By Jake Edge
January 16, 2013
Keeping up with distribution security updates is typically straightforward,
but finding out about vulnerable packages before they have been
patched can be rather harder. There is generally a lag between the report of a
vulnerability and the availability of an updated package. In that window,
there might well
be steps that administrators could take to mitigate or work around the
problem, but they can only do so if they are aware of the problem. In our recent article that looked at distribution response to
the MoinMoin and Rails vulnerabilities, there was a suggestion that
distributions could do more to help notify administrators of
known-but-unpatched security holes. As it turns out, a comment on that article led us to one example
of just such an early warning system.
The tool in question is debsecan (Debian
security analyzer), which helps
Debian administrators keep up with the vulnerabilities reported against
the packages they have installed. By consulting the Debian security bug
tracker, debsecan gets information about entries in the CVE (Common Vulnerabilities and
Exposures) and National Vulnerability
Database lists that it can correlate with the packages installed
on the system. It runs hourly by default, and can email interested
parties with its results once per day.
Debsecan was written by Florian Weimer, starting back at the end of 2005;
at this point, it is fairly stable and has
remained largely unchanged since mid-2010. The program is less than 1500
lines of
Python, with just a few dependencies (e.g., libapt-pkg
bindings). That dependency and the reliance on the bug tracker make it
quite Debian-specific, of course, but the idea behind it is more widely
applicable.
Obviously, debsecan depends on the information in the security bug tracker
being kept up to date. That is handled by the Debian security team, though
volunteers
are welcome. The team has put together an introduction
to the security bug tracker
that describes the process it uses to track security problems for Debian.
Other distributions also track security problems, of course, but tools like
debsecan that specifically look for problems that have not yet been
patched are not common.
Ubuntu carries debsecan in its repositories, but it is too
Debian-specific to be directly useful on Ubuntu and, so far, efforts
to Ubuntu-ize it have not gone anywhere.
At this point, the package is targeted for removal from Ubuntu, because it
"conveys information that is just plain wrong" for Ubuntu.
For other distributions, package managers (e.g., yum,
zypper) will list available updates, and can often filter that list based
on security updates, but don't list unpatched packages.
It is, of course, best if a distribution can keep up with the security
problems in its packages, but that can be
difficult at times. Like with the recent MoinMoin and Rails vulnerabilities, though,
there are often ways to mitigate a particular problem—if the
administrator is alerted. Even if there is no workaround available,
an administrator could choose to completely disable the affected package
(or install a patched version from source) while awaiting a distribution
update. There is some similarity with the arguments in favor of "full
disclosure" here: essentially, the more each individual knows about the
vulnerabilities of their software, the more options for handling the
problem they have. Without that information, those options are severely
limited—in fact, largely non-existent.
One could imagine a cross-distribution project that gathered the same kind of
information as the Debian security bug tracker, but in a more
distribution-independent fashion. Each distribution could have a tool that
processed that data, correlated it to its package names and versions, and
then reported on what it found. It could even potentially be extended to
help track software that is installed from source.
Keeping up with security updates for source installations can definitely be
a problem area. While many larger projects have advisory announcement mailing
lists, there are plenty of smaller projects that aren't quite as formal.
That means that there are multiple sources of security advisories that an
administrator needs to keep track of.
By maintaining some kind of list of locally installed packages, coupled
with a central storehouse of vulnerabilities, a tool like
debsecan could also be used to provide alerts to security holes in local
source-installed
packages as well.
There are plenty of reasons that administrators will install from
source—new features and bug fixes, compatibility with other
packages, and so on. Those packages are often things like
fast-moving web frameworks or applications that have high
risk profiles. A tool that helped administrators keep up
with the security issues in source packages, while also integrating the
distribution package vulnerabilities and updates, would be a real boon for
Linux.
Comments (12 posted)
Brief items
When we mere imperfect mortals deem to pit even our most righteous beliefs against the timorous gods of old, it is simultaneously an act of faith and the voluntary assumption of enormous risk, for the gods of obsolescence still possess mighty powers indeed.
In the end, the old gods of information scarcity and control will indeed die, and more open models will win the future.
-- Lauren Weinstein
This vulnerability was different in that it was an 0day (and has been
for some time) inside all the major malware dropper kits. And yet, no
massive screaming has really been reported. People aren't really
[panicking]. Just the same advice - boring even to people in the security
industry. You have to wonder - is the level of public infection so high
that something this pervasive doesn't move the needle?
-- Dave Aitel
That is to say, The Dictator's Practical Internet Guide to Power Retention's main value is not for dictatorships at all; it is written for us, citizens of the free world, as a wake up call against the various stakeholder that wish to subdue the Internet away from us. Be it ACTA, TPP, SOPA, National Security Inquiry, Patriot Act or just your average copyright industry demand, our Internet is always in danger – and thus our freedom is as well.
-- Moshe
Reuveni reviews The Dictator's
Practical Internet Guide to Power Retention
The larger story here is that as more of our communications move to mobile
devices and to the cloud, we will encounter surprising exceptions to our
expectations for secure communications. Browsers like Nokia Xpress and
Opera Mini are essentially moving our web browsing to the cloud—pushing the
security functions that we traditionally thought existed in a safe zone
within our device to far-away servers. At the same time, our devices can
betray us by aiding and abetting this security offloading.
-- Steve
Schultze on mobile browsers decrypting SSL
Comments (2 posted)
New vulnerabilities
389-ds-base: ACL restriction bypass
| Package(s): | 389-ds-base |
CVE #(s): | CVE-2012-4450
|
| Created: | January 15, 2013 |
Updated: | March 11, 2013 |
| Description: |
From the CVE entry:
389 Directory Server 1.2.10 does not properly update the ACL when a DN entry is moved by a modrdn operation, which allows remote authenticated users with certain permissions to bypass ACL restrictions and access the DN entry. |
| Alerts: |
|
Comments (none posted)
asterisk: denial of service
| Package(s): | asterisk |
CVE #(s): | CVE-2012-5976
CVE-2012-5977
|
| Created: | January 14, 2013 |
Updated: | January 30, 2013 |
| Description: |
From the CVE entries:
Multiple stack consumption vulnerabilities in Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones allow remote attackers to cause a denial of service (daemon crash) via TCP data using the (1) SIP, (2) HTTP, or (3) XMPP protocol. (CVE-2012-5976)
Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones, when anonymous calls are enabled, allow remote attackers to cause a denial of service (resource consumption) by making anonymous calls from multiple sources and consequently adding many entries to the device state cache. (CVE-2012-5977) |
| Alerts: |
|
Comments (none posted)
autofs: denial of service
| Package(s): | autofs |
CVE #(s): | CVE-2012-2697
|
| Created: | January 14, 2013 |
Updated: | January 17, 2013 |
| Description: |
From the Red Hat advisory:
A bug fix included in RHBA-2012:0264 introduced a denial of service flaw in
autofs. When using autofs with LDAP, a local user could use this flaw to
crash autofs, preventing future mount requests from being processed until
the autofs service was restarted. |
| Alerts: |
|
Comments (none posted)
conga: leaks authentication credentials
| Package(s): | conga |
CVE #(s): | CVE-2012-3359
|
| Created: | January 14, 2013 |
Updated: | January 17, 2013 |
| Description: |
From the Red Hat advisory:
It was discovered that luci stored usernames and passwords in session
cookies. This issue prevented the session inactivity timeout feature from
working correctly, and allowed attackers able to get access to a session
cookie to obtain the victim's authentication credentials. |
| Alerts: |
|
Comments (none posted)
drupal7-context: information disclosure
| Package(s): | drupal7-context |
CVE #(s): | CVE-2012-5655
|
| Created: | January 14, 2013 |
Updated: | January 21, 2013 |
| Description: |
From the CVE entry:
The Context module 6.x-3.x before 6.x-3.1 and 7.x-3.x before 7.x-3.0-beta6 for Drupal does not properly restrict access to block content, which allows remote attackers to obtain sensitive information via a crafted request. |
| Alerts: |
|
Comments (none posted)
freeciv: denial of service
| Package(s): | freeciv |
CVE #(s): | CVE-2012-6083
|
| Created: | January 15, 2013 |
Updated: | January 16, 2013 |
| Description: |
From the Mageia advisory:
Malformed network packets could cause denial of service (memory
exhaustion or CPU-bound loop) in Freeciv before 2.3.3
See the Freeciv announcement for more details. |
| Alerts: |
|
Comments (none posted)
java: multiple vulnerabilities
| Package(s): | java-1.7.0-oracle |
CVE #(s): | CVE-2012-3174
CVE-2013-0422
|
| Created: | January 15, 2013 |
Updated: | January 25, 2013 |
| Description: |
From the CVE entries:
Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-0422. NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422. This identifier is for a different vulnerability whose details are not public as of 20130114. (CVE-2012-3174)
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue. (CVE-2013-0422)
See the Oracle Security Alert for additional information.
|
| Alerts: |
|
Comments (none posted)
kde-filesystem: insecure build flags
| Package(s): | kde-filesystem |
CVE #(s): | |
| Created: | January 14, 2013 |
Updated: | January 16, 2013 |
| Description: |
From the Red Hat bugzilla:
Sync FFLAGS and LDFLAGS in the %cmake_kde4 macro with redhat-rpm-config |
| Alerts: |
|
Comments (none posted)
kexec-tools: executable stack
| Package(s): | kexec-tools |
CVE #(s): | |
| Created: | January 15, 2013 |
Updated: | January 16, 2013 |
| Description: |
Fedora fixed an executable stack issue for ppc32 in kexec-tools 2.0.3-64. |
| Alerts: |
|
Comments (none posted)
mozilla: cross-site scripting
| Package(s): | iceape, thunderbird, seamonkey, firefox |
CVE #(s): | CVE-2013-0751
|
| Created: | January 15, 2013 |
Updated: | February 18, 2013 |
| Description: |
From the CVE entry:
Mozilla Firefox before 18.0 on Android and SeaMonkey before 2.15 do not restrict a touch event to a single IFRAME element, which allows remote attackers to obtain sensitive information or possibly conduct cross-site scripting (XSS) attacks via a crafted HTML document. |
| Alerts: |
|
Comments (none posted)
mysql: authentication bypass
| Package(s): | mysql |
CVE #(s): | CVE-2012-4452
|
| Created: | January 14, 2013 |
Updated: | January 17, 2013 |
| Description: |
From the CVE entry:
MySQL 5.0.88, and possibly other versions and platforms, allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of a CVE-2009-4030 regression, which was not omitted in other packages and versions such as MySQL 5.0.95 in Red Hat Enterprise Linux 6. |
| Alerts: |
|
Comments (none posted)
OpenIPMI: invalid permissions
| Package(s): | OpenIPMI |
CVE #(s): | CVE-2011-4339
|
| Created: | January 14, 2013 |
Updated: | January 17, 2013 |
| Description: |
From the CVE entry:
ipmievd (aka the IPMI event daemon) in OpenIPMI, as used in the ipmitool package 1.8.11 in Red Hat Enterprise Linux (RHEL) 6, Debian GNU/Linux, Fedora 16, and other products uses 0666 permissions for its ipmievd.pid PID file, which allows local users to kill arbitrary processes by writing to this file.
|
| Alerts: |
|
Comments (none posted)
pl: code execution
| Package(s): | pl |
CVE #(s): | CVE-2012-6090
CVE-2012-6089
|
| Created: | January 15, 2013 |
Updated: | January 16, 2013 |
| Description: |
From the CVE entries:
Multiple stack-based buffer overflows in the expand function in os/pl-glob.c in SWI-Prolog before 6.2.5 and 6.3.x before 6.3.7 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted filename. (CVE-2012-6090)
Multiple stack-based buffer overflows in the canoniseFileName function in os/pl-os.c in SWI-Prolog before 6.2.5 and 6.3.x before 6.3.7 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted filename. (CVE-2012-6089) |
| Alerts: |
|
Comments (none posted)
proftpd-dfsg: privilege escalation
| Package(s): | proftpd-dfsg |
CVE #(s): | CVE-2012-6095
|
| Created: | January 14, 2013 |
Updated: | April 8, 2013 |
| Description: |
From the Debian advisory:
It has been discovered that in ProFTPd, an FTP server, an attacker on
the same physical host as the server may be able to perform a symlink
attack allowing to elevate privileges in some configurations. |
| Alerts: |
|
Comments (none posted)
qemu: buffer overflow
| Package(s): | qemu-kvm, qemu |
CVE #(s): | CVE-2012-6075
|
| Created: | January 16, 2013 |
Updated: | March 13, 2013 |
| Description: |
From the Debian advisory:
It was discovered that the e1000 emulation code in QEMU does not
enforce frame size limits in the same way as the real hardware does.
This could trigger buffer overflows in the guest operating system
driver for that network card, assuming that the host system does not
discard such frames (which it will by default). |
| Alerts: |
|
Comments (none posted)
qt: confusing SSL error messages
| Package(s): | qt |
CVE #(s): | CVE-2012-6093
|
| Created: | January 14, 2013 |
Updated: | February 7, 2013 |
| Description: |
From the Red Hat bugzilla:
A security flaw was found in the way QSslSocket implementation of the Qt, a software toolkit for applications development, performed certificate verification callbacks, when Qt libraries were used with different OpenSSL version than the one, they were compiled against. In such scenario, this would result in a connection error, but with the SSL error list to contain QSslError:NoError instead of proper reason of the error. This might result in a confusing error being presented to the end users, possibly encouraging them to ignore the SSL errors for the site the connection was initiated against. |
| Alerts: |
|
Comments (none posted)
rails: code execution and more
| Package(s): | rails |
CVE #(s): | CVE-2013-0156
|
| Created: | January 10, 2013 |
Updated: | January 23, 2013 |
| Description: |
From the Debian advisory:
It was discovered that Rails, the Ruby web application development
framework, performed insufficient validation on input parameters,
allowing unintended type conversions. An attacker may use this to
bypass authentication systems, inject arbitrary SQL, inject and
execute arbitrary code, or perform a DoS attack on the application.
Lots more information can be found in the Rails advisory and this analysis. |
| Alerts: |
|
Comments (none posted)
rubygem-activerecord: sql injection
| Package(s): | rubygem-activerecord |
CVE #(s): | CVE-2012-6496
|
| Created: | January 15, 2013 |
Updated: | January 21, 2013 |
| Description: |
From the CVE entry:
SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls. |
| Alerts: |
|
Comments (none posted)
tcl-snack: code execution
| Package(s): | tcl-snack |
CVE #(s): | CVE-2012-6303
|
| Created: | January 14, 2013 |
Updated: | January 25, 2013 |
| Description: |
From the Secunia Advisory:
Two vulnerabilities have been discovered in Snack Sound Toolkit, which can be exploited by malicious people to compromise a user's system.
The vulnerabilities are caused due to missing boundary checks in the "GetWavHeader()" function (generic/jkSoundFile.c) when parsing either format sub-chunks or unknown sub-chunks. This can be exploited to cause a heap-based buffer overflow via specially crafted WAV files with overly large chunk sizes specified.
Successful exploitation may allow execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
Page editor: Jake Edge
Next page: Kernel development>>
|
|
