By Jake Edge
August 22, 2012
When a system is compromised, the attackers may try to cover their tracks so that the administrator is not alerted to the attack. One way for an attacker to hide is by removing log file entries that might lead an administrator (or a log file analyzer) to notice. A new feature in the systemd journal, "forward secure sealing" (FSS), is meant to detect log file tampering.
Traditionally, administrators have written log files to external systems
across the network or to a local printer—though paper is notoriously
hard to grep—to defeat log file tampering. As long as the
other system is not compromised, and log file lines are written
immediately, an attacker can't help but leave their "fingerprints" behind.
But FSS provides a way to at least detect tampering using only a single
system, though it won't provide all of the assurances that external logging can.
Systemd developer Lennart Poettering announced FSS on August 20. The basic idea is that the binary logs handled by the systemd journal can be "sealed" at regular time intervals. That seal is a cryptographic operation on the log data such that any tampering prior to the seal can be detected. So long as a sealing operation happens before the attacker gets a chance to tamper with the logs, their fingerprints will be sealed with the rest of the log data. They can still delete the log files entirely, but that is likely to be noticed as well.
The algorithm for FSS is based on "Forward Secure Pseudo Random
Generators" (FSPRG), which comes from some post-doctoral research by
Poettering's brother Bertram. The paper on FSPRG has not been published but will
be soon, according to (Lennart) Poettering.
The announcement on Google+ and its long comment thread do give some
details, however. FSS is based on two keys that are generated using:
journalctl --setup-keys
One key is the "sealing key" which is kept on the system, and the other is
the "verification key" which should be securely stored elsewhere. Using
the FSPRG mechanism, a new sealing key is generated periodically using a
non-reversible process. The old key is
then securely deleted from the system after the change.
The verification key can be used to calculate the sealing key for any given
time range. That means that the attacker can only access the current
sealing key (which will presumably be used for the next sealing operation),
while the administrator can reliably generate any sealing key to verify
previous log file seals. Changing log file entries prior to the last seal
will result in a verification failure.
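The key-evolution and sealing scheme described above, as an added example that is not systemd's code: systemd's FSS uses the FSPRG construction, and this model stands in for it with a plain one-way hash ratchet, which has the same forward-secrecy shape (the verifier can recompute any epoch's sealing key from the verification key, while the host only ever holds the current one). The seed value, the log entries and the `JournalHost`/`verify` names are constructed for the demonstration.

```python
"""Toy model of forward secure sealing (FSS) for an append-only log.

Added example, not systemd's code. systemd's FSS uses the FSPRG
construction described in the article; this model stands in for it with a
plain one-way hash ratchet, which has the same forward-secrecy shape:

  * the verification key is a seed that leaves the machine;
  * the sealing key for epoch i is the ratchet applied (i + 1) times to
    that seed, so the verifier can recompute any epoch's key while the host,
    which only ever holds the current key, cannot step backwards;
  * each seal is an HMAC over that epoch's entries under that epoch's key.
"""
import hashlib
import hmac


def ratchet(key: bytes) -> bytes:
    """One-way step from one epoch's sealing key to the next."""
    return hashlib.sha256(b"fss-toy-ratchet|" + key).digest()


def sealing_key(verification_key: bytes, epoch: int) -> bytes:
    """Verifier side: derive the sealing key of any epoch from the off-box key."""
    key = verification_key
    for _ in range(epoch + 1):
        key = ratchet(key)
    return key


def seal_tag(key: bytes, entries: list[bytes]) -> bytes:
    """HMAC over the length-prefixed entries of one epoch."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for entry in entries:
        mac.update(len(entry).to_bytes(4, "big"))
        mac.update(entry)
    return mac.digest()


class JournalHost:
    """The logging host: it holds only the current epoch's sealing key."""

    def __init__(self, verification_key: bytes):
        # Epoch-0 sealing key; the verification key itself is never stored here.
        self.key = ratchet(verification_key)
        self.entries: list[bytes] = []
        self.seals: list[tuple[int, bytes]] = []  # (index past last sealed entry, tag)

    def log(self, line: bytes) -> None:
        self.entries.append(line)

    def seal(self) -> None:
        start = self.seals[-1][0] if self.seals else 0
        tag = seal_tag(self.key, self.entries[start:])
        self.seals.append((len(self.entries), tag))
        # Forward step: the key that produced this seal is discarded. systemd
        # relies on secure deletion in the filesystem for this; the toy model
        # simply drops the Python reference.
        self.key = ratchet(self.key)


def verify(verification_key: bytes, entries: list[bytes],
           seals: list[tuple[int, bytes]]) -> list[int]:
    """Recompute every seal from the verification key; return the failing epochs."""
    bad, start = [], 0
    for epoch, (end, tag) in enumerate(seals):
        expected = seal_tag(sealing_key(verification_key, epoch), entries[start:end])
        if not hmac.compare_digest(expected, tag):
            bad.append(epoch)
        start = end
    return bad


def demo() -> dict:
    """Seal two epochs, then show what tampering is and is not detectable."""
    # Constructed seed standing in for the key `journalctl --setup-keys` would print.
    vkey = b"\x11" * 32
    host = JournalHost(vkey)
    host.log(b"sshd: Accepted publickey for admin")
    host.seal()                                                    # epoch 0 sealed
    host.log(b"sshd: Failed password for root from 203.0.113.9")  # constructed entry
    host.seal()                                                    # epoch 1 sealed
    host.log(b"cron: job started")                                 # still in the open epoch

    sealed_edit = list(host.entries)
    sealed_edit[1] = b"sshd: session closed"          # rewrite a sealed entry
    tail_edit = list(host.entries)
    tail_edit[2] = b"cron: nothing to do"             # rewrite an unsealed entry
    return {
        "clean": verify(vkey, host.entries, host.seals),       # []
        "sealed_edit": verify(vkey, sealed_edit, host.seals),  # [1]
        "tail_edit": verify(vkey, tail_edit, host.seals),      # []: the window after the last seal
        "host_key_matches_epoch_2": host.key == sealing_key(vkey, 2),
    }


if __name__ == "__main__":
    print(demo())
```

The `tail_edit` result is the point the article makes about the sealing interval: anything written after the last seal, and anything an attacker does with the current key before the next seal, is outside what verification can see, which is why a long interval is a wide window.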
As a bell—or perhaps a whistle—the key generator can
create a QR code of the verification key, which can be scanned so that the
key doesn't have to be typed in.
Anything that happens after the system is compromised is under control of the attacker, as was pointed out multiple times in the comments. That means that local logs cannot be relied on after that point, but it also applies to remotely stored—or even printed—log files. The latter two methods do protect against an attacker simply deleting the local log files, though.
By default, FSS will seal the logs every 15 minutes, but that can be changed at key generation time with a flag: "--interval=10s" for example. The system clock time is used in the generation of each new sealing key, which is why the interval must be specified when the keys are generated. The default value surprisingly leaves a rather large window for an attacker who immediately turns to altering the log file, though. One also wonders if subtle (or not so subtle) manipulations of the system clock might be a way to subvert or otherwise interfere with the key generation.
Securely deleting the old sealing key is handled by setting the FS_SECRM_FL and FS_NOCOW_FL file attributes, which may or may not be implemented by the underlying filesystem. That could potentially lead to leaks of previous sealing keys, which would allow an attacker to make changes to earlier entries. Obviously, losing control of the verification key means that all bets are off as well.
The code is available already in the systemd Git repository. Poettering notes that it will also be available in Fedora 18.
FSS is an interesting feature that will likely prove useful for some administrators. It certainly doesn't solve all of the problems with detecting attackers or compromised systems, but it could definitely help by raising red flags. There is more to do, of course, starting with a security audit of the code—more eyes can only be helpful in ferreting out any holes in the algorithm or implementation. Once that's done, administrators can feel more confident that their log files aren't undetectably changing out from under them—at least if they are using the systemd journal.
Brief items
For example, if the year is 2013 but the current month is less than the
target month (say February), then the condition would return a result as if
the current date lies before the August 2012 checkpoint value. In fact,
this logic is simply flawed and incorrect. This error indirectly confirms
our initial conclusion that the Shamoon malware is not the Wiper malware
that attacked Iranian systems. Wiper is presumed to be a cyber-weapon and,
if so, it should have been developed by a team of professionals. But
experienced programmers would hardly be expected to mess up a date
comparison routine.
-- Dmitry Tarakanov of Kaspersky Lab analyzes the Shamoon malware
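The date comparison error Tarakanov describes, as an added example that is neither Kaspersky's nor the malware's code: the quote says each date field was tested on its own, so a February 2013 date was judged to be before the August 2012 checkpoint. The shape of `flawed_before` is a reconstruction of that description, and the checkpoint month and the year range are constructed for the demonstration; `correct_before` shows the ordered comparison a detection or reporting tool should use instead.

```python
"""Field-wise date comparison versus ordered comparison.

Added example, not Kaspersky's or the malware's code. `flawed_before`
reconstructs the shape of the check the quote describes: year and month are
compared independently, so any later year with a numerically smaller month
is misclassified. `correct_before` compares the (year, month) tuple, which
is the real "before" relation. The checkpoint and year range are constructed.
"""
from datetime import date

CHECKPOINT_YEAR, CHECKPOINT_MONTH = 2012, 8  # "August 2012" from the quote


def flawed_before(year: int, month: int) -> bool:
    """Wrong whenever the year is later but the month is numerically smaller
    than the checkpoint month, e.g. (2013, 2)."""
    return year < CHECKPOINT_YEAR or month < CHECKPOINT_MONTH


def correct_before(year: int, month: int) -> bool:
    """Lexicographic (year, month) ordering: year decides, month breaks ties."""
    return (year, month) < (CHECKPOINT_YEAR, CHECKPOINT_MONTH)


def disagreements(first_year: int = 2010, last_year: int = 2014) -> list[date]:
    """Every month in the range on which the two checks give different answers."""
    out = []
    for year in range(first_year, last_year + 1):
        for month in range(1, 13):
            if flawed_before(year, month) != correct_before(year, month):
                out.append(date(year, month, 1))
    return out


if __name__ == "__main__":
    print("2013-02 flawed:", flawed_before(2013, 2), "correct:", correct_before(2013, 2))
    print(len(disagreements()), "months between 2010 and 2014 are misjudged")
```

Every disagreement falls in January to July of a year after the checkpoint, exactly the case the quote describes; the flawed check never errs in the other direction, which is why the bug only shows up once the calendar moves past the checkpoint year.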
Windows 8, set for release on 26 October, automatically deletes entries in
the HOSTS file for specific domains. Try, for example, to prevent attempts
to access Facebook.com, Twitter.com or ad servers such as
ad.doubleclick.net by rerouting them to 127.0.0.1 by adding entries to the
HOSTS file and the relevant entries will soon disappear from the HOSTS file
as if by magic, leaving nothing but an empty line.
-- The H
Most importantly, a series of leaks over the past few years containing more than 100 million real-world passwords have provided crackers with important new insights about how people in different walks of life choose passwords on different sites or in different settings. The ever-growing list of leaked passwords allows programmers to write rules that make cracking algorithms faster and more accurate; password attacks have become cut-and-paste exercises that even script kiddies can perform with ease.
-- Dan Goodin in ars technica
As a Data Privacy Engineer at Google you will help ensure that our products are designed to the highest standards and are operated in a manner that protects the privacy of our users. Specifically, you will work as member of our Privacy Red Team to independently identify, research, and help resolve potential privacy risks across all of our products, services, and business processes in place today.
-- Google is looking for privacy engineers
The H reports on some 40-60 Adobe PDF reader holes found by Google employees—not all of which were fixed in the August 14 update. In fact, none of them were fixed for Linux as no release was made for Linux. "Google employees Mateusz Jurczyk and Gynvael Coldwind initially examined the PDF engine of the Chrome browser and discovered numerous holes. They then tested Adobe Reader and found about 60 issues that triggered crashes, 40 of which are potential attack vectors. When the two researchers reported their discoveries to Adobe, the company promised to provide fixes – but also indicated that not all the holes would be closed on Patch Day in August."
New vulnerabilities
emacs: code execution
| Package(s): | emacs | CVE #(s): | CVE-2012-3479 |
| Created: | August 16, 2012 | Updated: | January 10, 2013 |
| Description: | From the Slackware advisory: Patched to fix a security flaw in the file-local variables code. When the Emacs user option `enable-local-variables' is set to `:safe' (the default value is t), Emacs should automatically refuse to evaluate `eval' forms in file-local variable sections. Due to the bug, Emacs instead automatically evaluates such `eval' forms. Thus, if the user changes the value of `enable-local-variables' to `:safe', visiting a malicious file can cause automatic execution of arbitrary Emacs Lisp code with the permissions of the user. Bug discovered by Paul Ling. |
| Alerts: | |
flash-plugin: code execution
| Package(s): | flash-plugin | CVE #(s): | CVE-2012-1535 |
| Created: | August 16, 2012 | Updated: | August 23, 2012 |
| Description: | From the Red Hat advisory: Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content. (CVE-2012-1535) |
| Alerts: | |
gdb: code execution
| Package(s): | gdb | CVE #(s): | CVE-2011-4355 |
| Created: | August 17, 2012 | Updated: | March 11, 2013 |
| Description: | From the Red Hat advisory: It was discovered that the GNU Debugger (gdb) would load untrusted files from the current working directory when .debug_gdb_scripts was defined. While this was a design decision, it is an insecure one and users who do not pre-inspect untrusted files may execute arbitrary code with their privileges. |
| Alerts: | |
gimp: code execution
| Package(s): | gimp | CVE #(s): | CVE-2012-3403, CVE-2012-3481 |
| Created: | August 20, 2012 | Updated: | September 4, 2012 |
| Description: | From the Red Hat advisory: A heap-based buffer overflow flaw was found in the GIMP's KiSS CEL file format plug-in. An attacker could create a specially-crafted KiSS palette file that, when opened, could cause the CEL plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP. (CVE-2012-3403) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the GIMP's GIF image format plug-in. An attacker could create a specially-crafted GIF image file that, when opened, could cause the GIF plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP. (CVE-2012-3481) |
| Alerts: | |
gimp: code execution
| Package(s): | gimp | CVE #(s): | CVE-2012-3402, CVE-2009-3909 |
| Created: | August 20, 2012 | Updated: | September 28, 2012 |
| Description: | From the Red Hat advisory: Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the GIMP's Adobe Photoshop (PSD) image file plug-in. An attacker could create a specially-crafted PSD image file that, when opened, could cause the PSD plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP. (CVE-2009-3909, CVE-2012-3402) |
| Alerts: | |
glibc: code execution
| Package(s): | glibc | CVE #(s): | CVE-2012-3480 |
| Created: | August 20, 2012 | Updated: | August 28, 2012 |
| Description: | From the Red Hat bugzilla: Multiple integer overflows, leading to stack-based buffer overflows, were found in various stdlib functions of GNU libc (strtod, strtof, strtold, strtod_l and related routines). If an application, using the affected stdlib functions, did not perform user-level sanitization of provided inputs, a local attacker could use this flaw to cause such an application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. |
| Alerts: | |
glpi: multiple vulnerabilities
| Package(s): | glpi | CVE #(s): | CVE-2012-4002, CVE-2012-4003 |
| Created: | August 16, 2012 | Updated: | August 30, 2012 |
| Description: | From the Mandriva advisory: Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) flaws have been found and corrected in GLPI (CVE-2012-4002, CVE-2012-4003). |
| Alerts: | |
imagemagick: code execution
| Package(s): | imagemagick | CVE #(s): | CVE-2012-3437 |
| Created: | August 22, 2012 | Updated: | April 10, 2013 |
| Description: | From the Ubuntu advisory: Tom Lane discovered that ImageMagick would not always properly allocate memory. If a user or automated system using ImageMagick were tricked into opening a specially crafted PNG image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. |
| Alerts: | |
libapache2-mod-rpaf: denial of service
| Package(s): | libapache2-mod-rpaf | CVE #(s): | |
| Created: | August 22, 2012 | Updated: | August 22, 2012 |
| Description: | From the Debian advisory: Sébastien Bocahu discovered that the reverse proxy add forward module for the Apache webserver is vulnerable to a denial of service attack through a single crafted request with many headers. |
| Alerts: | |
openstack-nova: symlink attack
| Package(s): | openstack-nova | CVE #(s): | CVE-2012-3447 |
| Created: | August 21, 2012 | Updated: | August 22, 2012 |
| Description: | From the CVE entry: virt/disk/api.py in OpenStack Compute (Nova) 2012.1.x before 2012.1.2 and Folsom before Folsom-3 allows remote authenticated users to overwrite arbitrary files via a symlink attack on a file in an image that uses a symlink that is only readable by root. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3361. |
| Alerts: | |
pcp: multiple vulnerabilities
| Package(s): | pcp | CVE #(s): | CVE-2012-3418, CVE-2012-3419, CVE-2012-3420, CVE-2012-3421 |
| Created: | August 20, 2012 | Updated: | September 4, 2012 |
| Description: | From the Red Hat bugzilla [1], [2], [3], [4]: [1] Florian Weimer of the Red Hat Product Security Team discovered multiple integer and heap-based buffer overflow flaws in PCP (Performance Co-Pilot) libpcp protocol decoding functions. These flaws could lead to daemon crashes or the execution of arbitrary code with root privileges. Many of these flaws can be exploited without requiring the attacker to be authenticated. (CVE-2012-3418) [2] Florian Weimer of the Red Hat Product Security Team discovered that pmcd (the PCP (Performance Co-Pilot) performance metrics collector daemon) exports part of the /proc file system, including privileged information that could be used to aid in bypassing ASLR, as well as full commandline information on running programs. (CVE-2012-3419) [3] Florian Weimer of the Red Hat Product Security Team discovered two memory leaks in libpcp that can be abused by an unauthenticated remote attacker to crash pmcd (the PCP (Performance Co-Pilot) performance metrics collector daemon) or to consume enough memory to trigger the OOM killer, which may have impact on other processes. (CVE-2012-3420) [4] Florian Weimer of the Red Hat Product Security Team discovered a denial of service flaw in pmcd (the PCP (Performance Co-Pilot) performance metrics collector daemon) due to incorrect event-driven programming. Because the pduread() function in libpcp performs a select locally, waiting for more client data, an unauthenticated remote attacker could send individual bytes one by one, avoiding the timeout, and blocking pmcd in order to prevent it from responding to other legitimate requests. (CVE-2012-3421) |
| Alerts: | |
phpmyadmin: cross-site scripting
| Package(s): | phpmyadmin | CVE #(s): | CVE-2012-4345 |
| Created: | August 17, 2012 | Updated: | August 29, 2012 |
| Description: | From the phpMyAdmin advisory: Using a crafted table name, it was possible to produce an XSS: 1) On the Database Structure page, creating a new table with a crafted name 2) On the Database Structure page, using the Empty and Drop links of the crafted table name 3) On the Table Operations page of a crafted table, using the 'Empty the table (TRUNCATE)' and 'Delete the table (DROP)' links 4) On the Triggers page of a database containing tables with a crafted name, when opening the 'Add Trigger' popup 5) When creating a trigger for a table with a crafted name, with an invalid definition. Having crafted data in a database table, it was possible to produce an XSS: 6) When visualizing GIS data, having a crafted label name. |
| Alerts: | |
postgresql: file disclosure
| Package(s): | postgresql | CVE #(s): | CVE-2012-3488, CVE-2012-3489 |
| Created: | August 20, 2012 | Updated: | September 28, 2012 |
| Description: | From the postgresql advisory: This security release fixes a vulnerability in the built-in XML functionality, and a vulnerability in the XSLT functionality supplied by the optional XML2 extension. Both vulnerabilities allow reading of arbitrary files by any authenticated database user, and the XSLT vulnerability allows writing files as well. The fixes cause limited backwards compatibility issues. |
| Alerts: | |
redeclipse: file disclosure
| Package(s): | redeclipse | CVE #(s): | |
| Created: | August 20, 2012 | Updated: | August 22, 2012 |
| Description: | From the Fedora advisory: A flaw was found in the way Red Eclipse handled config files. In cube2-engine games, game maps can be transmitted either from the server to a client, or from client to client. These maps include a config file (mapname.cfg) in "cubescript" format, which allows for an attacker to send a malicious script via a new map. This map must either be chosen by an administrator on the server, or created in co-operative editing mode. A malicious script could then be used to read or write to any files that the user running the client has access to when the victim loads a map with the malicious configuration file. |
| Alerts: | |
rssh: shell command injection
| Package(s): | rssh | CVE #(s): | CVE-2012-3478 |
| Created: | August 16, 2012 | Updated: | September 11, 2012 |
| Description: | From the Debian advisory: Henrik Erkkonen discovered that rssh, a restricted shell for SSH, does not properly restrict shell access. |
| Alerts: | |
wireshark: multiple vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2012-4285, CVE-2012-4287, CVE-2012-4288, CVE-2012-4289, CVE-2012-4296, CVE-2012-4297, CVE-2012-4291, CVE-2012-4292, CVE-2012-4293, CVE-2012-4290 |
| Created: | August 16, 2012 | Updated: | December 26, 2012 |
| Description: | From the Mandriva advisory: Multiple vulnerabilities were found and corrected in Wireshark: The DCP ETSI dissector could trigger a zero division (CVE-2012-4285). The MongoDB dissector could go into a large loop (CVE-2012-4287). The XTP dissector could go into an infinite loop (CVE-2012-4288). The AFP dissector could go into a large loop (CVE-2012-4289). The RTPS2 dissector could overflow a buffer (CVE-2012-4296). The GSM RLC MAC dissector could overflow a buffer (CVE-2012-4297). The CIP dissector could exhaust system memory (CVE-2012-4291). The STUN dissector could crash (CVE-2012-4292). The EtherCAT Mailbox dissector could abort (CVE-2012-4293). The CTDB dissector could go into a large loop (CVE-2012-4290). |
| Alerts: | |
xen: denial of service
| Package(s): | xen | CVE #(s): | CVE-2012-3433 |
| Created: | August 20, 2012 | Updated: | September 14, 2012 |
| Description: | From the Debian advisory: A guest kernel can cause the host to become unresponsive for a period of time, potentially leading to a DoS. Since an attacker with full control in the guest can impact the host, this vulnerability is considered high impact. |
| Alerts: | |
Page editor: Jake Edge