By Jake Edge
January 23, 2013
When using encrypted communication, users are at the mercy of the software
that implements the cryptography. That generally works out reasonably
well; users are only exposed to inadvertent bugs present in the code. But a
recent report shows that sometimes using encryption may not actually result
in more secure communication—such security depends on having tools that are
actually trying to do what is expected of them.

When a user visits an HTTPS site, they expect their browser to use an
encrypted connection between it and the web site. Truthfully, many users
are not technically sophisticated enough to understand that, but they have
been (hopefully) trained to trust in the "lock" icon or other user
interface elements that indicate a secure connection. Whether the user
knows that means "encryption" or not depends on their level of technical
savvy, but they almost certainly don't expect their secure data to be sent
to a third-party server. But that's evidently what Nokia's Xpress mobile
browser has been doing.

HTTPS traffic is encrypted using keys that get exchanged between the
destination server and client browser. A public key is contained in a
server certificate that is signed by someone—typically a certificate
authority (CA). The signature asserts that the key belongs to that server
name. The public key is then used to encrypt and exchange session keys that
are subsequently used to encrypt the session. The CA is integral to the web
browser trust model; keys that don't validate under that model (e.g. keys
signed by unknown or untrusted CAs, server names that do not match, etc.)
are expected to cause some kind of alert from the browser.

So it came as something of a surprise to security researcher Gaurang Pandya
that both regular HTTP and encrypted HTTPS traffic were being re-routed
when using the Xpress browser. Worse yet, the certificate presented for any
site visited was not that of the site in question; it was, instead, an
ovi.com certificate. Ovi is Nokia's "brand" for its internet services.

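The server-name check that a conforming browser applies, and that a proxy certificate issued for ovi.com cannot pass for any other site, sketched as an added example (not code from the article, Nokia or any browser). The certificates are constructed dictionaries in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, the host names are made up, and chain validation against trusted CAs is not shown.

```python
# Added example: the server-name half of browser certificate validation.
# Certificates are constructed dicts shaped like ssl.SSLSocket.getpeercert().

def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against the requested host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or p[1:] != h[1:]:
        return False              # a wildcard covers exactly one label
    if p[0] == "*":
        return len(p) >= 3        # refuse "*.com"-style wildcards
    # partial wildcards such as "w*" are rejected outright (stricter than
    # the RFC 6125 rules allow, which is the safe direction)
    return "*" not in p[0] and p[0] == h[0]


def cert_dns_names(cert):
    """DNS subjectAltNames; commonName only as a legacy fallback."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def find_mismatches(observations):
    """Return (host, presented names) for every connection whose
    certificate does not name the host that was requested."""
    flagged = []
    for host, cert in observations:
        names = cert_dns_names(cert)
        if not any(dns_name_matches(n, host) for n in names):
            flagged.append((host, names))
    return flagged


# Constructed sample data; the host names are illustrative only.
SITE_CERT = {"subject": ((("commonName", "www.bank.example"),),),
             "subjectAltName": (("DNS", "www.bank.example"),
                                ("DNS", "bank.example"))}
PROXY_CERT = {"subject": ((("commonName", "ovi.com"),),),
              "subjectAltName": (("DNS", "ovi.com"), ("DNS", "*.ovi.com"))}

OBSERVED = [
    ("www.bank.example", SITE_CERT),    # direct connection
    ("www.bank.example", PROXY_CERT),   # proxy answers with its own cert
    ("mail.ovi.com", PROXY_CERT),       # proxy cert is fine for its own name
]

if __name__ == "__main__":
    for host, names in find_mismatches(OBSERVED):
        print(f"ALERT: asked for {host}, certificate names {names}")
```
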
From some angles, this looks like a classic "man-in-the-middle" attack, but
because the browser is complicit, Steve Schultze of the "Freedom to Tinker"
blog calls it a "man-in-the-client". The man in the client is accepting a
certificate for a Nokia proxy server instead of the site the user wanted to
connect to, without notifying the user. Meanwhile, the man in the middle
lives at the Nokia proxy server, which is making a connection to the
desired destination.

The proxy is used to speed up mobile browsing by using compression. It is
similar to what is done by the Opera Mini browser, which Pandya also noted
in his first report. But, Nokia was also using the proxy for HTTPS
traffic, which meant that it was decrypting the incoming stream at the
proxy and re-encrypting it, using the real destination's key, before
sending it onward.

Decrypting the HTTPS traffic from the mobile browser was not necessarily
required, depending on how Nokia implemented things. It could have
just relayed the traffic between the two endpoints by tunneling the traffic
inside a client-to-proxy session. That would not have required
decrypting the traffic, but it also would not have allowed the proxy to do
its compression on the data, obviating the need for the proxy.

Nokia, however, admitted that it decrypted the traffic in a comment by Mark
Durrant on Pandya's post:

"Importantly, the proxy servers do not store the content of web pages
visited by our users or any information they enter into them. When
temporary decryption of HTTPS connections is required on our proxy servers,
to transform and deliver users' content, it is done in a secure manner."

The "secure manner" phrase does not completely reassure, but this does not
really look like an attempt to (knowingly) invade users' privacy.
Durrant noted that Nokia has "implemented appropriate
organizational and technical measures to prevent access to private
information". It seems quite likely that this was simply a misstep
by the company—one that could lead to a loss of privacy for Xpress users.

That interpretation seems to be borne out by changes that Nokia made to the
Xpress browser after Pandya's report. After a browser update, Pandya noted
that HTTPS sessions were not being handled in the same way. The HTTPS
traffic is now tunneled over an HTTP connection to Nokia's servers, and the
certificate being used (at least as reported by the browser) is the proper
one for the destination. So, only the destination endpoint should be able
to decrypt the data. Given that, though, it's not clear why the proxy is
not just bypassed for HTTPS traffic.

The "welcome" notice that comes when installing the Xpress browser does
make note of HTTPS decryption (though Schultze wonders how long that's been
true), but it certainly doesn't fully describe what's going on. Many users
are likely to gloss over that statement—or not understand it at all. While
web compression is a helpful feature for some users, it shouldn't come at
the expense of reasonable security and privacy expectations.

As more of our traffic moves into "the cloud", we will be seeing more of
these kinds of problems. Investigations like Pandya's will be needed to
ensure that we at least know this type of network manipulation is
occurring. Open source mobile operating systems (or even just open source
browsers on proprietary systems) make it easier to find and eliminate this
kind of mistake, but vigilance is needed there as well. Reviewing the code
and ensuring that the "app" corresponds to the code reviewed are still required.
With open source, though, we can peek inside the black box, which should
make things easier—though not foolproof.

Brief items
Achieving any real security requires that password verification take on the
order of hundreds of milliseconds or even whole seconds. Unfortunately this
hasn't been the experience of the past 20 years. MD5 was launched over 20
years ago and is still the most common implementation I see in the wild,
though it's gone from being relatively expensive to evaluate to extremely
cheap. Moore's Law has indeed broken MD5 as a password hash and no serious
application should still use it. Human memory isn't more of a problem today
than it used to be though. The problem is that we've chosen to let password
verification become too cheap.
-- Joseph Bonneau

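One way to act on the point in the quote above, as an added example (not code from the quoted post or from LWN): calibrate the hash cost so that a single verification takes a chosen fraction of a second on the machine doing it, and store that cost with each record so it can be raised later. PBKDF2-HMAC-SHA256 from Python's standard library stands in for any tunable password hash; the 0.25-second target, the iteration floor and the record format are assumptions.

```python
# Added example: tune password-verification cost to wall-clock time.
import hashlib
import hmac
import os
import time

MIN_ITERATIONS = 100_000  # assumed floor; never calibrate below this


def calibrate(target_seconds=0.25, start=MIN_ITERATIONS):
    """Double the iteration count until one hash takes >= target_seconds."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", b"\x00" * 16, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


def hash_password(password, iterations):
    """Return a record that stores the cost next to the salt and digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored parameters; compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record
        return False


def needs_rehash(record, current_iterations):
    """True when a stored record is cheaper than today's calibrated cost."""
    return int(record.split("$")[1]) < current_iterations


if __name__ == "__main__":
    cost = calibrate()
    record = hash_password("correct horse battery staple", cost)
    t0 = time.perf_counter()
    ok = verify_password("correct horse battery staple", record)
    print(f"iterations={cost} verified={ok} in {time.perf_counter() - t0:.3f}s")
    t0 = time.perf_counter()
    hashlib.md5(b"correct horse battery staple").hexdigest()
    print(f"one unsalted MD5: {time.perf_counter() - t0:.6f}s")
```
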
Beyond that, there's the fact that Facebook "likes" and profile settings
aren't necessarily accurate reflections of reality. A search for "Married
people who like Prostitutes" seems more likely to turn up people who
thought it would be funny to hit "like" on a page called "Prostitutes" than
actual johns. And note that those "Islamic men interested in men who live
in Tehran, Iran" all say they're interested in both males and females,
which probably just means that they interpreted "interested in" in a
non-sexual way and decided not to discriminate by gender. Still, I wouldn't
envy the hypothetical position of a Chinese citizen trying to convince
Communist Party agents that he hit "like" on the "Falun Gong" page
ironically or by accident.
-- Will Oremus on Facebook's new search in Slate

New vulnerabilities
freeradius2: authentication bypass
Package(s): freeradius2
CVE #(s): CVE-2011-4966
Created: January 17, 2013
Updated: February 7, 2013
Description: From the Red Hat advisory:
It was found that the "unix" module ignored the password expiration
setting in "/etc/shadow". If FreeRADIUS was configured to use this module
for user authentication, this flaw could allow users with an expired
password to successfully authenticate, even though their access should have
been denied. (CVE-2011-4966)

ganglia: PHP script execution
Package(s): ganglia
CVE #(s): CVE-2012-3448
Created: January 22, 2013
Updated: January 23, 2013
Description: From the Debian advisory:
Insufficient input sanitization in Ganglia, a web based monitoring system,
could lead to remote PHP script execution with permissions of the user running the web browser.

httpd: multiple vulnerabilities
Package(s): httpd
CVE #(s): CVE-2008-0455, CVE-2008-0456
Created: January 17, 2013
Updated: February 12, 2013
Description: From the Scientific Linux advisory:
Input sanitization flaws were found in the mod_negotiation module. A remote
attacker able to upload or create files with arbitrary names in a directory
that has the MultiViews options enabled, could use these flaws to conduct
cross-site scripting and HTTP response splitting attacks against users
visiting the site. (CVE-2008-0455, CVE-2008-0456)

kernel: denial of service
Package(s): linux
CVE #(s): CVE-2012-5532
Created: January 18, 2013
Updated: January 23, 2013
Description: From the Ubuntu advisory:
Florian Weimer discovered that hypervkvpd, which is distributed in the
Linux kernel, was not correctly validating source addresses of netlink
packets. An untrusted local user can cause a denial of service by causing
hypervkvpd to exit. (CVE-2012-5532)

kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2013-0190
Created: January 21, 2013
Updated: March 15, 2013
Description: From the Red Hat bugzilla:
A flaw was found in the way xen_failsafe_callback() handled failed iret,
which causes the stack pointer to be wrong when entering the
iret_exc error path. An unprivileged local guest user in the 32-bit PV
Xen domain could use this flaw to crash the guest.

kernel: information disclosure
Package(s): kernel
CVE #(s): CVE-2012-4467
Created: January 18, 2013
Updated: January 23, 2013
Description: From the Mageia advisory:
Commit 644595f89620 ("compat: Handle COMPAT_USE_64BIT_TIME in
net/socket.c") introduced a bug where the helper functions to take
either a 64-bit or compat time[spec|val] got the arguments in the
wrong order, passing the kernel stack pointer off as a user pointer
(and vice versa).
Because of the user address range check, that in turn then causes an
EFAULT due to the user pointer range checking failing for the kernel
address. Incorrectly resulting in a failed system call for 32-bit
processes with a 64-bit kernel.
On odder architectures like HP-PA (with separate user/kernel address
spaces), it can be used to read kernel memory.

movabletype-opensource: command/SQL injection
Package(s): movabletype-opensource
CVE #(s): CVE-2013-0209
Created: January 22, 2013
Updated: January 23, 2013
Description: From the Debian advisory:
An input sanitation problem has been found in upgrade functions of
movabletype-opensource, a web-based publishing platform. Using carefully
crafted requests to the mt-upgrade.cgi file, it would be possible to inject OS command and SQL queries.

mysql: multiple vulnerabilities
Comments (none posted)
mysql: SQL command execution
Package(s): mysql-community-server
CVE #(s): CVE-2012-4414
Created: January 23, 2013
Updated: January 23, 2013
Description: From the CVE entry:
Multiple SQL injection vulnerabilities in the replication code in Oracle MySQL possibly before 5.5.29, and MariaDB 5.1.x through 5.1.62, 5.2.x through 5.2.12, 5.3.x through 5.3.7, and 5.5.x through 5.5.25, allow remote authenticated users to execute arbitrary SQL commands via vectors related to the binary log. NOTE: as of 20130116, Oracle has not commented on claims from a downstream vendor that the fix in MySQL 5.5.29 is incomplete.

nagios: code execution
Package(s): nagios
CVE #(s): CVE-2012-6096
Created: January 23, 2013
Updated: March 27, 2013
Description: From the CVE entry:
Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host parameter) or (2) svc_description variable.

php5: information disclosure
Package(s): php5
CVE #(s): CVE-2012-6113
Created: January 22, 2013
Updated: January 23, 2013
Description: From the CVE entry:
The openssl_encrypt function in ext/openssl/openssl.c in PHP 5.3.9 through 5.3.13 does not initialize a certain variable, which allows remote attackers to obtain sensitive information from process memory by providing zero bytes of input data.

rails: privilege escalation
Package(s): rails
CVE #(s): CVE-2013-0155
Created: January 17, 2013
Updated: January 23, 2013
Description: From the Debian advisory:
An interpretation conflict can cause the Active Record component of
Rails, a web framework for the Ruby programming language, to truncate
queries in unexpected ways. This may allow attackers to elevate their
privileges.

rpm: incorrect signature checking
Package(s): rpm
CVE #(s): CVE-2012-6088
Created: January 17, 2013
Updated: January 23, 2013
Description: From the Ubuntu advisory:
It was discovered that RPM incorrectly handled signature checking. An
attacker could create a specially-crafted rpm with an invalid signature
which could pass the signature validation check.

sleuthkit: evade detection by forensic analysis
Package(s): sleuthkit
CVE #(s): CVE-2012-5619
Created: January 23, 2013
Updated: February 7, 2013
Description: From the Red Hat bugzilla:
A security flaw was found in the way the Sleuth Kit (TSK), a collection of UNIX-based command line tools allowing to investigate a computer, performed management of '.' (dotfile) file system entry. An attacker could use this flaw to evade detection by forensic analysis (hide certain files not to be scanned) by renaming the file in question to be '.' file system entry.
The original report speaks about this attack vector to be present when scanning FAT (File Allocation Table) file system. It is possible though, the flaw to be present on other file systems, which do not reserve usage of '.' entry for special purpose, too.

squirrelmail: denial of service
Package(s): squirrelmail
CVE #(s): CVE-2012-2124
Created: January 17, 2013
Updated: January 23, 2013
Description: From the Red Hat advisory:
The SquirrelMail security update RHSA-2012:0103 did not, unlike the erratum
text stated, correct the CVE-2010-2813 issue, a flaw in the way
SquirrelMail handled failed log in attempts. A user preference file was
created when attempting to log in with a password containing an 8-bit
character, even if the username was not valid. A remote attacker could use
this flaw to eventually consume all hard disk space on the target
SquirrelMail server. (CVE-2012-2124)

vino: multiple vulnerabilities
Package(s): vino
CVE #(s): CVE-2011-1164, CVE-2011-1165, CVE-2012-4429
Created: January 22, 2013
Updated: February 7, 2013
Description: From the Red Hat advisory:
It was found that Vino transmitted all clipboard activity on the system
running Vino to all clients connected to port 5900, even those who had not
authenticated. A remote attacker who is able to access port 5900 on a
system running Vino could use this flaw to read clipboard data without
authenticating. (CVE-2012-4429)
In certain circumstances, the vino-preferences dialog box incorrectly
indicated that Vino was only accessible from the local network. This could
confuse a user into believing connections from external networks are not
allowed (even when they are allowed). With this update, vino-preferences no
longer displays connectivity and reachable information. (CVE-2011-1164)
There was no warning that Universal Plug and Play (UPnP) was used to open
ports on a user's network router when the "Configure network automatically
to accept connections" option was enabled (it is disabled by default) in
the Vino preferences. This update changes the option's description to avoid
the risk of a UPnP router configuration change without the user's consent.
(CVE-2011-1165)

WebYaST: information disclosure
Package(s): WebYaST
CVE #(s): CVE-2012-0435
Created: January 23, 2013
Updated: January 23, 2013
Description: From the SUSE advisory:
The hosts list used by WebYaST for connecting to its back
end part was modifiable allowing to point to a malicious
website which then could access all values sent by WebYaST.
The /host configuration path was removed to fix this issue.

xen: denial of service
Package(s): xen
CVE #(s): CVE-2012-5634, CVE-2013-0154
Created: January 23, 2013
Updated: February 4, 2013
Description: From the Red Hat bugzilla:
When passing a device which is behind a legacy PCI Bridge through to
a guest Xen incorrectly configures the VT-d hardware. This could allow
incorrect interrupts to be injected to other guests which also have
passthrough devices.
In a typical Xen system many devices are owned by domain 0 or driver
domains, leaving them vulnerable to such an attack. Such a DoS is
likely to have an impact on other guests running in the system.
On systems using Intel VT-d for PCI passthrough a malicious domain,
given access to a device which is behind a legacy PCI bridge, can
mount a denial of service attack affecting the whole system.

xorg-x11-apps: code execution
Package(s): xorg-x11-apps
CVE #(s): CVE-2011-2504
Created: January 17, 2013
Updated: March 15, 2013
Description: From the Red Hat advisory:
It was found that the x11perfcomp utility included the current working
directory in its PATH environment variable. Running x11perfcomp in an
attacker-controlled directory would cause arbitrary code execution with
the privileges of the user running x11perfcomp.

Page editor: Jake Edge