By Jake Edge
June 13, 2012
For all their faults, passwords are the dominant means of authentication used by computers and applications today. That makes it a little disconcerting to see reports of various longstanding bugs in password handling recently. Obviously it's good that they are being fixed, but it does make one wonder how much testing we are doing of this critical link in authentication.
Most of the recent password problems (e.g. the multi-package Crypt-DES vulnerability) don't rise to the level of the MySQL/MariaDB flaw reported on June 9, however. Due to an incorrect cast of the return value from memcmp(), the wrong password will be accepted for an existing account with a probability of 1/256. That means that with a fairly small number of tries, an attacker can gain access to a MySQL database server if they know a valid account name (and "root" almost always exists).
While the problem is serious, it is not as bad as it might at first appear. First, it only affects MySQL and MariaDB packages that have been built in a certain way, specifically with GCC using the SSE (Streaming SIMD Extensions) optimization. In that case, memcmp() can return values outside the range of a signed character (-128 to 127), and the MySQL code will sometimes treat such a value as a password match even when it isn't. The return value from memcmp() is cast to a char, which keeps only its low-order byte; if that byte is zero (which happens 1/256 of the time), the comparison is seen as a match. While it is the SSE optimization that exposes the flaw, assuming that memcmp() will always return values in that range is clearly a bug.
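The truncation described above, as an added illustration that is not MySQL's own code: a char-returning check in the shape of the vulnerable one beside the fixed form, plus a small fuzz-style count over possible memcmp() results that shows the 1/256 false-match rate. The function names and the my_bool typedef are assumptions for this example, and the memcmp() results are injected rather than produced by a real SSE-optimized memcmp().

```c
#include <stdio.h>

/* Constructed example, not MySQL's source. MySQL's my_bool is a plain
 * char; the function names below are assumptions for illustration. */
typedef char my_bool;

/* Vulnerable shape: the int from memcmp() is returned through a char,
 * so any non-zero result that is a multiple of 256 truncates to 0,
 * which the caller reads as "hashes are equal". */
static my_bool check_scramble_vuln(int memcmp_result)
{
    return memcmp_result;           /* implicit int -> char truncation */
}

/* Fixed shape: collapse memcmp() to 0/1 before it is narrowed. */
static my_bool check_scramble_fixed(int memcmp_result)
{
    return memcmp_result != 0;
}

/* Minimal fuzz of the result space: how many non-zero memcmp() results
 * in [lo, hi] would a given check report as a match (return 0)? */
static long count_false_matches(int lo, int hi, my_bool (*check)(int))
{
    long accepted = 0;
    for (int r = lo; r <= hi; r++) {
        if (r != 0 && check(r) == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    /* Constructed sample memcmp() results, in and out of the char range. */
    int samples[] = { 0, 1, -1, 127, 128, 255, 256, -256, 512 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = samples[i];
        printf("memcmp()=%5d  vuln:%s  fixed:%s\n", r,
               check_scramble_vuln(r) == 0 ? "MATCH   " : "mismatch",
               check_scramble_fixed(r) == 0 ? "MATCH   " : "mismatch");
    }
    printf("false matches for results 1..65535: vuln=%ld fixed=%ld\n",
           count_false_matches(1, 65535, check_scramble_vuln),
           count_false_matches(1, 65535, check_scramble_fixed));
    return 0;
}
```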
Based on the report and an analysis by HD Moore, it would seem that it is only some Linux distributions that are affected. The official builds from the projects are not vulnerable, and only certain (mostly 64-bit) distributions are vulnerable (Ubuntu, openSUSE, Debian unstable, Fedora, and Arch Linux, according to Moore).
Any affected MySQL server is locally exploitable, but the server must be listening on an external interface for it to be remotely exploitable. Moore did a survey of exposed servers to try to determine the impact of the problem. Without actually trying to log in, it is difficult to get a full accounting, but it is clear that there are at least tens of thousands of affected systems out there listening on the internet.
Sergei Golubchik discovered the bug in MariaDB on April 4 and reported it to MySQL on April 6. It was fixed in MariaDB on April 4, and MySQL followed suit right after the report.
Oracle released a MySQL update as part of its April critical patch update, but makes no mention of the problem (it does list six other CVEs addressed), so either it was silently fixed or is not present there. The release notes for MySQL 5.5.24 and 5.1.63 do mention a security fix for bug 64884, but the bug was presumably still private at that point. MariaDB released several versions on April 6 with the fix as shown in its bug report.
Given that the code was fixed in various public repositories and released much earlier, it is unclear why the details were withheld until recently. Also, it would seem that the Linux distributions—those most affected by the bug—did not release updates in the interim. As of this writing, only Ubuntu has released a security update for the problem. That's a little puzzling as Red Hat was clearly aware of the problem and requested a CVE on April 20, though RHEL is believed to be unaffected. Fedora and other distribution updates seem like they should be coming soon.
While the PostgreSQL/PHP/BSD Crypt-DES flaw only affected users who chose to use a particular authentication scheme, this MySQL flaw is more wide-ranging. In both cases, though, some amount of password fuzz testing would have spotted the problems in short order. It would seem that kind of testing isn't being done with any frequency in some of our communities, which could lead to rather serious bugs that aren't detected for long periods of time.
One guesses that "everyone" thinks the password handling code has been shaken out since it is such an important part of the authentication path, but these bugs show that isn't always the case. This problem has existed in MySQL going back to at least 5.1 (which was released in beta in 2005), and the Crypt-DES flaw goes back further than that. It is certainly not just database systems that are affected by these kinds of flaws; one hopes that other applications and systems that use passwords are either already fuzz testing or will be doing so soon.
Comments (10 posted)
Brief items
If the UN/ITU do for the Internet what the UN has done for world peace
and prosperity, we might as well go back to tin cans and string.
--
Lauren Weinstein
Teach yourself and your students to cheat. We’ve always been taught to
color inside the lines, stick to the rules, and never, ever, cheat. In
seeking cyber security, we must drop that mindset. It is difficult to
defeat a creative and determined adversary who must find only a single flaw
among myriad defensive measures to be successful. We must not tie our
hands, and our intellects, at the same time. If we truly wish to create the
best possible information security professionals, being able to think like
an adversary is an essential skill. Cheating exercises provide long term
remembrance, teach students how to effectively evaluate a system, and
motivate them to think imaginatively. Cheating will challenge students’
assumptions about security and the trust models they envision. Some will
find the process uncomfortable. That is OK and by design.
--
Gregory Conti and James Caroland [PDF] in Embracing the Kobayashi Maru: Why You Should Teach Your Students to Cheat
As much as I love revelation, it is unacceptable to be using in its current
form. Anyone using or distributing it should consider it as effectively
compromised until it is fixed.
--
Kieran Clancy on the Revelation password manager
Comments (6 posted)
Over at Technology Review, Cory Doctorow argues that browser-makers can reclaim user privacy by snuffing out cookie-based tracking. When advertisers say the idea can't work, he says, consider that the same tactic successfully stamped out pop-ups. "When Mozilla's Firefox turned on pop-up blocking by default, it began to be wildly successful. The other browser vendors had no choice but to follow suit. Today, pop-ups are all but gone."
Comments (77 posted)
New vulnerabilities
asterisk: denial of service
Package(s): asterisk
CVE #(s): CVE-2012-2947
Created: June 11, 2012
Updated: June 18, 2012
Description: From the CVE entry:
chan_iax2.c in the IAX2 channel driver in Certified Asterisk 1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x before 10.4.1, when a certain mohinterpret setting is enabled, allows remote attackers to cause a denial of service (daemon crash) by placing a call on hold.
Comments (none posted)
asterisk: denial of service
Package(s): asterisk
CVE #(s): CVE-2012-2948
Created: June 13, 2012
Updated: June 13, 2012
Description: From the CVE entry:
chan_skinny.c in the Skinny (aka SCCP) channel driver in Certified Asterisk 1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x before 10.4.1 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode.
Comments (none posted)
flash-player: multiple vulnerabilities
Comments (none posted)
FlightGear: multiple vulnerabilities
Package(s): FlightGear
CVE #(s): CVE-2012-2090, CVE-2012-2091
Created: June 11, 2012
Updated: August 3, 2012
Description: From the Red Hat bugzilla: [1], [2]:
[1] Multiple format string flaws were reported in the way Flight Gear, the flight simulator, and SimGear, a simulation library, performed retrieval of various data chunk values from XML aircraft (FlightGear) or scene graph (SimGear) model data files. A remote attacker could provide a specially-crafted XML model file, which once opened by a local, unsuspecting user in FlightGear / in an application linked against SimGear, would lead to a crash of that particular executable.
[2] A potential out-of-bounds stack-based buffer write flaw was reported in the way Flight Gear, the flight simulator, retrieved the rotor name for certain rotor models. A remote attacker could provide a specially-crafted rotor model XML data file, which once opened by a local, unsuspecting user in FlightGear would lead to an 'fgfs' executable crash.
Comments (none posted)
groff: multiple vulnerabilities
Package(s): groff
CVE #(s): CVE-2009-5080, CVE-2009-5081
Created: June 8, 2012
Updated: June 13, 2012
Description: From the Fedora advisory:
older security fixes:
- CVE-2009-5080: improper handling of failed attempts to create temporary directories in eqn2graph/pic2graph/grap2graph
- CVE-2009-5081: roff2.pl and groffer.pl use easy-to-guess temporary file names
Comments (none posted)
hostapd: insecure default permissions
Package(s): hostapd
CVE #(s): CVE-2012-2389
Created: June 8, 2012
Updated: June 19, 2012
Description: From the Fedora advisory:
Tighten-up default permissions for hostapd.conf (CVE-2012-2389)
References:
[ 1 ] Bug #826109 - CVE-2012-2389 hostapd: insecure default permissions on /etc/hostapd/hostapd.conf [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=826109
Comments (none posted)
java: multiple vulnerabilities
Package(s): java-1.6.0-openjdk
CVE #(s): CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725
Created: June 13, 2012
Updated: September 28, 2012
Description: From the Red Hat advisory:
Multiple flaws were discovered in the CORBA (Common Object Request Broker
Architecture) implementation in Java. A malicious Java application or
applet could use these flaws to bypass Java sandbox restrictions or modify
immutable object data. (CVE-2012-1711, CVE-2012-1719)
It was discovered that the SynthLookAndFeel class from Swing did not
properly prevent access to certain UI elements from outside the current
application context. A malicious Java application or applet could use this
flaw to crash the Java Virtual Machine, or bypass Java sandbox
restrictions. (CVE-2012-1716)
Multiple flaws were discovered in the font manager's layout lookup
implementation. A specially-crafted font file could cause the Java Virtual
Machine to crash or, possibly, execute arbitrary code with the privileges
of the user running the virtual machine. (CVE-2012-1713)
Multiple flaws were found in the way the Java HotSpot Virtual Machine
verified the bytecode of the class file to be executed. A specially-crafted
Java application or applet could use these flaws to crash the Java Virtual
Machine, or bypass Java sandbox restrictions. (CVE-2012-1723,
CVE-2012-1725)
It was discovered that the Java XML parser did not properly handle certain
XML documents. An attacker able to make a Java application parse a
specially-crafted XML file could use this flaw to make the XML parser enter
an infinite loop. (CVE-2012-1724)
It was discovered that the Java security classes did not properly handle
Certificate Revocation Lists (CRL). CRL containing entries with duplicate
certificate serial numbers could have been ignored. (CVE-2012-1718)
It was discovered that various classes of the Java Runtime library could
create temporary files with insecure permissions. A local attacker could
use this flaw to gain access to the content of such temporary files.
(CVE-2012-1717)
Comments (none posted)
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2012-2390, CVE-2012-2372
Created: June 7, 2012
Updated: September 11, 2012
Description: From the Fedora advisory:
The 3.4 kernel contains a large number of bug fixes
* Wed May 30 2012 Josh Boyer
- CVE-2012-2390 huge pages: memory leak on mmap failure (rhbz 824352 824345)
* Thu May 24 2012 Josh Boyer
- CVE-2012-2372 mm: 32bit PAE pmd walk vs populate SMP race (rhbz 822821 822825)
Comments (none posted)
kernel: privilege escalation
Package(s): kernel
CVE #(s): CVE-2012-0217
Created: June 12, 2012
Updated: July 23, 2012
Description: From the Red Hat advisory:
It was found that the Xen hypervisor implementation as shipped with Red
Hat Enterprise Linux 5 did not properly restrict the syscall return
addresses in the sysret return path to canonical addresses. An
unprivileged user in a 64-bit para-virtualized guest, that is running on a
64-bit host that has an Intel CPU, could use this flaw to crash the host
or, potentially, escalate their privileges, allowing them to execute
arbitrary code at the hypervisor level.
Comments (none posted)
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2012-2934
Created: June 12, 2012
Updated: November 13, 2012
Description: From the Red Hat advisory:
It was found that guests could trigger a bug in earlier AMD CPUs, leading
to a CPU hard lockup, when running on the Xen hypervisor implementation. An
unprivileged user in a 64-bit para-virtualized guest could use this flaw to
crash the host. Warning: After installing this update, hosts that are using
an affected AMD CPU (refer to Red Hat Bugzilla bug #824966 for a list) will
fail to boot. In order to boot such hosts, the new kernel parameter,
allow_unsafe, can be used ("allow_unsafe=on"). This option should only be
used with hosts that are running trusted guests, as setting it to "on"
reintroduces the flaw (allowing guests to crash the host).
Comments (none posted)
kernel: denial of service and possible privilege escalation
Package(s): kernel
CVE #(s): CVE-2012-2383, CVE-2012-2384
Created: June 13, 2012
Updated: June 13, 2012
Description: From the Ubuntu advisory:
Xi Wang discovered a flaw in the Linux kernel's i915 graphics driver
handling of cliprect on 32 bit systems. An unprivileged local attacker
could leverage this flaw to cause a denial of service or potentially gain
root privileges. (CVE-2012-2383)
Xi Wang discovered a flaw in the Linux kernel's i915 graphics driver
handling of buffer_count on 32 bit systems. An unprivileged local attacker
could leverage this flaw to cause a denial of service or potentially gain
root privileges. (CVE-2012-2384)
Comments (none posted)
mysql: authentication bypass
Package(s): mysql-5.1, mysql-5.5, mysql-dfsg-5.0, mysql-dfsg-5.1
CVE #(s): CVE-2012-2122
Created: June 12, 2012
Updated: August 13, 2012
Description: From the Ubuntu advisory:
It was discovered that certain builds of MySQL incorrectly handled password
authentication on certain platforms. A remote attacker could use this issue
to authenticate with an arbitrary password and establish a connection.
Comments (none posted)
nova: group policy restriction
Package(s): nova
CVE #(s): CVE-2012-2654
Created: June 7, 2012
Updated: June 26, 2012
Description: From the Ubuntu advisory:
It was discovered that, when defining security groups in Nova using
the EC2 or OS APIs, specifying the network protocol (e.g. 'TCP') in
the incorrect case would cause the security group to not be applied
correctly. An attacker could use this to bypass Nova security group
restrictions.
Comments (none posted)
nss: denial of service
Package(s): nss
CVE #(s): CVE-2012-0441
Created: June 8, 2012
Updated: August 21, 2012
Description: From the Debian advisory:
Kaspar Brand discovered that Mozilla's Network Security Services (NSS)
library did insufficient length checking in the QuickDER decoder,
allowing to crash a program using the library.
For the stable distribution (squeeze), this problem has been fixed in
version 3.12.8-1+squeeze5.
For the testing distribution (wheezy) and unstable distribution (sid),
this problem has been fixed in version 2:3.13.4-3.
Comments (none posted)
php: multiple vulnerabilities
Package(s): PHP5
CVE #(s): CVE-2012-2335, CVE-2012-2336
Created: June 11, 2012
Updated: July 5, 2012
Description: From the CVE entries:
php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4.2 and execute arbitrary code by leveraging improper interaction between the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +- sequence. (CVE-2012-2335)
sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823. (CVE-2012-2336)
Comments (none posted)
ubuntuone-client: information leak
Package(s): ubuntuone-client
CVE #(s): CVE-2011-4409
Created: June 6, 2012
Updated: June 13, 2012
Description: From the Ubuntu advisory:
It was discovered that the Ubuntu One Client incorrectly validated server
certificates when using HTTPS connections. If a remote attacker were able
to perform a man-in-the-middle attack, this flaw could be exploited to
alter or compromise confidential information.
Comments (none posted)
ubuntu-sso-client: information leak
Package(s): ubuntu-sso-client
CVE #(s): CVE-2011-4408
Created: June 6, 2012
Updated: June 13, 2012
Description: From the Ubuntu advisory:
It was discovered that the Ubuntu Single Sign On Client incorrectly
validated server certificates when using HTTPS connections. If a remote
attacker were able to perform a man-in-the-middle attack, this flaw could
be exploited to alter or compromise confidential information.
Comments (none posted)
xen: denial of service
Package(s): Xen
CVE #(s): CVE-2012-0218
Created: June 13, 2012
Updated: June 26, 2012
Description: From the SUSE advisory:
A guest user could crash the guest XEN kernel due to a protection fault bounce.
Comments (none posted)
Page editor: Jake Edge