March 28, 2012
This article was contributed by Nathan Willis
Striking the delicate balance between usability and secure default
options has surfaced as an unexpected issue for the Apache OpenOffice (AOO)
project in the closing days of its 3.4 development cycle. An AOO developer
opened a bug
report on March 18 forecasting trouble with the office suite's new
encryption settings. The problem is that recent AOO builds switched from
Blowfish to AES as the default cipher. Since no previous release of
OpenOffice supports AES, and most other ODF-reading applications do not either (LibreOffice
added it as a feature in LO 3.5), encrypted files created with the new builds were unreadable in other programs. Complicating matters is ambiguity about how to interpret the ODF standard, how to expose new encryption options in the interface, and whether or not file encryption is implemented securely to begin with.
The ODF document format supported by AOO, LibreOffice, and other office
suites, allows users to password-encrypt any file (via the "Save with
Password" option). Up until recently, Blowfish was the default choice in
every ODF application. But, as original bug reporter Dennis Hamilton
noted, starting with revision 1293550,
AOO produces AES256 Cipher-block chaining (CBC) encrypted documents by
default — which are then unreadable by LibreOffice 3.3 and 3.4 (prior
to 3.4.5), the last stable release of OpenOffice, and by Lotus Symphony. Exacerbating matters, all three programs report that the encrypted file is malformed, rather than reporting that it uses a different encryption method.
The encryption algorithm used in a compliant ODF file is specified in
the manifest, which is an XML
file stored in the ODF ZIP-archive-based file format. Section
4.8.1 of the OpenDocument 1.2 specification defines only one value as
compliant: Blowfish, in 8-bit cipher feedback (CFB) mode. However, the
specification allows "extended" ODF 1.2 files to support other algorithms,
and mandates a W3C-standardized syntax
for identifying them. Thus, strictly speaking, the other ODF applications are failing to recognize a correctly-formatted ODF 1.2 "extended" file, which could hardly be construed as a bug in AOO.
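As an added example (not code from the article, nor from the AOO or LibreOffice projects), the Python below reads the manifest of an ODF package and reports which cipher each encrypted entry declares, so that a file an older reader rejects as "corrupt" can be identified as an AES-encrypted extended document instead. The sample manifest is constructed; its element and attribute names follow the ODF 1.2 manifest schema, and the AES name is the W3C XML Encryption identifier that AES-enabled builds write.

```python
"""Report which cipher an ODF package's manifest declares for each entry."""
import io
import xml.etree.ElementTree as ET
import zipfile

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
# The only algorithm name the baseline ODF 1.2 manifest schema defines.
BASELINE_ALGORITHMS = {"Blowfish CFB"}
# W3C XML Encryption identifier that AES-enabled OpenOffice-lineage builds write.
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"

def tag(name):
    """Qualified tag or attribute name in the ODF manifest namespace."""
    return "{%s}%s" % (MANIFEST_NS, name)

def encryption_summary(manifest_xml):
    """Return {entry path: algorithm name} for every encrypted file entry."""
    root = ET.fromstring(manifest_xml)
    summary = {}
    for entry in root.iter(tag("file-entry")):
        alg = entry.find(tag("encryption-data") + "/" + tag("algorithm"))
        if alg is not None:
            summary[entry.get(tag("full-path"))] = alg.get(tag("algorithm-name"))
    return summary

def classify(summary):
    """'plain' (nothing encrypted), 'baseline' (Blowfish CFB only) or 'extended'."""
    if not summary:
        return "plain"
    if set(summary.values()) <= BASELINE_ALGORITHMS:
        return "baseline"
    return "extended"

def diagnose_package(odf_bytes):
    """Return (label, message) naming the real reason a pre-AES reader fails."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        summary = encryption_summary(zf.read("META-INF/manifest.xml"))
    label = classify(summary)
    if label == "extended":
        # A reader that knows only Blowfish CFB cannot decrypt these entries and
        # typically reports the whole file as malformed rather than unsupported.
        names = ", ".join(sorted(set(summary.values()) - BASELINE_ALGORITHMS))
        return label, "entries use " + names + "; readers without AES support call this file corrupt"
    if label == "baseline":
        return label, "entries use Blowfish CFB; any ODF 1.2 reader can open it"
    return label, "no encrypted entries"

# Constructed sample manifest in the shape an AES-enabled build produces;
# the checksum, IV and salt values are placeholders, not real parameters.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="%s" manifest:version="1.2">
 <manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.text"/>
 <manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml" manifest:size="2048">
  <manifest:encryption-data manifest:checksum-type="%s#sha256-1k" manifest:checksum="Q0hFQ0tTVU0=">
   <manifest:algorithm manifest:algorithm-name="%s" manifest:initialisation-vector="SVZJVklWSVZJVklWSVY="/>
   <manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:key-size="32" manifest:iteration-count="1024" manifest:salt="U0FMVFNBTFRTQUxU"/>
   <manifest:start-key-generation manifest:start-key-generation-name="http://www.w3.org/2000/09/xmldsig#sha256" manifest:key-size="32"/>
  </manifest:encryption-data>
 </manifest:file-entry>
</manifest:manifest>
""" % (MANIFEST_NS, MANIFEST_NS, AES256_CBC)

def build_sample_package():
    """Build a minimal constructed ODF zip around SAMPLE_MANIFEST."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/manifest.xml", SAMPLE_MANIFEST)
        zf.writestr("content.xml", b"\x00" * 64)  # stand-in for the ciphertext
    return buf.getvalue()
```

Running `diagnose_package` on a real `.odt` saved with "Save with Password" shows the same distinction the article describes: Blowfish CFB for a baseline file, the xmlenc AES URI for an extended one.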
Defaults, standards, and the weakest link
Several AOO developers observed that AOO was not to
blame for other applications failing to understand the algorithm identifier
in the file manifest and consequently voted that the bug did not qualify as
a blocker to hold up the upcoming 3.4 release. Rob Weir, co-chair of the
ODF 1.2 specification committee, said the problem was a
security-versus-interoperability trade-off that could be handled by user
education. Users can be told about the interoperability issue and manually
select the Blowfish cipher if desired. Furthermore, Weir argued that
Blowfish needed to be replaced by AES anyway, both because it is a newer
cipher, and because it is a US government recommended standard.
Hamilton disagreed on both points. First, he said,
the AOO builds do not offer the user any way to select the
encryption algorithm: they use AES automatically. Rather than serving as a
"default" (which implies that a setting is available), the encryption
algorithm used is fixed at build time — consequently AOO appears to
produce corrupted ODF files, which will result in "a support
nightmare" if released. Second, using AES encryption instead of
Blowfish may not really
increase security, he added in a follow-up, because ODF provides message digests based on the same start key used to encrypt the file, and because ODF does not properly salt digests. That provides attackers with a much easier target than the encrypted message body, making it irrelevant which encryption cipher is used.
Furthermore, Hamilton argued
that ODF's XML contains extensive "boilerplate" text that can aid attackers
in discovering a password, regardless of the cipher used:
There are gratuitously-included known-plaintext files in every ODF package
produced by the well-known OpenOffice lineage implementations. Some of
these are relatively short and their sizes and compressed values are known
in advance. That makes these files easy to spot in an encrypted ODF
package. That makes them interesting as aids to discovery of the password
(or its digest) as well.
Not everyone agrees with his analysis, but Hamilton has submitted formal proposals for ODF 1.3 to fix the digest problems, and proposes introducing "chaff" into the known-plaintext files to further deflect attack. More immediately, however, he attached a short patch to restore Blowfish as the encryption algorithm in AOO.
Interoperability and user support
A discussion thread on the AOO development list ran in parallel to the one on the bug tracker. However, different facets of the issue cropped up on the list. There, Weir noted that LibreOffice, too, had enabled AES encryption, which should significantly increase the number of users able to decrypt AES-based files, and pointed to the lack of complaints or confusion from users of either office suite.
T.J. Frazier reiterated that the root issue was not that AES was a bad default choice, but that AOO did not present any UI for the user to select an encryption cipher. He also argued that introducing an incompatibility with older releases was a problem in and of itself. "It is *wrong* to break compatibilities as this does, without long lead-time, and opt-in possibilities, unless there exists some drastic need. That has not been shown. Improvement, yes; crucial, no." Finally, he proposed several methods of enabling knowledgeable users to manually select AES, and volunteered to do the UI work.
In response to the compatibility-breaking issue, Weir replied
that he simply did not see that the problem met the project's established
guidelines for a release-blocking
issue.
The encryption has been set to AES since 3.4 Beta, 9 months ago. I have not
seen any user complaints. LO has made the same choice. I have not seen
any user complaints there either. And now we're going to hold up the
release for this? Really?
Hamilton replied
that there had been complaints in the LibreOffice community, and observed
that the LibreOffice project had back-ported
AES support into its 3.4 release series (starting with 3.4.5) in order to
restore compatibility. It should also be noted that the problem is only
for users of the older tools trying to read password-protected files
created with the newer — reading Blowfish-encrypted files is still
supported in the new versions.
Ultimately, however, release manager Jürgen Schmidt had the final say, and he accepted the issue as critical enough to warrant reverting back to Blowfish in the AOO 3.4 release, and favored implementing a user-selectable encryption setting for the 4.0 series. As he added in a subsequent message, "most users don't care about the technical details and they will be simply confused if it won't work any more." Weir concurred with that plan, saying, "users who are smart enough to know they want AES will be smart enough to set that option."
That may be true, but of course introducing user-configurable encryption settings will be a UI challenge of its own. For its part, the LibreOffice team is also planning to institute a UI review for the next release cycle. As Michael Meeks pointed out, the changes affect document signing as well as password-encryption.
Meeks did not elaborate, but considering Hamilton's comment in the bug tracker outlining several different attacks on the encrypted files and digests, there may be no shortage of options. Some of those may require changes to the ODF format to fix completely, but all of them require a carefully-considered interface. After all, the "smart" users may be counted on to get it right more often than not, but making it difficult for the inexpert users to choose poor settings is also important. The more complexity users are presented with, the more of them are likely to simply stick with the defaults.
Brief items
I'm there in spirit, though. The title of the hearing is "TSA Oversight
Part III: Effective Security or Security Theater?"
-- Bruce Schneier gets uninvited to a US Congress hearing
ICANN will not be fixed. It cannot be fixed. It is structurally constituted
in a manner that cannot reasonably serve the broad interests of today's
global Internet community and the world community at large.
Year after year we've watched ICANN suddenly shift and sway like the
proverbial bull in the china shop, smashing past promises and
pronouncements in its wake. And now, like an out of control starship that
has lurched beyond a black hole's event horizon, it is being sucked
inexorably toward a dark chaos of greed, a maelstrom of its own creation.
-- Lauren Weinstein
My guess is that they can't. That is, they don't have a cryptanalytic
attack against the AES algorithm that allows them to recover a key from
known or chosen ciphertext with a reasonable time and memory complexity.
I believe that what the "top official" was referring to is attacks that
focus on the implementation and bypass the encryption algorithm:
side-channel attacks, attacks against the key generation systems (either
exploiting bad random number generators or sloppy password creation
habits), attacks that target the endpoints of the communication system and
not the wire, attacks that exploit key leakage, attacks against buggy
implementations of the algorithm, and so on. These attacks are likely to be
much more effective against computer encryption.
-- Bruce Schneier speculates on whether the NSA can break AES
On his blog, Kees Cook reports that the Ubuntu kernel for 12.04 has added the seccomp filters feature that uses the packet filtering machinery (BPF) to restrict access to system calls. He also notes that the feature will be added to the Chrome OS kernel soon. "
One of the questions I’ve been asked by several people while they developed policy for earlier “mode 2” seccomp implementations was “How do I figure out which syscalls my program is going to need?” To help answer this question, and to show a simple use of seccomp filter, I’ve written up a little tutorial that walks through several steps of building a seccomp filter. It includes a header file (“seccomp-bpf.h”) for implementing the filter, and a collection of other files used to assist in syscall discovery. It should be portable, so it can build even on systems that do not have seccomp available yet.
[...]
Read more in the seccomp filter tutorial."
New vulnerabilities
asterisk: code execution
| Package(s): | asterisk |
| CVE #(s): | CVE-2012-1183, CVE-2012-1184 |
| Created: | March 28, 2012 |
| Updated: | May 4, 2012 |
| Description: | The asterisk telephony system prior to version 1.8.10.1 suffers from a stack overrun in milliwatt_generate() and a buffer overflow vulnerability in ast_parse_digest(). Either could be exploited to execute arbitrary code. |
chromium: multiple vulnerabilities
| Package(s): | chromium |
| CVE #(s): | CVE-2011-3049, CVE-2011-3050, CVE-2011-3051, CVE-2011-3052, CVE-2011-3053, CVE-2011-3054, CVE-2011-3055, CVE-2011-3056, CVE-2011-3057 |
| Created: | March 26, 2012 |
| Updated: | November 7, 2012 |
| Description: |
From the CVE entries:
Google Chrome before 17.0.963.83 does not properly restrict the extension web request API, which allows remote attackers to cause a denial of service (disrupted system requests) via a crafted extension. (CVE-2011-3049)
Use-after-free vulnerability in the Cascading Style Sheets (CSS) implementation in Google Chrome before 17.0.963.83 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the :first-letter pseudo-element. (CVE-2011-3050)
Use-after-free vulnerability in the Cascading Style Sheets (CSS) implementation in Google Chrome before 17.0.963.83 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the cross-fade function. (CVE-2011-3051)
The WebGL implementation in Google Chrome before 17.0.963.83 does not properly handle CANVAS elements, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. (CVE-2011-3052)
Use-after-free vulnerability in Google Chrome before 17.0.963.83 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to block splitting. (CVE-2011-3053)
The WebUI privilege implementation in Google Chrome before 17.0.963.83 does not properly perform isolation, which allows remote attackers to bypass intended access restrictions via unspecified vectors. (CVE-2011-3054)
The browser native UI in Google Chrome before 17.0.963.83 does not require user confirmation before an unpacked extension installation, which allows user-assisted remote attackers to have an unspecified impact via a crafted extension. (CVE-2011-3055)
Google Chrome before 17.0.963.83 allows remote attackers to bypass the Same Origin Policy via vectors involving a "magic iframe." (CVE-2011-3056)
Google V8, as used in Google Chrome before 17.0.963.83, allows remote attackers to cause a denial of service via vectors that trigger an invalid read operation. (CVE-2011-3057)
expat: denial of service
| Package(s): | expat |
| CVE #(s): | CVE-2012-0876, CVE-2012-1148 |
| Created: | March 28, 2012 |
| Updated: | October 18, 2012 |
| Description: | The expat utility suffers from a memory leak and a hash table collision flaw; either could be exploited for denial-of-service purposes. |
expat: denial of service
| Package(s): | expat |
| CVE #(s): | CVE-2012-1147 |
| Created: | March 28, 2012 |
| Updated: | March 28, 2012 |
| Description: | Expat suffers from a memory leak which may be exploited in a denial-of-service attack. See this message for (a little) more detail. |
file: denial of service
| Package(s): | file |
| CVE #(s): | CVE-2012-1571 |
| Created: | March 23, 2012 |
| Updated: | September 26, 2012 |
| Description: |
From the Mandriva advisory:
Multiple out-of heap-based buffer read flaws and invalid pointer
dereference flaws were found in the way file, utility for determining
of file types processed header section for certain Composite Document
Format (CDF) files. A remote attacker could provide a specially-crafted
CDF file, which once inspected by the file utility of the victim
would lead to file executable crash.
freetype: multiple vulnerabilities
| Package(s): | freetype |
| CVE #(s): | CVE-2012-1126, CVE-2012-1127, CVE-2012-1128, CVE-2012-1129, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1135, CVE-2012-1137, CVE-2012-1138, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1143 |
| Created: | March 23, 2012 |
| Updated: | April 24, 2012 |
| Description: |
From the Ubuntu advisory:
Mateusz Jurczyk discovered that FreeType did not correctly handle certain
malformed BDF font files. If a user were tricked into using a specially crafted
font file, a remote attacker could cause FreeType to crash. (CVE-2012-1126)
Mateusz Jurczyk discovered that FreeType did not correctly handle certain
malformed BDF font files. If a user were tricked into using a specially crafted
font file, a remote attacker could cause FreeType to crash. (CVE-2012-1127)
Mateusz Jurczyk discovered that FreeType did not correctly handle certain
malformed TrueType font files. If a user were tricked into using a specially
crafted font file, a remote attacker could cause FreeType to crash.
(CVE-2012-1128)
Mateusz Jurczyk discovered that FreeType did not correctly handle certain
malformed Type42 font files. If a user were tricked into using a specially
crafted font file, a remote attacker could cause FreeType to crash.
(CVE-2012-1129)
Mateusz Jurczyk discovered that FreeType did not correctly handle certain
malformed PCF font files. If a user were tricked into using a specially crafted
font file, a remote attacker could cause FreeType to crash. (CVE-2012-1130)
Mateusz Jurczyk discovered that FreeType did not correctly handle certain
malformed TrueType font files. If a user were tricked into using a specially
crafted font file, a remote attacker could cause FreeType to crash.
(CVE-2012-1131)
Mateusz Jurczyk discovered that FreeType did not correctly handle certain
malformed Type1 font files. If a user were tricked into using a specially
crafted font file, a remote attacker could cause FreeType to crash.
(CVE-2012-1132)
Mateusz Jurczyk discovered that FreeType did not correctly handle certain
malformed TrueType font files. If a user were tricked into using a specially
crafted font file, a remote attacker could cause FreeType to crash.
(CVE-2012-1135)
Mateusz Jurczyk discovered that FreeType did not correctly handle certain
malformed BDF font files. If a user were tricked into using a specially crafted
font file, a remote attacker could cause FreeType to crash. (CVE-2012-1137)
Mateusz Jurczyk discovered that FreeType did not correctly handle certain
malformed TrueType font files. If a user were tricked into using a specially
crafted font file, a remote attacker could cause FreeType to crash.
(CVE-2012-1138)
Mateusz Jurczyk discovered that FreeType did not correctly handle certain
malformed BDF font files. If a user were tricked into using a specially crafted
font file, a remote attacker could cause FreeType to crash. (CVE-2012-1139)
Mateusz Jurczyk discovered that FreeType did not correctly handle certain
malformed PostScript font files. If a user were tricked into using a specially
crafted font file, a remote attacker could cause FreeType to crash.
(CVE-2012-1140)
Mateusz Jurczyk discovered that FreeType did not correctly handle certain
malformed BDF font files. If a user were tricked into using a specially crafted
font file, a remote attacker could cause FreeType to crash. (CVE-2012-1141)
Mateusz Jurczyk discovered that FreeType did not correctly handle certain
malformed font files. If a user were tricked into using a specially crafted
font file, a remote attacker could cause FreeType to crash. (CVE-2012-1143)
gnutls: denial of service
| Package(s): | gnutls26 |
| CVE #(s): | CVE-2012-1573 |
| Created: | March 26, 2012 |
| Updated: | March 28, 2012 |
| Description: |
From the Debian advisory:
Matthew Hall discovered that GNUTLS does not properly handle truncated
GenericBlockCipher structures nested inside TLS records, leading to
crashes in applications using the GNUTLS library.
iproute: insecure temp files
| Package(s): | iproute |
| CVE #(s): | CVE-2012-1088 |
| Created: | March 26, 2012 |
| Updated: | March 28, 2012 |
| Description: |
From the Red Hat bugzilla:
Multiple (by checking for ATM technology support, checking for Xtables
extension support, checking for setns() system call support, and in
dhcp-client-script example script) insecure temporary file use cases were found
in iproute. A local attacker could use this flaw to conduct symbolic link
attacks (modify or remove files via specially-crafted link names).
kernel: address-space layout randomization bypass
| Package(s): | kernel |
| CVE #(s): | CVE-2012-1568 |
| Created: | March 22, 2012 |
| Updated: | May 1, 2012 |
| Description: |
From the Red Hat bugzilla entry:
When running a binary with a lot of shared libraries, predictable base address
is used for one of the loaded libraries.
This flaw could be used to bypass ASLR.
libtasn1-3: denial of service
| Package(s): | libtasn1-3 |
| CVE #(s): | CVE-2012-1569 |
| Created: | March 26, 2012 |
| Updated: | September 26, 2012 |
| Description: |
From the Debian advisory:
Matthew Hall discovered that many callers of the asn1_get_length_der
function did not check the result against the overall buffer length
before processing it further. This could result in out-of-bounds
memory accesses and application crashes. Applications using GNUTLS
are exposed to this issue.
libzip: multiple vulnerabilities
| Package(s): | libzip |
| CVE #(s): | CVE-2012-1162, CVE-2012-1163 |
| Created: | March 23, 2012 |
| Updated: | March 29, 2012 |
| Description: |
From the Mandriva advisory:
libzip (version <= 0.10) uses an incorrect loop construct, which can
result in a heap overflow on corrupted zip files (CVE-2012-1162).
libzip (version <= 0.10) has a numeric overflow condition, which,
for example, results in improper restrictions of operations within
the bounds of a memory buffer (e.g., allowing information leaks)
(CVE-2012-1163).
openarena: denial of service
| Package(s): | openarena |
| CVE #(s): | CVE-2010-5077 |
| Created: | March 27, 2012 |
| Updated: | April 19, 2012 |
| Description: |
From the Debian advisory:
It has been discovered that spoofed "getstatus" UDP requests are being
sent by attackers to servers for use with games derived from the
Quake 3 engine (such as openarena). These servers respond with a
packet flood to the victim whose IP address was impersonated by the
attackers, causing a denial of service.
openssl: multiple vulnerabilities
| Package(s): | openssl |
| CVE #(s): | CVE-2012-0884, CVE-2012-1165 |
| Created: | March 26, 2012 |
| Updated: | April 23, 2012 |
| Description: |
From the openSUSE advisory:
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in
OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict
certain oracle behavior, which makes it easier for context-dependent
attackers to decrypt data via a Million Message Attack (MMA) adaptive
chosen ciphertext attack (CVE-2012-0884).
The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before
0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial
of service (NULL pointer dereference and application crash) via a
crafted S/MIME message, a different vulnerability than CVE-2006-7250
(CVE-2012-1165).
openssl: denial of service
| Package(s): | openssl |
| CVE #(s): | CVE-2006-7250 |
| Created: | March 26, 2012 |
| Updated: | March 28, 2012 |
| Description: | From the CVE entry: The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message. |
osc: code execution
| Package(s): | osc |
| CVE #(s): | CVE-2012-1095 |
| Created: | March 22, 2012 |
| Updated: | March 28, 2012 |
| Description: |
From the Red Hat bugzilla entry:
A security flaw was found in the way osc, the Python language based command
line client for the openSUSE build service, displayed build logs and build
status for particular build. A rogue repository server could use this flaw to
modify window's title, or possibly execute arbitrary commands or overwrite
files via a specially-crafted build log or build status output containing an
escape sequence for a terminal emulator.
php5: multiple vulnerabilities
| Package(s): | PHP5 |
| CVE #(s): | CVE-2012-0781, CVE-2012-0789, CVE-2012-0807 |
| Created: | March 26, 2012 |
| Updated: | July 2, 2012 |
| Description: |
From the CVE entries:
The tidy_diagnose function in PHP 5.3.8 might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted input to an application that attempts to perform Tidy::diagnose operations on invalid objects, a different vulnerability than CVE-2011-4153. (CVE-2012-0781)
Memory leak in the timezone functionality in PHP before 5.3.9 allows remote attackers to cause a denial of service (memory consumption) by triggering many strtotime function calls, which are not properly handled by the php_date_parse_tzfile cache. (CVE-2012-0789)
Stack-based buffer overflow in the suhosin_encrypt_single_cookie function in the transparent cookie-encryption feature in the Suhosin extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled, might allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header. (CVE-2012-0807)
raptor: information disclosure
| Package(s): | raptor |
| CVE #(s): | CVE-2012-0037 |
| Created: | March 22, 2012 |
| Updated: | July 31, 2012 |
| Description: |
From the Debian advisory:
It was discovered that Raptor, a RDF parser and serializer library,
allows file inclusion through XML entities, resulting in information
disclosure.
wireshark: multiple vulnerabilities
| Package(s): | wireshark |
| CVE #(s): | |
| Created: | March 28, 2012 |
| Updated: | March 28, 2012 |
| Description: | Wireshark prior to version 1.6.6 suffers from vulnerabilities in the ANSI A, 802.11, and MP2T dissectors, along with one in the pcap and pcap-ng file parsers. At least some of them look exploitable to run arbitrary code. |
Page editor: Jake Edge