Security

Loading signed kernel modules

Inserting loadable modules into a running kernel is clearly a convenient feature. It allows distributions to have relatively small kernels while still supporting a wide variety of hardware and use-cases, but it can also allow unwanted modules to be loaded in a way that may not be all that easy to detect. Those modules could simply be binary-only drivers that the distribution or service provides doesn't want to support—or they could be some kind of malware. A recently posted patch set will help to avoid those problems by giving the option of building a kernel that will only allow modules that have been cryptographically signed to be loaded, or to simply detect the presence of unsigned modules.

David Howells posted the patches, which are based on code that has been running in Fedora and RHEL kernels for years. Therefore, it should have been "thoroughly tested" Howells said in the final patch in the series (which also contains the module-signing.txt kernel Documentation file). The patch allows for signing modules using the RSA signature algorithm with any of the SHA family of hash algorithms.

The basic idea is that public keys can be built into the kernel and, if CONFIG_MODULE_SIG is enabled, used to check the validity of modules before they are loaded. If CONFIG_MODULE_SIG_FORCE is enabled at compile time (or enforcemodulesig=1 is passed on the kernel command line), only those modules that can be verified with one of the public keys built into the kernel will be loaded. If the "force" option is not used, unsigned modules will still be loaded. In either case, modules with corrupt or incorrect signatures, or those that are signed with a key that is not on the keyring, will be rejected.

In order to make that work, there needs to be a way to build signed modules. That is done by creating public and private keys in the top-level kernel directory (in kernel.pub and kernel.sec by default). The public key will be processed with the kernel's bin2c utility and written as crypto/signature/key.h. The public and secret key will then be used with GNU Privacy Guard (GPG) to sign the modules automatically as they are built. There are several options that can be passed on the make command line to govern the location of the key files as well as options to pass to gpg.

In addition, the modules can be stripped for inclusion into initial ramdisk images and debuginfo can be included in a separate ELF section that is not included in the signature calculation. That means that all of the variants of a particular module can share a single signature that is stored in the module itself (in the .module_sig ELF section). In addition, the output of /proc/modules has been changed to add a "U" to unsigned modules so that they can be detected.

The patch also modifies the kernel's crypto subsystem to allow for the new key type and to add an RSA signature verification algorithm. That requires using the multi-precision integer (MPI) library from GPG, which was reworked from the Red Hat version for kernel inclusion by Dmitry Kasatkin. That code is already in the security tree in order to support the Extended Verification Module (EVM) digital signature extension. It also requires a minimal parser for the OpenPGP format (which is the kind of keys and signatures that GPG generates).

There is also something of a chicken-and-egg problem. Many distributions have crypto and hash algorithms built as modules, but the RSA algorithm and whichever hash is being used to generate the signatures needs to be present or an enforcing kernel won't be able to load any modules at all. For that reason, the patches ensure that if module signatures are selected at compile time, the RSA and chosen hash algorithms are not built as modules themselves. Modules are then loaded in the usual way, with insmod, but the signature will be checked by suitably configured kernels.

There has been relatively little discussion or complaints about the patches in the three revisions that have been posted since Howells began the process in late November. H. Peter Anvin is concerned about adding a OpenPGP parser to the kernel, and Howells was quick to point out that the parser is just the minimal amount needed to pull keys and signatures out of OpenPGP-formatted data. Both Anvin and James Morris were unconvinced about the need for supporting the (now deprecated) DSA signature algorithm and Howells has pulled that code out in the most recent revision.

This is not the first time Howells has proposed these (or similar) changes as those efforts stretch back to (at least) 2004. He has now requested that the code be included into the Morris's security tree. If that happens, and no major complaints arise, we could potentially see signed module support in Linux 3.3.

While it is a useful feature, particularly for those trying to support Linux kernels without random drivers from who-knows-where, it only places another set of hurdles in front of malware authors. Since root privileges are required to load modules in the first place, a malware author will only need to find a way to insert code into the running kernel without using the module loading facility. Once upon a time, /dev/kmem could be used for that, but many distribution kernels don't support it any more. Prior to the advent of CONFIG_STRICT_DEVMEM, /dev/mem would have provided another way, but distributions are generally enabling that option as well. Exploiting some kind of kernel bug is the most probable route for these root-privileged attackers, but is certainly a more fragile approach than simply inserting a module.

Another potential use (or abuse depending on perspective) of the feature is for device makers or distributions to lock down their kernels. That would leave users who wish to add functionality (or remove anti-features) in the same place as the malware author: looking for a kernel bug to exploit. Of course, some users may just find a way to replace the kernel entirely in that scenario.

Comments (7 posted)

Brief items

Security quotes of the week

-- Moxie Marlinspike

-- Bruce Schneier

-- Dan Walsh debugs some problems that were causing RSA to recommend turning off SELinux

Comments (none posted)

Paper: Capability leaks in Android phones

Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang have published a paper [PDF] describing research they have done into the Android security model as implemented on actual handsets. "In this paper, we analyze eight popular Android smartphones and discover that the stock phone images do not properly enforce the permission model. Several privileged permissions are unsafely exposed to other applications which do not need to request them for the actual use. To identify these leaked permissions or capabilities, we have developed a tool called Woodpecker. Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones - all without asking for any permission." The Google "Nexus" phones were the happy exception, with almost no leaks. (Seen on The H).

Comments (3 posted)

C|Net Download.Com accused of bundling Nmap with malware

Nmap hacker Fyodor has discovered that the download.com site is offering a version of Nmap (for Windows) with an installer that makes a number of unwelcome changes. "The way it works is that C|Net's download page offers what they claim to be Nmap's Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap's real installer." One assumes they do similar things with other free programs. The number of LWN readers obtaining software from download.com is likely to be quite small, but it is still good to be aware of what's going on. This is why some projects adopt draconian trademark policies, unfortunately. (Thanks to Mattias Mattsson).

Full Story (comments: 38)

New vulnerabilities

clearsilver: arbitrary code execution

Package(s):	clearsilver	CVE #(s):	CVE-2011-4357
Created:	December 1, 2011	Updated:	December 23, 2011
Description:	From the Debian advisory: Leo Iannacone and Colin Watson discovered a format string vulnerability in the Python bindings for the Clearsilver HTML template system, which may lead to denial of service or the execution of arbitrary code.
Alerts:	Fedora FEDORA-2011-17040 2011-12-12 Fedora FEDORA-2011-17042 2011-12-12 Debian DSA-2355-1 2011-11-30

Comments (none posted)

colord: SQL injection

Package(s):	colord	CVE #(s):	CVE-2011-4349
Created:	December 5, 2011	Updated:	December 8, 2011
Description:	The colord daemon suffers from SQL injection vulnerabilities that could allow a local attacker to corrupt its databases or, possibly, databases belonging to other applications; see the Red Hat bugzilla entry for more information.
Alerts:	Ubuntu USN-1289-1 2011-12-07 Fedora FEDORA-2011-16451 2011-11-26 Fedora FEDORA-2011-16453 2011-11-26

Comments (none posted)

glibc: code execution

Package(s):	glibc	CVE #(s):	CVE-2009-5064
Created:	December 7, 2011	Updated:	December 7, 2011
Description:	From the Red Hat advisory: A flaw was found in the way the ldd utility identified dynamically linked libraries. If an attacker could trick a user into running ldd on a malicious binary, it could result in arbitrary code execution with the privileges of the user running ldd.
Alerts:	Scientific Linux SL-glib-20111206 2011-12-06 Red Hat RHSA-2011:1526-03 2011-12-06 Red Hat RHSA-2012:0126-01 2012-02-13 Red Hat RHSA-2012:0125-01 2012-02-13 CentOS CESA-2012:0125 2012-02-14 CentOS CESA-2012:0126 2012-02-14 Oracle ELSA-2012-0125 2012-02-14 Oracle ELSA-2012-0126 2012-02-14 Scientific Linux SL-glib-20120214 2012-02-14 Scientific Linux SL-glib-20120214 2012-02-14

Comments (none posted)

ipa: cross-site request forgery

Package(s):	ipa	CVE #(s):	CVE-2011-3636
Created:	December 7, 2011	Updated:	January 11, 2012
Description:	A CSRF vulnerability in ipa can allow an attacker to perform Red Hat identity management configuration changes with the privileges of a logged-in user.
Alerts:	Red Hat RHSA-2011:1533-04 2011-12-06 Scientific Linux SL-ipa-20111206 2011-12-06

Comments (none posted)

kernel: privilege escalation

Package(s):	linux kernel	CVE #(s):	CVE-2011-4330
Created:	December 5, 2011	Updated:	December 7, 2011
Description:	A bounds-checking error in the HFS filesystem can be exploited by a local user to crash the system or gain privileges.
Alerts:	Ubuntu USN-1312-1 2011-12-19 Ubuntu USN-1311-1 2011-12-19 Oracle ELSA-2011-2037 2011-12-15 SUSE SUSE-SU-2011:1319-2 2011-12-14 SUSE SUSE-SU-2011:1319-1 2011-12-13 Ubuntu USN-1304-1 2011-12-13 Ubuntu USN-1303-1 2011-12-13 Ubuntu USN-1302-1 2011-12-13 Ubuntu USN-1301-1 2011-12-13 Ubuntu USN-1300-1 2011-12-13 Ubuntu USN-1299-1 2011-12-13 SUSE SUSE-SA:2011:046 2011-12-13 Ubuntu USN-1293-1 2011-12-08 Ubuntu USN-1292-1 2011-12-08 Ubuntu USN-1291-1 2011-12-08 Ubuntu USN-1286-1 2011-12-03 Ubuntu USN-1322-1 2012-01-09 Red Hat RHSA-2012:0007-01 2012-01-10 CentOS CESA-2012:0007 2012-01-11 Scientific Linux SL-kern-20120112 2012-01-12 Oracle ELSA-2012-0007 2012-01-12 Ubuntu USN-1330-1 2012-01-13 Ubuntu USN-1340-1 2012-01-23 Red Hat RHSA-2012:0358-01 2012-03-06 Oracle ELSA-2012-0150 2012-03-07 SUSE SUSE-SU-2012:0736-1 2012-06-14 openSUSE openSUSE-SU-2012:0799-1 2012-06-28 openSUSE openSUSE-SU-2012:1439-1 2012-11-05

Comments (none posted)

kexec-tools: information disclosure

Package(s):	kexec-tools	CVE #(s):	CVE-2011-3588 CVE-2011-3589 CVE-2011-3590
Created:	December 7, 2011	Updated:	March 8, 2012
Description:	The kexec-tools package contains a number of information disclosure vulnerabilities exploitable by a local user.
Alerts:	Scientific Linux SL-kexe-20111206 2011-12-06 Red Hat RHSA-2011:1532-03 2011-12-06 Red Hat RHSA-2012:0152-03 2012-02-21 Scientific Linux SL-kexe-20120306 2012-03-06 Oracle ELSA-2012-0152 2012-03-07

Comments (none posted)

krb5: denial of service

Package(s):	krb5	CVE #(s):	CVE-2011-1530
Created:	December 7, 2011	Updated:	February 1, 2012
Description:	The kerberos key distribution center can be made to dereference a null pointer by an authenticated attacker, leading to a server crash.
Alerts:	CentOS CESA-2011:1790 2011-12-22 Oracle ELSA-2011-1790 2011-12-17 Fedora FEDORA-2011-16296 2011-11-23 Mandriva MDVSA-2011:184 2011-12-12 Scientific Linux SL-krb5-20111206 2011-12-06 Ubuntu USN-1290-1 2011-12-08 Red Hat RHSA-2011:1790-01 2011-12-06 Gentoo 201201-13 2012-01-23 Fedora FEDORA-2011-16284 2012-01-31

Comments (none posted)

libarchive: arbitrary code execution

Package(s):	libarchive	CVE #(s):	CVE-2011-1777 CVE-2011-1778
Created:	December 1, 2011	Updated:	February 21, 2012
Description:	From the Red Hat advisory: Two heap-based buffer overflow flaws were discovered in libarchive. If a user were tricked into expanding a specially-crafted ISO 9660 CD-ROM image or tar archive with an application using libarchive, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-1777, CVE-2011-1778)
Alerts:	Ubuntu USN-1310-1 2011-12-19 Mandriva MDVSA-2011:191 2011-12-18 Mandriva MDVSA-2011:190 2011-12-18 Scientific Linux SL-liba-20111201 2011-12-01 Oracle ELSA-2011-1507 2011-12-01 Red Hat RHSA-2011:1507-01 2011-12-01 Debian DSA-2413-1 2012-02-20

Comments (none posted)

libxml2: code execution

Package(s):	libxml2	CVE #(s):	CVE-2011-0216
Created:	December 7, 2011	Updated:	September 27, 2012
Description:	The libxml2 library contains an off-by-one error leading to a buffer overflow vulnerability exploitable via a specially-crafted XML file.
Alerts:	Mandriva MDVSA-2011:188 2011-12-15 Scientific Linux SL-libx-20111206 2011-12-06 Red Hat RHSA-2011:1749-03 2011-12-06 Red Hat RHSA-2012:0016-01 2012-01-11 Red Hat RHSA-2012:0017-01 2012-01-11 CentOS CESA-2012:0016 2012-01-11 CentOS CESA-2012:0017 2012-01-11 Oracle ELSA-2012-0016 2012-01-12 Scientific Linux SL-libx-20120111 2012-01-11 Scientific Linux SL-libx-20120112 2012-01-12 Oracle ELSA-2012-0017 2012-01-12 Ubuntu USN-1334-1 2012-01-19 Debian DSA-2394-1 2012-01-26 Oracle ELSA-2012-0324 2012-03-09 Fedora FEDORA-2012-13820 2012-09-26 Fedora FEDORA-2012-13824 2012-09-27 Red Hat RHSA-2013:0217-01 2013-01-31 CentOS CESA-2013:0217 2013-02-01 Oracle ELSA-2013-0217 2013-02-01 Scientific Linux SL-ming-20130201 2013-02-01

Comments (none posted)

mojarra: code injection

Package(s):	mojarra	CVE #(s):	CVE-2011-4358
Created:	December 7, 2011	Updated:	December 7, 2011
Description:	Mojarra (a JavaServer Faces implementation) can be made to execute untrusted values as EL expressions in some configurations.
Alerts:	Debian DSA-2359-1 2011-12-06

Comments (none posted)

nginx: remote code execution

Package(s):	nginx-1.0	CVE #(s):	CVE-2011-4315
Created:	December 5, 2011	Updated:	February 9, 2012
Description:	The DNS resolver built into nginx suffers from a buffer overflow that could enable remote code execution attacks.
Alerts:	Fedora FEDORA-2011-16110 2011-11-19 Fedora FEDORA-2011-16075 2011-11-19 SUSE SUSE-SU-2011:1300-1 2011-12-05 openSUSE openSUSE-SU-2012:0237-1 2012-02-09 Gentoo 201203-22 2012-03-28

Comments (none posted)

psi: input validation failure

Package(s):	psi	CVE #(s):	CVE-2011-3365 CVE-2011-3366
Created:	December 6, 2011	Updated:	December 7, 2011
Description:	From the Red Hat bugzilla: An input validation failure was discovered in KSSL (CVE-2011-3365) and Rekonq (CVE-2011-3366) in KDE SC 4.6.0 up to and including KDE SC 4.7.1, however upstream indicates that ealier versions of KDE SC may also be affected.
Alerts:	Fedora FEDORA-2011-16476 2011-11-27 Fedora FEDORA-2011-16488 2011-11-27

Comments (none posted)

qemu-kvm: privilege escalation

Package(s):	qemu-kvm	CVE #(s):	CVE-2011-4111
Created:	December 7, 2011	Updated:	December 22, 2011
Description:	From the Red Hat advisory: A flaw was found in the way qemu-kvm handled VSC_ATR messages when a guest was configured for a CCID (Chip/Smart Card Interface Devices) USB smart card reader in passthrough mode. An attacker able to connect to the port on the host being used for such a device could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host.
Alerts:	CentOS CESA-2011:1777 2011-12-22 CentOS CESA-2011:1801 2011-12-22 Oracle ELSA-2011-1777 2011-12-17 Red Hat RHSA-2011:1801-01 2011-12-08 Red Hat RHSA-2011:1777-01 2011-12-06 Scientific Linux SL-qemu-20111206 2011-12-06

Comments (none posted)

ruby: predictable random numbers

Package(s):	ruby	CVE #(s):	CVE-2011-3009
Created:	December 7, 2011	Updated:	January 31, 2012
Description:	The Ruby interpreter does not reinitialize the random number generator after creating a child process, leading to a situation where two processes may get the same number.
Alerts:	Scientific Linux SL-ruby-20111206 2011-12-06 Red Hat RHSA-2011:1581-03 2011-12-06 Red Hat RHSA-2012:0070-01 2012-01-30 CentOS CESA-2012:0070 2012-01-30 CentOS CESA-2012:0070 2012-01-30 Oracle ELSA-2012-0070 2012-01-31 Oracle ELSA-2012-0070 2012-01-31 Scientific Linux SL-ruby-20120130 2012-01-30 openSUSE openSUSE-SU-2012:0228-1 2012-02-09

Comments (none posted)

ruby-on-rails: multiple vulnerabilities

Package(s):	rubygem-*	CVE #(s):	CVE-2010-3933 CVE-2011-0448 CVE-2011-0449
Created:	December 7, 2011	Updated:	December 7, 2011
Description:	The Ruby on Rails package suffers from vulnerabilities enabling arbitrary modification of records via crafted form parameters (CVE-2010-3933), SQL injection (CVE-2011-0448), and access restriction bypass (CVE-2011-0449).
Alerts:	openSUSE openSUSE-SU-2011:1305-1 2011-12-07

Comments (none posted)

sos: key disclosure

Package(s):	sos	CVE #(s):	CVE-2011-4083
Created:	December 7, 2011	Updated:	January 17, 2013
Description:	From the Red Hat advisory: The sosreport utility incorrectly included Certificate-based Red Hat Network private entitlement keys in the resulting archive of debugging information. An attacker able to access the archive could use the keys to access Red Hat Network content available to the host.
Alerts:	Scientific Linux SL-sos-20111206 2011-12-06 Red Hat RHSA-2011:1536-03 2011-12-06 Red Hat RHSA-2012:0153-03 2012-02-21 Oracle ELSA-2012-0153 2012-03-07 Scientific Linux SL-sos-20120321 2012-03-21 CentOS CESA-2012:0153 2013-01-09

Comments (none posted)

torque: user impersonation

Package(s):	torque	CVE #(s):
Created:	December 5, 2011	Updated:	December 7, 2011
Description:	A user connecting to the torque "pbs_server" is able to impersonate another user in the torque batch system.
Alerts:	Fedora FEDORA-2011-16128 2011-12-04

Comments (none posted)

util-linux-ng: denial of service

Package(s):	util-linux-ng	CVE #(s):	CVE-2011-1675 CVE-2011-1677
Created:	December 7, 2011	Updated:	May 29, 2012
Description:	Vulnerabilities in the util-linux-ng package allow a local user with the ability to mount an unmount filesystems to corrupt the mtab file and leave a stale lock file around, interfering with others' ability to mount filesystems.
Alerts:	Scientific Linux SL-util-20111206 2011-12-06 Red Hat RHSA-2011:1691-03 2011-12-06 Red Hat RHSA-2012:0307-03 2012-02-21 Oracle ELSA-2012-0307 2012-03-07 Scientific Linux SL-util-20120321 2012-03-21 Mandriva MDVSA-2012:083 2012-05-29

Comments (none posted)

virt-v2v: privilege escalation

Package(s):	virt-v2v	CVE #(s):	CVE-2011-1773
Created:	December 7, 2011	Updated:	December 16, 2011
Description:	From the Red Hat advisory: Using virt-v2v to convert a guest that has a password-protected VNC console to a KVM guest removed that password protection from the converted guest: after conversion, a password was not required to access the converted guest's VNC console.
Alerts:	Scientific Linux SL-virt-20111206 2011-12-06 Red Hat RHSA-2011:1615-03 2011-12-06

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>