LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

GNUnet adds VPN, direct wireless peering, and more

December 21, 2011

This article was contributed by Nathan Willis

The GNU project released version 0.9.0 of its GNUnet peer-to-peer (P2P) networking framework in late November. GNUnet allows users to create secure, decentralized P2P networks, akin to the technique used by Gnutella, in which every node is a peer with no central server coordinating the network. But GNUnet puts its emphasis on secure communication links and anonymity: when used for file-sharing, the files a user uploads to the network cannot be traced to their origin, and no one can monitor download activity. Version 0.9.0 breaks network compatibility with previous releases, but it also adds several architectural improvements, and is the first release to officially support an application other than file sharing.

The birds-eye view of GNUnet makes it sound like yet another Napster clone, because the most easily understood use of P2P networks is sharing files — which many assume focuses on copyright-infringing media files. But GNUnet is more general; the project is interested in providing a secure network for people combating censorship or simply wishing to secure their own network traffic against prying eyes. Although sharing files is one use of a decentralized network, it is not the end goal.

Privacy and anonymity are baked into the framework. Peers are identified solely by the SHA-512 hash of a public key; there is no mechanism to further identify anyone on the network — no usernames, or network-wide view of who is connected. Each peer keeps track of its connections to its neighbors, but the connection data is transient and regularly expires. Furthermore, when neighbors exchange messages, they use a mutually-authenticated, encrypted link (a separate link for each peer-to-peer pair). As long as a peer is being a good citizen and is helping to route traffic for the rest of the network, to any eavesdroppers the traffic that originates from the peer is hard to distinguish from traffic being routed between other hosts.

In GNUnet's file-sharing application module, files uploaded by users are encoded using an encryption scheme called Encoding for Censorship-Resistant Sharing (ECRS). ECRS is independent from the link-level encryption, and splits file contents up into blocks that are distributed between the peers. This serves two purposes: fault-tolerance, and enabling faster transfers with Bittorrent-like multi-downloads. Whenever a file is uploaded, special "keyword" blocks associate its contents with potential search terms (which GNUnet refers to as "namespaces"). A distributed hash table keeps track of the namespaces and the files associated with them, so that users can search for files. On the down side, this setup means that all searches are probabilistic — there is no guarantee that a search query will turn up every chunk of the file you search for when you search for it.

On the other hand, the GNUnet client software does not need to connect to the global network of all GNUnet users; it can also run in "Friend-to-Friend" mode to create a private network. In this mode, files uploaded are distributed and replicated in chunks only among the "friends," so the participants can speed up file transfers and enjoy a degree of fault-tolerance, all with a far better probability of finding the files they need available than they might in the global, distributed GNUnet network.

Meet 0.9.0

You can download GNUnet 0.9.0 from the GNU FTP site. There are separate source packages for the command-line GNUnet core and for the GTK+ GUI. As is generally the case with official GNU projects, the software is tested on Linux-based systems as well as FreeBSD, Mac OS X, and Windows — although one of the new features appears to work only on Linux. The configuration documentation is admirably thorough and is already update-to-date for 0.9.0. GNUnet depends on several other GNU projects, and this release requires some recent versions of some dependencies, so a quick check of the list is recommended. There are generic installation instructions as well, although the Autotools-based process is nothing out of the ordinary.

The file-sharing module found in earlier releases is still provided, but version 0.9.0 is the first to provide another module: a virtual private network (VPN). The VPN module creates a virtual network interface on the client (named vpn-gnunet on Linux boxes), which the user can then use to route IP traffic over GNUnet. This traffic is encrypted between every pair of nodes and is anonymous, much like a Tor tunnel, and like Tor it requires that at least some peers act as "exit" nodes.

GNUnet 0.9.0 introduces protocol changes that make it incompatible with 0.8.0 and earlier releases; in the release notes the project admits that this is inconvenient, but said that "productive development and readable code were considered more important." The protocol changes include a simplified peer-discovery message format (known as a "HELLO") and moving several of the required services (such as identity management and peer discovery) from separate plug-ins into a "core" module.

A bigger architectural change in this release is a move to a multi-process model, with separate processes running data storage, peer messaging, and other services, along with a lightweight supervisor process (called the automatic restart manager or "ARM") overseeing all of the others. This removes the need to juggle mutexes and locks between a potentially large number of threads — which made earlier releases difficult to maintain — but it also opens the door to contributors writing GNUnet applications in languages other than C and C++. Last but by no means least, it should also make testing and debugging simpler.

The new VPN system can actually do more than route basic IP traffic through GNUnet. It includes a DNS resolver configured to route the .gnunet pseudo-TLD to GNUnet, so it is possible to run GNUnet-only services by binding them to the GNUnet VPN virtual interface. The VPN module can also translate between IPv4 and IPv6 traffic, which makes it possible to use GNUnet to access IPv6 sites or applications from IPv4-only computers, and vice-versa. The project has a page of screencasts showcasing this feature; they use wget to fetch various sites over the VPN connection using several combinations of IPv4 and IPv6 networking.

GNUnet's closest competitor in terms of features is probably Freenet, which also provides a decentralized, anonymous P2P network with encrypted traffic and storage. Like GNUnet, Freenet can function as a transport layer for applications beyond file-sharing, and already has several example applications in the wild. GNUnet points out a few differences between the frameworks on its site, the most notable of which is that GNUnet is capable of using any number of transport protocols. The list includes familiar application- and transport-layer options like TCP, UDP, HTTP, and HTTPS, but also the link-layer itself — starting with 0.9.0, GNUnet peers can talk to each other directly with 802.11 wireless LAN hardware, without going through an access point.

The direct-over-WLAN code requires Linux (at least for the moment), and a supported WiFi card. It uses packet injection to exchange messages with other GNUnet WLAN peers, which requires a helper binary running with root privileges, but the technique allows the machine to remain connected to an access point at the same time. Currently the data rate is limited to around 1Mbps.

0.9.0 also improves GNUnet's peer discovery in some interesting ways. Users can bootstrap their connection to the wider GNUnet world by loading a list of hosts, but, starting with this release, GNUnet peers can also discover each other on the LAN with IPv4 broadcast messages and IPv6 multicast. Peers can also automatically traverse NAT using a variety of methods (including using Universal Plug and Play (UPnP) and ICMP hole punching).

Finally, the project has made an effort to make this release more user-friendly to set up. As the cornucopia of protocols suggests, GNUnet is known for its flexibility, but that is not always simple to navigate. In addition to the connectivity settings, GNUnet can use MySQL, PostgreSQL, or SQLite for storage (both the long-term storage the user contributes to the distributed storage pool, and for the temporary data GNUnet keeps track of during a running session). The setup tool now automatically tests the network and database settings selected by the user and alerts if they do not work.

Applications and all that

On the surface, GNUnet's new functionality makes it more and more like Tor — namely through the availability of separate, anonymous in-network services. Practically speaking, GNUnet still lags behind both Tor and Freenet in terms of what is actually offered to end users; the other networks already support more applications. But GNUnet is making progress; in addition to the VPN code that debuted in 0.9.0, the developers have recently revived the dormant P2P chat application.

At the technical level, GNUnet's main advantage over these other networks is the flexibility it offers in transport protocols — in the past, there were even more options, including a module to route traffic over SMTP (on the grounds that SMTP is rarely blocked by firewalls). Hopefully as the number of applications increases, we will see more and more uses for this flexible transport framework. Routing around censorship is one of the most important uses of this class of project, and the less flexible options — like Tor — are already beginning to be blocked in the wild.

Comments (3 posted)

Brief items

Security quotes of the week

Biometrics will finally replace the password and thus redefine the word "hack." Jokes aside, IBM believes multifactor biometrics will become pervasive. "Biometric data-facial definitions, retinal scans, and voice files-will be composited through software to build your DNA-unique online password."

[...]

"In five years, unsolicited advertisements may feel so personalized and relevant it may seem that spam is dead. At the same time, spam filters will be so precise you'll never be bothered by unwanted sales pitches again"

-- IBM predicts the future

Before we fully release Whisper Systems' code to the public in the coming months, we need to make sure it meets legal requirements and is consumable by the open source community. The plan is to open source the code in an iterative fashion, starting today with TextSecure, which provides support for encrypted texts on Android devices. We hope individuals will continue to find it useful and build upon it. If you have any questions or suggestions, please use the Whisper Systems mailing list.
-- Twitter announces its plans for the newly acquired Whisper Systems' code

[Konrad] Fellmann isn't surprised, based on his experience with retailers. Weak passwords, such as "password," are one of the most common things he discovers during POS [point-of-sale] penetration testing, he said. "Some people, you tell them what's required, and they'd rather not do it. They had the tools, and could have easily blocked [the attack]. If they were using a validated POS application, the vendor should provide an implementation plan, which would have included making sure you have a firewall in place." But, he said, "these people weren't thinking about point of sale security—they were just thinking about making a sandwich."
-- ars technica reports on attacks against Subway customers' credit cards

Comments (1 posted)

Twitter releases TextSecure

Whisper Systems, just acquired by Twitter, has announced that it has released TextSecure - an encrypted messaging client for Android - under GPLv3; the source is available on Github. "We've always been interested in the ability for individuals and organizations to communicate freely and securely. In the year and a half since Whisper Systems launched TextSecure, we've received an enormous amount of thanks, feedback, and encouraging stories from users who have employed TextSecure towards those ends. We hope that as an open source project, TextSecure will be able to reach even more people, with an even larger number of contributors working to make it a great product."

Comments (16 posted)

New vulnerabilities

abrt: information disclosure

Package(s):abrt CVE #(s):CVE-2011-4088
Created:December 19, 2011 Updated:July 10, 2012
Description: From the Red Hat bugzilla:

Jan Iven reported that abrt could possibly leak certain non-public information when reporting on crashes. If an application included a user name, password, or other confidential information in the crash output, abrt would send that information along with the other information it collects about the crash, to bugzilla.

While the real problem is the application including this information in the crash output, abrt should not be submitting this information or should warn the user that it may be submitting potentially sensitive information and allow the user to scrub that information before it is sent.

Alerts:
Fedora FEDORA-2011-16990 2011-12-11
Fedora FEDORA-2011-16990 2011-12-11
Red Hat RHSA-2012:0841-04 2012-06-20
Scientific Linux SL-abrt-20120709 2012-07-09
CentOS CESA-2012:0841 2012-07-10

Comments (none posted)

asterisk: multiple vulnerabilities

Package(s):asterisk CVE #(s):CVE-2011-4597 CVE-2011-4598
Created:December 19, 2011 Updated:December 21, 2011
Description: From the Debian advisory:

CVE-2011-4597: Ben Williams discovered that it was possible to enumerate SIP user names in some configurations.

CVE-2011-4598: Kristijan Vrban discovered that Asterisk can be crashed with malformed SIP packets if the "automon" feature is enabled.

Alerts:
Debian DSA-2367-1 2011-12-19
Fedora FEDORA-2012-4259 2012-03-31

Comments (none posted)

bzip2: insecure tmp file creation

Package(s):bzip2 CVE #(s):CVE-2011-4089
Created:December 15, 2011 Updated:December 21, 2011
Description:

From the Ubuntu advisory:

vladz discovered that executables compressed by bzexe insecurely create temporary files when they are ran. A local attacker could exploit this issue to execute arbitrary code as the user running a compressed executable.

Alerts:
Ubuntu USN-1308-1 2011-12-14

Comments (none posted)

dtc: multiple vulnerabilities

Package(s):dtc CVE #(s):CVE-2011-3195 CVE-2011-3196 CVE-2011-3197 CVE-2011-3198 CVE-2011-3199
Created:December 19, 2011 Updated:December 21, 2011
Description: From the Debian advisory:

Ansgar Burchardt, Mike O'Connor and Philipp Kern discovered multiple vulnerabilities in DTC, a web control panel for admin and accounting hosting services:

CVE-2011-3195: A possible shell insertion has been found in the mailing list handling.

CVE-2011-3196: Unix rights for the apache2.conf were set incorrectly (world readable).

CVE-2011-3197: Incorrect input sanitising for the $_SERVER["addrlink"] parameter could lead to SQL insertion.

CVE-2011-3198: DTC was using the -b option of htpasswd, possibly revealing password in clear text using ps or reading /proc.

CVE-2011-3199: A possible HTML/javascript insertion vulnerability has been found in the DNS & MX section of the user panel.

Alerts:
Debian DSA-2365-1 2011-12-18

Comments (none posted)

ejabberd: denial of service

Package(s):ejabberd CVE #(s):CVE-2011-4320
Created:December 19, 2011 Updated:December 21, 2011
Description: From the Red Hat bugzilla:

A denial of service flaw was found in the way PubSub extension of the ejabberd, a distributed, fault-tolerant Jabber/XMPP server, performed processing of certain, malformed <publish/> stanzas. A remote attacker, authenticated Jabber user, could send a specially-crafted request to Jabber server, leading to the jabberd daemon to enter an infinite loop and consume excessive amount of CPU, while processing the stanza.

Alerts:
Fedora FEDORA-2011-16282 2011-11-23
Fedora FEDORA-2011-16281 2011-11-23
Gentoo 201206-10 2012-06-21

Comments (none posted)

libxml2: denial of service

Package(s):libxml2 CVE #(s):CVE-2011-3905
Created:December 15, 2011 Updated:September 26, 2012
Description:

From the Mandriva advisory:

libxml2 allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors (CVE-2011-3905).

Alerts:
Mandriva MDVSA-2011:188 2011-12-15
Red Hat RHSA-2012:0018-01 2012-01-11
Red Hat RHSA-2012:0016-01 2012-01-11
Red Hat RHSA-2012:0017-01 2012-01-11
CentOS CESA-2012:0016 2012-01-11
CentOS CESA-2012:0017 2012-01-11
CentOS CESA-2012:0018 2012-01-11
Oracle ELSA-2012-0016 2012-01-12
Oracle ELSA-2012-0018 2012-01-12
Scientific Linux SL-libx-20120111 2012-01-11
Scientific Linux SL-libx-20120112 2012-01-12
Scientific Linux SL-libx-20120111 2012-01-11
Oracle ELSA-2012-0017 2012-01-12
Ubuntu USN-1334-1 2012-01-19
Debian DSA-2394-1 2012-01-26
Oracle ELSA-2012-0324 2012-03-09
Oracle ELSA-2012-1288 2012-09-18
Fedora FEDORA-2012-13820 2012-09-26
Fedora FEDORA-2012-13824 2012-09-27
Red Hat RHSA-2013:0217-01 2013-01-31
CentOS CESA-2013:0217 2013-02-01
Oracle ELSA-2013-0217 2013-02-01
Scientific Linux SL-ming-20130201 2013-02-01

Comments (none posted)

lighttpd: denial of service and MITM vulnerabilities

Package(s):lighttpd CVE #(s):CVE-2011-4362 CVE-2011-3389
Created:December 21, 2011 Updated:September 10, 2012
Description: A signedness issue in the lighttpd base64 decoding routine can lead to an out-of-bounds read and a denial-of-service opportunity (CVE-2011-4362). Lighttpd can also be vulnerable to the SSL "BEAST" attack in certain configurations, enabling a possible man-in-the-middle attack (CVE-2011-3389).
Alerts:
Fedora FEDORA-2011-17400 2011-12-23
Fedora FEDORA-2011-17400 2011-12-23
Debian DSA-2368-1 2011-12-20
Fedora FEDORA-2011-17400 2011-12-23
Fedora FEDORA-2011-17400 2011-12-23
Fedora FEDORA-2011-17400 2011-12-23
openSUSE openSUSE-SU-2012:0030-1 2012-01-05
Debian DSA-2398-1 2012-01-30
openSUSE openSUSE-SU-2012:0240-1 2012-02-09
Gentoo 201203-02 2012-03-05
SUSE SUSE-SU-2012:0114-2 2012-03-06
Debian DSA-2398-2 2012-03-31
Mandriva MDVSA-2012:058 2012-04-13
Red Hat RHSA-2012:0508-01 2012-04-23
Fedora FEDORA-2012-9040 2012-06-26
Fedora FEDORA-2012-9078 2012-06-26
Mageia MGASA-2012-0259 2012-09-07
Gentoo 201301-01 2013-01-07

Comments (none posted)

mediawiki: multiple vulnerabilities

Package(s):mediawiki CVE #(s):CVE-2011-1587 CVE-2011-4360 CVE-2011-4361
Created:December 19, 2011 Updated:December 21, 2011
Description: From the Debian advisory:

CVE-2011-1587: Masato Kinugawa discovered a cross-site scripting (XSS) issue, which affects Internet Explorer clients only, and only version 6 and earlier. Web server configuration changes are required to fix this issue. Upgrading MediaWiki will only be sufficient for people who use Apache with AllowOverride enabled.

CVE-2011-4360: Alexandre Emsenhuber discovered an issue where page titles on private wikis could be exposed bypassing different page ids to index.php. In the case of the user not having correct permissions, they will now be redirected to Special:BadTitle.

CVE-2011-4361: Tim Starling discovered that action=ajax requests were dispatched to the relevant function without any read permission checks being done. This could have led to data leakage on private wikis.

Alerts:
Debian DSA-2366-1 2011-12-18

Comments (none posted)

namazu: cross-site scripting

Package(s):namazu CVE #(s):CVE-2011-4345
Created:December 15, 2011 Updated:December 21, 2011
Description:

From the openSUSE advisory:

namazu: XSS flaw by processing HTTP cookies (CVE-2011-4345)

Alerts:
openSUSE openSUSE-SU-2011:1327-1 2011-12-15

Comments (none posted)

perl-PAR: insecure temporary file handling

Package(s):perl-PAR perl-PAR-Packer CVE #(s):CVE-2011-4114
Created:December 21, 2011 Updated:December 21, 2011
Description: From the Red Hat bugzilla entry: It was reported that PAR::Packer's par_mktmpdir() function would create /tmp/par-[username] directories insecurely, which could allow a local attacker to make changes to the cache directory and possibly the PAR-packged program. PAR::Packer does not verify that the user owns the directory, nor does it create it with secure permissions.
Alerts:
Fedora FEDORA-2011-16856 2011-12-10
Fedora FEDORA-2011-16859 2011-12-10
Fedora FEDORA-2011-16856 2011-12-10
Fedora FEDORA-2011-16859 2011-12-10

Comments (none posted)

phpMyAdmin: cross-site scripting

Package(s):phpMyAdmin CVE #(s):CVE-2011-4634
Created:December 19, 2011 Updated:January 2, 2012
Description: From the Red Hat advisory:

Using crafted database names, it was possible to produce XSS in the Database Synchronize and Database rename panels. Using an invalid and crafted SQL query, it was possible to produce XSS when editing a query on a table overview panel or when using the view creation dialog. Using a crafted column type, it was possible to produce XSS in the table search and create index dialogs.

Only phpMyAdmin 3.4.x is affected by this vulnerability.

Alerts:
Fedora FEDORA-2011-16786 2011-12-04
Fedora FEDORA-2011-16768 2011-12-04
Mandriva MDVSA-2011:198 2011-12-31
Gentoo 201201-01 2012-01-04

Comments (none posted)

pidgin: multiple vulnerabilities

Package(s):pidgin CVE #(s):CVE-2011-4602 CVE-2011-4603
Created:December 15, 2011 Updated:January 9, 2012
Description:

From the Red Hat advisory:

An input sanitization flaw was found in the way the Pidgin SILC (Secure Internet Live Conferencing) protocol plug-in escaped certain UTF-8 characters in channel messages. A remote attacker could use this flaw to crash Pidgin via a specially-crafted SILC message. (CVE-2011-4603)

Multiple NULL pointer dereference flaws were found in the Jingle extension of the Extensible Messaging and Presence Protocol (XMPP) protocol plug-in in Pidgin. A remote attacker could use these flaws to crash Pidgin via a specially-crafted Jingle multimedia message. (CVE-2011-4602)

Alerts:
CentOS CESA-2011:1821 2011-12-22
Oracle ELSA-2011-1821 2011-12-17
Scientific Linux SL-pidg-20111214 2011-12-14
Scientific Linux SL-pidg-20111214 2011-12-14
Oracle ELSA-2011-1820 2011-12-14
CentOS CESA-2011:1820 2011-12-14
CentOS CESA-2011:1820 2011-12-14
Red Hat RHSA-2011:1821-01 2011-12-14
Red Hat RHSA-2011:1820-01 2011-12-14
Fedora FEDORA-2011-17558 2011-12-30
Fedora FEDORA-2011-17546 2011-12-30
openSUSE openSUSE-SU-2012:0066-1 2012-01-09
Ubuntu USN-1500-1 2012-07-09

Comments (none posted)

susestudio, kiwi: multiple vulnerabilities

Package(s):SUSE Studio Onsite 1.2 and kiwi CVE #(s):CVE-2011-3180 CVE-2011-4192 CVE-2011-4193 CVE-2011-4195
Created:December 15, 2011 Updated:December 21, 2011
Description:

From the SUSE advisory:

  • CVE-2011-3180: The path of overlay files was not escaped which allowed shell meta character injection via the chown(1) command-line. (kiwi)
  • CVE-2011-4195: The image name was not escaped properly and can be used in conjunction with other applications to execute arbitrary shell commands. (kiwi)
  • CVE-2011-4193: XSS vulnerability in "overlay files" tab can be used to execute arbitrary JavaScript code while cloning an appliance from an untrusted source.
  • CVE-2011-4192: Arbitrary shell command injection in conjunction with Studio by using double quotes in kiwi_oemtitle of .profile. (kiwi)
Alerts:
SUSE SUSE-SU-2011:1324-1 2011-12-15

Comments (none posted)

tor: arbitrary code execution

Package(s):tor CVE #(s):CVE-2011-2778
Created:December 16, 2011 Updated:January 11, 2012
Description: From the Debian advisory:

It was discovered that Tor, an online privacy tool, incorrectly computes buffer sizes in certain cases involving SOCKS connections. Malicious parties could use this to cause a heap-based buffer overflow, potentially allowing execution of arbitrary code.

In Tor's default configuration this issue can only be triggered by clients that can connect to Tor's socks port, which listens only on localhost by default.

In non-default configurations where Tor's SocksPort listens not only on localhost or where Tor was configured to use another socks server for all of its outgoing connections, Tor is vulnerable to a larger set of malicious parties.

Alerts:
Debian DSA-2363-1 2011-12-16
Fedora FEDORA-2011-17248 2012-01-10
Gentoo 201201-12 2012-01-23

Comments (none posted)

xorg: restriction bypass

Package(s):xorg CVE #(s):CVE-2011-4613
Created:December 19, 2011 Updated:January 26, 2012
Description: From the Debian advisory:

The Debian X wrapper enforces that the X server can only be started from a console. "vladz" discovered that this wrapper could be bypassed.

Alerts:
Debian DSA-2364-1 2011-12-18
Ubuntu USN-1349-1 2012-01-26

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds