LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

Cyberoam deep packet inspection and certificates

By Nathan Willis
July 11, 2012

The Tor Project recently discovered a security flaw in a line of commercial deep packet inspection (DPI) products; a flaw which an attacker could use to intercept the SSL connections of third-party users. The manufacturer of the product quickly pushed out an update, but DPI products from other vendors may still be affected.

Runa Sandvik wrote about the discovery on the Tor blog in a post dated July 3. According to that account, the discovery took place the week before, when a Tor user in Jordan contacted the project to report seeing a fake certificate for torproject.org, issued by Cyberoam. The project initially thought that a certificate authority (CA) might have been compromised (as in the DigiNotar incident in 2011), but upon investigation, that was not the case.

Cyberoam is a network security vendor that sells DPI devices. The user in Jordan was not witnessing an attack, but rather the evidence that the SSL connection to Tor had been intercepted by a Cyberoam DPI device. It is not clear from Sandvik's post whether the user was behind a corporate Cyberoam barrier (in which case he or she may have explicitly or implicitly agreed to the DPI interception) or was being monitored unwillingly. Whatever the circumstances, though, it was not the DPI filtering that constituted the security vulnerability.

CA certificate woes and default settings

Cyberoam's devices monitor SSL connections without generating browser errors by having the user install a Cyberoam CA certificate into the browser's trusted certificate store. Subsequently, the device intercepts SSL connections, issuing generated certificates (signed by the now-trusted Cyberoam CA certificate) for the requested sites and establishing the server-side connection on the other side of the intercept. This had happened to the user in Jordan, which was why he or she saw a Cyberoam-issued certificate for the torproject.org domain. The problem is that all Cyberoam devices ship with identical CA certificates and identical private keys. Consequently, Sandvik wrote, anyone can use a Cyberoam device to intercept traffic on any other Cyberoam-filtered network, or even extract the key and install it on other devices and use those to intercept traffic. In either case, the users would not detect that their traffic was being monitored by someone other than the approved authority.

Sandvik and Ben Laurie wrote a security advisory (CVE-2012-3372) about the issue and notified Cyberoam before publishing the blog post. Cyberoam wrote a post on its own blog detailing its response to the alert. According to Cyberoam's account, each affected device is capable of generating its own CA certificate, and the certificate shared by all devices was merely a "default." After Tor's alert, the company pushed out an update to all of its devices instructing administrators to generate a unique CA certificate, and it "forcefully generated unique keys for all the remaining appliances." The wording in that section is a bit ambiguous, but it appears that device administrators were encouraged to generate a new CA certificate locally, and those that did not do so quickly were updated to a unique certificate generated at Cyberoam, with further instructions on local key generation. Cyberoam (admirably) thanked Tor for the vulnerability report, and also said that the CA certificate update makes its DPI products significantly more secure than its competitors'.

For the update to take effect, users on a Cyberoam-monitored network will need to import the newly-generated CA certificate into their browser's trusted certificate store. Whether they do so willingly depends on whether they have consented to be monitored by the device. For its part, Tor expresses little sympathy for organizations using DPI to intercept users' connections, repeatedly calling them "victims" in the security alert text, and adding the footnote: "In the corporate setting, willing victims are often known as 'employees'. Unwilling victims should not, of course, install the CA certificate, nor should they click through certificate warnings." On the other hand, the alert calls Cyberoam's approach "the only legitimate way to use these devices," in contrast with monitoring schemes that require persuading a CA to issue fake certificates.

Security impact

Without knowing the details of the user who reported the issue initially, it is impossible to say whether or not Cyberoam devices are being used to monitor Internet users without their consent. There are legitimate uses for DPI, of course, such as protecting a corporate network. But the report hints at a different scenario, because the user reported that common web sites (such as Gmail and Twitter) showed the correct CA certificates — suggesting that torproject.org was being selectively targeted for interception.

In comments on the Tor blog, some readers questioned whether the case was one of consenting monitoring done at an employer, or unwilling surveillance. One anonymous reader commented that the Cyberoam devices in question only intercept SSL connections to check for malware, and that Tor had "raised a non-existing vulnerability." Sandvik replied that there were two separate issues at play: the use of the device to intercept torproject.org traffic , and the fact that all Cyberoam devices shipped with the same CA certificate.

Cyberoam's response should seal the second issue, assuming that future devices ship only with unique keys. A master CA certificate controlled by Cyberoam could still be used to sign the individual device keys. In that case, Cyberoam might sign a separate "intermediate" CA certificate for each individual device. Thus the users only need to install the original Cyberoam certificate in the browser's trust store, and the certificate trust chain still validates. If device administrators have to re-generate a new CA certificate for the device, they must have Cyberoam sign it, but they do not have to have every user install something new.

But as Sandvik asked in the comment thread, "How can you be sure that the device being used in this case is not doing DPI, but 'just' HTTPS scanning for antivirus?" Implicitly, the answer is "you can't," which is one of the fundamental justifications for Tor and similar privacy-protecting projects. How the user in Jordan came to be behind a Cyberoam scanning device is unknown, but if he or she agreed to have web traffic monitored, particularly to the point of manually installing a CA certificate in the browser, then there is little or nothing to prevent the monitoring party from engaging in all sorts of mischief. Although, in an interesting side note, several anonymous commenters on the Tor blog posted what they claim to be the Cyberoam devices' default private key. So even if few people learn a lesson about the dangers of consenting to traffic monitoring, perhaps a few others will learn a lesson about leaving the default security settings in place.

Comments (29 posted)

Brief items

Security quotes of the week

Popular pet names Rover, Cheryl and Kate could be a thing of the past. Banks are now advising parents to think carefully before naming their child’s first pet. For security reasons, the chosen name should have at least eight characters, a capital letter and a digit. It should not be the same as the name of any previous pet, and must never be written down, especially on a collar as that is the first place anyone would look. Ideally, children should consider changing the name of their pet every 12 weeks.

[...] We tried to call Barclays’ security expert R0b Ste!nway for a comment, but he was not available for 24 hours, having answered his phone incorrectly three times in succession.

-- NewsBiscuit

A group of researchers led by Professor Todd Humphreys from the University of Texas at Austin Radionavigation Laboratory recently succeeded in raising the eyebrows of the US government. With just around $1,000 in parts, Humphreys’ team took control of an unmanned aerial vehicle owned by the college, all in front of the US Department of Homeland Security.

After being challenged by his lab, the DHS dared Humphreys’ crew to hack into a drone and take command. Much to their chagrin, they did exactly that.

-- RT

Just like the huge black eye that _every major US telecom company_ got when they got caught colluding with the NSA to spy on Americans in obvious violation of US law? You'll recall that it was such a *huge* PR disaster... that they're all still doing it today(!), that Congress retroactively changed the law(!), and that the whistleblower was indicted for espionage(!).

I agree that Intel's hardware is very probably not backdoored, but that's simply not a standard by which threats should be measured in this field. Treating a backdoor scenario as outside the realm of possibility based on appeals to reputation given such obvious, massive, and recent precedent to the contrary is... not a typical security mindset, to put it mildly.

-- Matt Mackall

Comments (1 posted)

New vulnerabilities

backuppc: cross-site scripting

Package(s):backuppc CVE #(s):CVE-2011-4923
Created:July 9, 2012 Updated:July 11, 2012
Description: From the Mageia advisory:

Cross-site scripting (XSS) vulnerability in View.pm in BackupPC 3.0.0, 3.1.0, 3.2.0, 3.2.1, and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the num parameter in a view action to index.cgi, related to the log file viewer

Alerts:
Mageia MGASA-2012-0139 2012-07-09
Mageia MGASA-2012-0165 2012-07-14
Mandriva MDVSA-2013:062 2013-04-08

Comments (none posted)

ffmpeg: insecure frame threads

Package(s):ffmpeg CVE #(s):CVE-2011-3937
Created:July 9, 2012 Updated:July 11, 2012
Description: From the Mageia advisory:

Disallow width/height changing with frame threads

Alerts:
Mageia MGASA-2012-0143 2012-07-09
Gentoo 201210-06 2012-10-19
Mandriva MDVSA-2013:079 2013-04-09

Comments (none posted)

jruby: denial of service

Package(s):jruby CVE #(s):CVE-2011-4838
Created:July 10, 2012 Updated:July 11, 2012
Description: From the CVE entry:

JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

Alerts:
Gentoo 201207-06 2012-07-09

Comments (none posted)

keepalived: denial of service

Package(s):keepalived CVE #(s):CVE-2011-1784
Created:July 10, 2012 Updated:April 10, 2013
Description: From the CVE entry:

The pidfile_write function in core/pidfile.c in keepalived 1.2.2 and earlier uses 0666 permissions for the (1) keepalived.pid, (2) checkers.pid, and (3) vrrp.pid files in /var/run/, which allows local users to kill arbitrary processes by writing a PID to one of these files.

Alerts:
Gentoo 201207-07 2012-07-09
Mageia MGASA-2012-0188 2012-08-02
Fedora FEDORA-2012-12377 2012-09-04
Fedora FEDORA-2012-12367 2012-09-04
Mandriva MDVSA-2013:096 2013-04-10

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2012-2744 CVE-2012-2745
Created:July 10, 2012 Updated:October 24, 2012
Description: From the Red Hat advisory:

* A NULL pointer dereference flaw was found in the nf_ct_frag6_reasm() function in the Linux kernel's netfilter IPv6 connection tracking implementation. A remote attacker could use this flaw to send specially-crafted packets to a target system that is using IPv6 and also has the nf_conntrack_ipv6 kernel module loaded, causing it to crash. (CVE-2012-2744, Important)

* A flaw was found in the way the Linux kernel's key management facility handled replacement session keyrings on process forks. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2745, Moderate)

Alerts:
Red Hat RHSA-2012:1064-01 2012-07-10
CentOS CESA-2012:1064 2012-07-10
Oracle ELSA-2012-1064 2012-07-11
Ubuntu USN-1507-1 2012-07-16
Oracle ELSA-2012-2025 2012-07-18
Oracle ELSA-2012-2026 2012-07-18
Red Hat RHSA-2012:1114-01 2012-07-24
Scientific Linux SL-kern-20120726 2012-07-26
Red Hat RHSA-2012:1129-01 2012-07-31
Red Hat RHSA-2012:1148-01 2012-08-07
Ubuntu USN-1567-1 2012-09-14
Ubuntu USN-1574-1 2012-09-19
Ubuntu USN-1597-1 2012-10-04
Ubuntu USN-1606-1 2012-10-11
SUSE SUSE-SU-2012:1391-1 2012-10-24
openSUSE openSUSE-SU-2013:0396-1 2013-03-05

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2012-3375
Created:July 10, 2012 Updated:July 13, 2012
Description: From the Red Hat advisory:

* The fix for CVE-2011-1083 (RHSA-2012:0150) introduced a flaw in the way the Linux kernel's Event Poll (epoll) subsystem handled resource clean up when an ELOOP error code was returned. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-3375, Moderate)

Alerts:
Red Hat RHSA-2012:1061-01 2012-07-10
CentOS CESA-2012:1061 2012-07-10
Oracle ELSA-2012-1061 2012-07-11
Scientific Linux SL-kern-20120712 2012-07-12
Red Hat RHSA-2012:1150-01 2012-08-08
Ubuntu USN-1514-1 2012-08-10
Ubuntu USN-1529-1 2012-08-10
Ubuntu USN-1532-1 2012-08-10
Ubuntu USN-1533-1 2012-08-10
Ubuntu USN-1539-1 2012-08-14
Mageia MGASA-2012-0237 2012-08-23
openSUSE openSUSE-SU-2013:0396-1 2013-03-05

Comments (none posted)

libgdata: insufficient certificate verification

Package(s):libgdata CVE #(s):CVE-2012-1177
Created:July 11, 2012 Updated:August 29, 2012
Description: From the Novell bugzilla:

libgdata doesn't validate ssl certificates for all connections

Alerts:
openSUSE openSUSE-SU-2012:0862-1 2012-07-11
Mandriva MDVSA-2012:111 2012-07-25
Mageia MGASA-2012-0190 2012-08-02
Gentoo 201208-06 2012-08-14
Ubuntu USN-1547-1 2012-08-28

Comments (none posted)

mod_security: modsecurity multipart bypasses

Package(s):mod_security CVE #(s):
Created:July 11, 2012 Updated:July 11, 2012
Description: From the Fedora advisory:

ModSecurity Multipart Bypasses fixed by this upstream release. [v2.6.6] Upgrade to the latest stable upstream release. Upgraded mod_security package.

Alerts:
Fedora FEDORA-2012-9824 2012-07-10

Comments (none posted)

mod_security_crs: modsecurity core rule set multipart bypasses

Package(s):mod_security_crs CVE #(s):
Created:July 11, 2012 Updated:July 11, 2012
Description: From the Fedora advisory:

ModSecurity Core Rule Set Multipart Bypasses fixed by this upstream release. [v2.2.5] Updated spec file. ModSecurity Rules

Alerts:
Fedora FEDORA-2012-9813 2012-07-10

Comments (none posted)

openjpeg: code execution

Package(s):openjpeg CVE #(s):CVE-2012-3358
Created:July 11, 2012 Updated:July 16, 2012
Description: From the Red Hat advisory:

An input validation flaw, leading to a heap-based buffer overflow, was found in the way OpenJPEG handled the tile number and size in an image tile header. A remote attacker could provide a specially-crafted image file that, when decoded using an application linked against OpenJPEG, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

Alerts:
Red Hat RHSA-2012:1068-01 2012-07-11
CentOS CESA-2012:1068 2012-07-11
Mandriva MDVSA-2012:104 2012-07-12
Oracle ELSA-2012-1068 2012-07-11
Scientific Linux SL-open-20120711 2012-07-11
Mageia MGASA-2012-0165 2012-07-14
Debian DSA-2629-1 2013-02-25
Mandriva MDVSA-2013:110 2013-04-10

Comments (none posted)

pidgin: remote code execution

Package(s):pidgin CVE #(s):CVE-2012-3374
Created:July 9, 2012 Updated:March 15, 2013
Description: From the Debian advisory:

Ulf Härnhammar found a buffer overflow in Pidgin, a multi protocol instant messaging client. The vulnerability can be exploited by an incoming message in the MXit protocol plugin. A remote attacker may cause a crash, and in some circumstances can lead to remote code execution.

Alerts:
Debian DSA-2509-1 2012-07-08
Ubuntu USN-1500-1 2012-07-09
Mageia MGASA-2012-0154 2012-07-10
Fedora FEDORA-2012-10287 2012-07-10
Mandriva MDVSA-2012:105 2012-07-12
Slackware SSA:2012-195-02 2012-07-14
Fedora FEDORA-2012-10294 2012-07-14
Red Hat RHSA-2012:1102-01 2012-07-19
CentOS CESA-2012:1102 2012-07-19
CentOS CESA-2012:1102 2012-07-19
SUSE SUSE-SU-2012:0890-1 2012-07-19
Oracle ELSA-2012-1102 2012-07-20
Scientific Linux SL-pidg-20120719 2012-07-19
Gentoo 201209-17 2012-09-27
Oracle ELSA-2013-0646 2013-03-14

Comments (none posted)

pidgin: information disclosure

Package(s):pidgin CVE #(s):CVE-2011-4922
Created:July 10, 2012 Updated:July 11, 2012
Description: From the Ubuntu advisory:

Julia Lawall discovered that Pidgin incorrectly cleared memory contents used in cryptographic operations. An attacker could exploit this to read the memory contents, leading to an information disclosure. This issue only affected Ubuntu 10.04 LTS.

Alerts:
Ubuntu USN-1500-1 2012-07-09

Comments (none posted)

python3: data leaks, memory damage, and crash

Package(s):python3 CVE #(s):CVE-2012-2135
Created:July 11, 2012 Updated:August 13, 2012
Description: From the Novell bugzilla:

In the utf-16 decoder after calling unicode_decode_call_errorhandler aligned_end is not updated. This may potentially cause data leaks, memory damage, and crash. The bug introduced by implementation of the issue #4868. In a similar situation in the utf-8 decoder aligned_end is updated.

Alerts:
openSUSE openSUSE-SU-2012:0861-1 2012-07-11
Mageia MGASA-2012-0208 2012-08-12
Ubuntu USN-1615-1 2012-10-23
Ubuntu USN-1616-1 2012-10-24

Comments (none posted)

wireshark: denial of service

Package(s):wireshark CVE #(s):CVE-2012-3825 CVE-2012-3826
Created:July 11, 2012 Updated:July 11, 2012
Description: From the CVE entries:

Multiple integer overflows in Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 allow remote attackers to cause a denial of service (infinite loop) via vectors related to the (1) BACapp and (2) Bluetooth HCI dissectors, a different vulnerability than CVE-2012-2392. (CVE-2012-3825)

Multiple integer underflows in Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 allow remote attackers to cause a denial of service (loop) via vectors related to the R3 dissector, a different vulnerability than CVE-2012-2392. (CVE-2012-3826)

Alerts:
Fedora FEDORA-2012-10175 2012-07-10

Comments (none posted)

xorg-server: code execution

Package(s):xorg-server CVE #(s):CVE-2012-2118
Created:July 10, 2012 Updated:April 11, 2013
Description: From the CVE entry:

Format string vulnerability in the LogVHdrMessageVerb function in os/log.c in X.Org X11 1.11 allows attackers to cause a denial of service or possibly execute arbitrary code via format string specifiers in an input device name.

Alerts:
Gentoo 201207-04 2012-07-09
Ubuntu USN-1502-1 2012-07-11
Mageia MGASA-2012-0299 2012-10-20
Mandriva MDVSA-2013:139 2013-04-10

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds