011-12-13
Ubuntu USN-1299-1 2011-12-13
Ubuntu USN-1294-1 2011-12-08
Scientific Linux SL-kern-20111129 2011-11-29
CentOS CESA-2011:1479 2011-11-30
Oracle ELSA-2011-1479 2011-11-30
Red Hat RHSA-2011:1479-01 2011-11-29
Oracle ELSA-2011-1465 2011-11-28
Oracle ELSA-2011-2033 2011-11-28
Oracle ELSA-2011-2033 2011-11-28
Scientific Linux SL-kern-20111122 2011-11-22
Red Hat RHSA-2011:1465-01 2011-11-22
Fedora FEDORA-2011-13809 2011-10-05
Ubuntu USN-1318-1 2012-01-05
Ubuntu USN-1319-1 2012-01-05
Red Hat RHSA-2012:0010-01 2012-01-10
Ubuntu USN-1325-1 2012-01-11
Ubuntu USN-1323-1 2012-01-11
Ubuntu USN-1332-1 2012-01-13
Ubuntu USN-1337-1 2012-01-23
Ubuntu USN-1341-1 2012-01-23
Ubuntu USN-1345-1 2012-01-24
Oracle ELSA-2012-0150 2012-03-07

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2011-2521 CVE-2011-2898
Created:October 6, 2011 Updated:October 12, 2011
Description:

From the Red Hat advisory:

A flaw was found in the Linux kernel's Performance Events implementation. It could falsely lead the NMI (Non-Maskable Interrupt) Watchdog to detect a lockup and panic the system. A local, unprivileged user could use this flaw to cause a denial of service (kernel panic) using the perf tool. (CVE-2011-2521, Moderate)

Flaws were found in the tpacket_rcv() and packet_recvmsg() functions in the Linux kernel. A local, unprivileged user could use these flaws to leak information to user-space. (CVE-2011-2898, Low)

Alerts:
Scientific Linux SL-kern-20111005 2011-10-05
Red Hat RHSA-2011:1350-01 2011-10-05
Red Hat RHSA-2012:0010-01 2012-01-10
Debian DSA-2389-1 2012-01-15
openSUSE openSUSE-SU-2012:0206-1 2012-02-09
openSUSE openSUSE-SU-2012:0236-1 2012-02-09

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2011-3353
Created:October 10, 2011 Updated:November 28, 2011
Description: From the SUSE advisory:

In the fuse filesystem, FUSE_NOTIFY_INVAL_ENTRY did not check the length of the write so the message processing could overrun and result in a BUG_ON() in fuse_copy_fill(). This flaw could be used by local users able to mount FUSE filesystems to crash the system.

Alerts:
Oracle ELSA-2011-1465 2011-11-28
Oracle ELSA-2011-2033 2011-11-28
Oracle ELSA-2011-2033 2011-11-28
Scientific Linux SL-kern-20111122 2011-11-22
Red Hat RHSA-2011:1465-01 2011-11-22
openSUSE openSUSE-SU-2011:1222-1 2011-11-08
openSUSE openSUSE-SU-2011:1221-1 2011-11-08
SUSE SUSE-SA:2011:041 2011-10-17
SUSE SUSE-SU-2011:1101-1 2011-10-10
SUSE SUSE-SU-2011:1100-1 2011-10-10
Ubuntu USN-1319-1 2012-01-05
Red Hat RHSA-2012:0010-01 2012-01-10
Ubuntu USN-1325-1 2012-01-11
Ubuntu USN-1329-1 2012-01-13
Debian DSA-2389-1 2012-01-15
Ubuntu USN-1361-1 2012-02-13
Ubuntu USN-1362-1 2012-02-13
Ubuntu USN-1386-1 2012-03-06
Ubuntu USN-1387-1 2012-03-06
SUSE SUSE-SU-2012:0364-1 2012-03-14

Comments (none posted)

libxml2: denial of service

Package(s):libxml2 CVE #(s):CVE-2011-2821 CVE-2011-2834
Created:October 10, 2011 Updated:September 27, 2012
Description: From the Mandriva advisory:

Double free vulnerabilities in libxml2 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted XPath expression and via vectors related to XPath handling (CVE-2011-2821, CVE-2011-2834).

Alerts:
Scientific Linux SL-libx-20111206 2011-12-06
Red Hat RHSA-2011:1749-03 2011-12-06
Gentoo 201111-01 2011-11-01
Gentoo 201110-26 2011-10-26
Mandriva MDVSA-2011:145 2011-10-09
Red Hat RHSA-2012:0016-01 2012-01-11
Red Hat RHSA-2012:0017-01 2012-01-11
CentOS CESA-2012:0016 2012-01-11
CentOS CESA-2012:0017 2012-01-11
openSUSE openSUSE-SU-2012:0073-1 2012-01-12
Oracle ELSA-2012-0016 2012-01-12
Scientific Linux SL-libx-20120111 2012-01-11
Scientific Linux SL-libx-20120112 2012-01-12
Oracle ELSA-2012-0017 2012-01-12
Ubuntu USN-1334-1 2012-01-19
Debian DSA-2394-1 2012-01-26
Oracle ELSA-2012-0324 2012-03-09
Fedora FEDORA-2012-13820 2012-09-26
Fedora FEDORA-2012-13824 2012-09-27
Red Hat RHSA-2013:0217-01 2013-01-31
CentOS CESA-2013:0217 2013-02-01
Oracle ELSA-2013-0217 2013-02-01
Scientific Linux SL-ming-20130201 2013-02-01

Comments (none posted)

openswan: denial of service

Package(s):openswan CVE #(s):CVE-2011-3380
Created:October 6, 2011 Updated:October 14, 2011
Description:

From the Red Hat advisory:

A NULL pointer dereference flaw was found in the way Openswan's pluto IKE daemon handled certain error conditions. A remote, unauthenticated attacker could send a specially-crafted IKE packet that would crash the pluto daemon. (CVE-2011-3380)

Alerts:
Fedora FEDORA-2011-13862 2011-10-05
Fedora FEDORA-2011-13864 2011-10-05
Scientific Linux SL-open-20111005 2011-10-05
Red Hat RHSA-2011:1356-01 2011-10-05

Comments (none posted)

php: arbitrary code execution

Package(s):php CVE #(s):CVE-2011-3379
Created:October 10, 2011 Updated:May 10, 2012
Description: From the Red Hat bugzilla:

It was reported that due to changes in the is_a() function PHP 5.3.7 and 5.3.8 became vulnerable to remote arbitrary code execution when is_a() is used in certain ways. Due to the __autoload() implementation, if a user were able to upload a crafted file, it could be possible to pass the contents of the file as an argument to the __autoload() function which could in turn use that argument as a file to include(). If there was no adequate checking or enforcement of the file to load being, local, this could lead to including a remote script from a remote web site.

Alerts:
Mandriva MDVSA-2011:166 2011-11-03
Fedora FEDORA-2011-13458 2011-09-29
Fedora FEDORA-2011-13446 2011-09-29
Mandriva MDVSA-2012:071 2012-05-10
Gentoo 201209-03 2012-09-23

Comments (none posted)

xorg-x11-server: multiple vulnerabilities

Package(s):xorg-x11 CVE #(s):CVE-2010-4818 CVE-2010-4819
Created:October 7, 2011 Updated:February 28, 2012
Description:

From the Red Hat advisory:

Multiple input sanitization flaws were found in the X.Org GLX (OpenGL extension to the X Window System) extension. A malicious, authorized client could use these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges. (CVE-2010-4818)

An input sanitization flaw was found in the X.Org Render extension. A malicious, authorized client could use this flaw to leak arbitrary memory from the X.Org server process, or possibly crash the X.Org server. (CVE-2010-4819)

Alerts:
CentOS CESA-2011:1360 2011-11-09
Ubuntu USN-1232-3 2011-10-20
Ubuntu USN-1232-2 2011-10-19
Ubuntu USN-1232-1 2011-10-18
Scientific Linux SL-xorg-20111006 2011-10-06
Scientific Linux SL-xorg-20111006 2011-10-06
CentOS CESA-2011:1359 2011-10-06
Red Hat RHSA-2011:1359-01 2011-10-06
Red Hat RHSA-2011:1360-01 2011-10-06
openSUSE openSUSE-SU-2012:0307-1 2012-02-27

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds