Security
By Jake Edge January 30, 2013
SCSI command filtering has been the source of a number of Linux kernel problems over the years. In order to allow unprivileged users access to the commands needed for playing and burning CDs/DVDs, for example, the privilege requirement for sending SCSI commands was lowered. But that, in turn, caused problems where those unprivileged users could issue commands that were rather dangerous, including some that could destroy devices entirely. That led to a SCSI command whitelist being added to the 2.6.8 kernel, way back in 2004.
That whitelisting approach has itself proved problematic, to the point where it was proposed for removal in 2006; that proposal failed due to strong opposition from Linus Torvalds. A privilege escalation vulnerability found in late 2011 is a more recent example where the filtering wasn't strict enough. Another hole has recently been discovered; Paolo Bonzini has posted a patch set to close the hole, while also addressing some other deficiencies in the SCSI command filtering.
The hole is CVE-2012-4542, which is caused by SCSI command opcodes that overlap between device classes. The existing filter only distinguishes between file descriptors opened read-only and those opened read-write: opcodes on its "read-safe" list are allowed on any open, while "write-safe" opcodes require a writable open. But the opcode byte alone does not identify a command; in some cases the same opcode will write to one kind of device while it reads from another. For example, the READ SUB-CHANNEL (0x42) command for an MMC (CD or DVD) device is on the read-safe list, but 0x42 is the UNMAP command on a disk. So, a command that merely requests the sub-channel information for an audio CD would, if sent over a read-only descriptor to a disk, pass the filter and unmap (discard) logical blocks. There are other examples cited in the bug report and patches, but the basic problem stems from the filtering not being aware of the destination device class.
Without that information, it is not possible to be sure which opcodes are actually read-only and which will write to the device. The first part of Bonzini's patch set restructures the filter table to associate the device class and direction (read or write) with each command; he also changes blk_verify_command() to take the device class as an input and consult the new table. Another chunk of the patch set adds more entries to the table, both for "rare & obsolete device types" and for more whitelisted commands on existing device types.
The last piece of the set (beyond a minor cleanup) adds the ability to turn off the whitelist on a per-device basis. Currently, a process can be given the CAP_SYS_RAWIO capability, which allows it to send any SCSI command to any device. But that makes for fairly coarse-grained control, because it covers every device on the system. In addition, CAP_SYS_RAWIO grants other raw hardware access as well (I/O port access and /dev/mem, for example), so a process holding it can generally escalate to full root privileges; that argues against handing it out just to send a few extra SCSI commands.
Bonzini adds a new sysfs file, /sys/block/<device>/unpriv_sgio; if it is set to '1', the command filter is bypassed for any file descriptor on that device that was not opened read-only. The idea is that a suitably opened file descriptor can then be handed to a trusted process, as described in the patch:
This is useful for virtualization, where some trusted guests would like to send commands such as persistent reservations, but still the virtual machine monitor should run with restricted permissions.
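The class-aware filter table and the unpriv_sgio bypass described above, as an added illustrative example written for this article (it is not the kernel's block/scsi_ioctl.c and not Bonzini's patch): a class-unaware filter in the old read_ok/write_ok shape sits beside a class-aware one, so the CVE-2012-4542 case can be checked against both. The device type codes (TYPE_DISK, TYPE_ROM) and the opcodes are the standard SCSI values; the table contents are a hypothetical excerpt rather than the kernel's whitelist, and the unpriv_sgio knob is passed in as a parameter instead of being read from sysfs.

```c
/*
 * Illustrative SCSI command filter written for this article: a
 * class-unaware filter in the old read_ok/write_ok shape next to a
 * device-class-aware one.  Not the kernel's block/scsi_ioctl.c and not
 * Bonzini's patch; the table is a hypothetical excerpt, not the whitelist.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* INQUIRY peripheral device type codes (the kernel's TYPE_DISK/TYPE_ROM) */
#define TYPE_DISK 0x00
#define TYPE_ROM  0x05
#define TYPE_ANY  0xff		/* rule applies to every device class */

/* SCSI opcodes; 0x42 is READ SUB-CHANNEL on MMC but UNMAP on SBC disks */
#define OP_TEST_UNIT_READY        0x00
#define OP_INQUIRY                0x12
#define OP_READ_10                0x28
#define OP_WRITE_10               0x2a
#define OP_READ_SUBCHANNEL        0x42
#define OP_UNMAP                  0x42
#define OP_READ_TOC               0x43
#define OP_PERSISTENT_RESERVE_OUT 0x5f

/* Old shape: per-opcode bitmaps with no notion of device class */
static bool legacy_read_ok[256], legacy_write_ok[256];

static void legacy_init(void)
{
	legacy_read_ok[OP_TEST_UNIT_READY] = legacy_read_ok[OP_INQUIRY] = true;
	legacy_read_ok[OP_READ_10] = true;
	/* CD opcodes land in read_ok for every device: this is the bug */
	legacy_read_ok[OP_READ_SUBCHANNEL] = legacy_read_ok[OP_READ_TOC] = true;
	legacy_write_ok[OP_WRITE_10] = legacy_write_ok[OP_PERSISTENT_RESERVE_OUT] = true;
}

/* Returns 0 when the command is permitted, -EPERM otherwise */
int legacy_verify_command(uint8_t opcode, bool fd_writable)
{
	static bool initialized;

	if (!initialized) {
		legacy_init();
		initialized = true;
	}
	if (legacy_read_ok[opcode])
		return 0;
	if (legacy_write_ok[opcode] && fd_writable)
		return 0;
	return -EPERM;
}

/* New shape: every rule carries the device class it applies to */
struct cmd_rule {
	uint8_t opcode;
	uint8_t dev_type;	/* TYPE_DISK, TYPE_ROM or TYPE_ANY */
	bool writes;		/* true: requires a read-write open */
};

static const struct cmd_rule typed_table[] = {
	{ OP_TEST_UNIT_READY,        TYPE_ANY,  false },
	{ OP_INQUIRY,                TYPE_ANY,  false },
	{ OP_READ_10,                TYPE_ANY,  false },
	{ OP_WRITE_10,               TYPE_ANY,  true  },
	{ OP_READ_SUBCHANNEL,        TYPE_ROM,  false },	/* read-safe on CD/DVD only */
	{ OP_READ_TOC,               TYPE_ROM,  false },
	{ OP_UNMAP,                  TYPE_DISK, true  },	/* same 0x42, a write on disks */
	{ OP_PERSISTENT_RESERVE_OUT, TYPE_ANY,  true  },
};

/*
 * Class-aware check.  unpriv_sgio stands in for the per-device sysfs knob:
 * when set, a read-write open bypasses the table, while read-only opens
 * are still filtered.  Returns 0 when permitted, -EPERM otherwise.
 */
int typed_verify_command(uint8_t opcode, uint8_t dev_type, bool fd_writable,
			 bool unpriv_sgio)
{
	size_t i;

	if (unpriv_sgio && fd_writable)
		return 0;
	for (i = 0; i < sizeof(typed_table) / sizeof(typed_table[0]); i++) {
		const struct cmd_rule *r = &typed_table[i];

		if (r->opcode != opcode)
			continue;
		if (r->dev_type != TYPE_ANY && r->dev_type != dev_type)
			continue;
		if (!r->writes || fd_writable)
			return 0;
	}
	return -EPERM;	/* not whitelisted for this class, or needs a rw open */
}

int main(void)
{
	const struct { uint8_t op, type; bool rw; const char *what; } cases[] = {
		{ 0x42, TYPE_ROM,  false, "READ SUB-CHANNEL on a CD, read-only fd" },
		{ 0x42, TYPE_DISK, false, "same opcode (UNMAP) on a disk, read-only fd" },
		{ 0x42, TYPE_DISK, true,  "UNMAP on a disk, read-write fd" },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-46s legacy=%s  class-aware=%s\n", cases[i].what,
		       legacy_verify_command(cases[i].op, cases[i].rw) ? "deny" : "allow",
		       typed_verify_command(cases[i].op, cases[i].type, cases[i].rw, false)
		       ? "deny" : "allow");
	return 0;
}
```

The legacy filter allows all three cases, because 0x42 is simply on its read-safe list; the class-aware filter denies the second one, which is exactly the CVE-2012-4542 case, while still permitting it over a writable descriptor. The unpriv_sgio flag only short-circuits the table for writable opens, so a read-only open stays filtered; since it is a per-device bypass, it should be enabled only on devices whose descriptors are handed to trusted processes.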
Other than some fairly minor quibbles from Tejun Heo, there have been no comments on the patch set. Given that it fixes a CVE, it seems likely to be picked up fairly soon (even if the CVE number in the patch subject may get lost in translation to Torvalds's Git tree). The other pieces of the patch set are perhaps less important, but seem relatively uncontroversial.
Allowing non-root users to access hardware more or less directly is always problematic from a security standpoint. There is always tension, though, because users have strong ideas about how they want to use their systems. The history of the SCSI command whitelist shows that it is rather difficult to find the right balance between protecting the system and its hardware, and making a system that is usable—at least for some definitions of "usable".
Brief items
That's security in today's world. We have no choice but to trust
Microsoft. Microsoft has reasons to be trustworthy, but they also have
reasons to betray our trust in favor of other interests. And all we can do
is ask them nicely to tell us first.
-- Bruce Schneier on the Open Letter to Skype
That said, recently made security "improvements" to Java
SE 7 software don't prevent silent exploits at all. Users
that require Java content in the web browser need to rely
on a Click to Play technology implemented by several web
browser vendors in order to mitigate the risk of a silent
Java Plugin exploit.
-- Adam Gowdiak is unimpressed with recent Java security updates
Newegg refuses to settle in cases like this, even when it would be cheaper
to settle than to fight. They beat the hell out of Soverain, killed their
patent, and freed not just themselves, but all the firms that faced
potential extortion from them -- and all of us, who will pay higher prices
to keep these ticks nicely, comfortably bloated with their parasitic gains.
-- Cory Doctorow
We require that government agencies conducting criminal investigations use
a search warrant to compel us to provide a user's search query information
and private content stored in a Google Account—such as Gmail messages,
documents, photos and YouTube videos. We believe a warrant is required by
the Fourth Amendment to the U.S. Constitution, which prohibits unreasonable
search and seizure and overrides conflicting provisions in ECPA [Electronic
Communications Privacy Act].
-- Google
The Greatfire.org site has a detailed analysis of a man-in-the-middle attack apparently directed against Chinese Github users. "It’s clear that a lot of software developers in China rely on GitHub for their code sharing. Completely cutting access affects big business. GitHub may just be too important to block. That leaves the authorities in a real pickle. They can’t selectively block content on GitHub nor monitor what users are doing there. They also cannot block the website altogether lest they hurt important Chinese companies. This is where man-in-the-middle attacks make their entrance. By faking SSL certificates, the authorities can indeed intercept and track traffic to encrypted websites."
New vulnerabilities
corosync: denial of service
Package(s): corosync
CVE #(s): (none listed)
Created: January 30, 2013
Updated: January 30, 2013
Description:
Corosync v2.3.0 fixes a potential denial of service, because HMAC was used without a key.
cronie: file descriptor leak
Package(s): cronie
CVE #(s): CVE-2012-6097
Created: January 29, 2013
Updated: April 5, 2013
Description:
From the openSUSE advisory:
cron: does not close file descriptors before invocation of commands. See this bug report for more information.
drupal: multiple vulnerabilities
Package(s): drupal7, drupal6
CVE #(s): (none listed)
Created: January 28, 2013
Updated: March 6, 2013
Description:
From the Red Hat bugzilla:
Drupal upstream has released 6.28 and 7.19 versions to correct multiple security issues. See the Drupal advisory for SA-CORE-2013-001.
glance: information leak
Package(s): glance
CVE #(s): CVE-2013-0212
Created: January 30, 2013
Updated: February 14, 2013
Description:
From the Ubuntu advisory:
Dan Prince discovered an issue in Glance error reporting. An authenticated attacker could exploit this to expose the Glance operator's Swift credentials for a misconfigured or otherwise unusable Swift endpoint.
inkscape: unintended file access
Package(s): inkscape
CVE #(s): CVE-2012-6076
Created: January 30, 2013
Updated: February 14, 2013
Description:
From the Ubuntu advisory:
It was discovered that Inkscape attempted to open certain files from the /tmp directory instead of the current directory. A local attacker could trick a user into opening a different file than the one that was intended.
ipa: authentication bypass
Package(s): ipa
CVE #(s): CVE-2012-5484
Created: January 24, 2013
Updated: February 25, 2013
Description:
From the Red Hat advisory:
A weakness was found in the way IPA clients communicated with IPA servers
when initially attempting to join IPA domains. As there was no secure way
to provide the IPA server's Certificate Authority (CA) certificate to the
client during a join, the IPA client enrollment process was susceptible to
man-in-the-middle attacks. This flaw could allow an attacker to obtain
access to the IPA server using the credentials provided by an IPA client,
including administrative access to the entire domain if the join was
performed using an administrator's credentials. (CVE-2012-5484)
Note: This weakness was only exposed during the initial client join to the
realm, because the IPA client did not yet have the CA certificate of the
server. Once an IPA client has joined the realm and has obtained the CA
certificate of the IPA server, all further communication is secure. If a
client were using the OTP (one-time password) method to join to the realm,
an attacker could only obtain unprivileged access to the server (enough to
only join the realm).
ircd-ratbox: denial of service
Package(s): ircd-ratbox
CVE #(s): CVE-2012-6084
Created: January 25, 2013
Updated: February 11, 2013
Description:
From the Debian advisory:
It was discovered that a bug in the server capability negotiation code of ircd-ratbox could result in denial of service.
libav: multiple vulnerabilities
Package(s): libav ffmpeg
CVE #(s): CVE-2012-2783, CVE-2012-2791, CVE-2012-2797, CVE-2012-2803, CVE-2012-2804
Created: January 28, 2013
Updated: February 18, 2013
Description:
From the CVE entries:
Unspecified vulnerability in libavcodec/vp56.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to "freeing the returned frame." (CVE-2012-2783)
Multiple unspecified vulnerabilities in the (1) decode_band_hdr function in indeo4.c and (2) ff_ivi_decode_blocks function in ivi_common.c in libavcodec/ in FFmpeg before 0.11 have unknown impact and attack vectors, related to the "transform size." (CVE-2012-2791)
Unspecified vulnerability in the decode_frame_mp3on4 function in libavcodec/mpegaudiodec.c in FFmpeg before 0.11 has unknown impact and attack vectors related to a calculation that prevents a frame from being "large enough." (CVE-2012-2797)
Double free vulnerability in the mpeg_decode_frame function in libavcodec/mpeg12.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to resetting the data size value. (CVE-2012-2803)
Unspecified vulnerability in libavcodec/indeo3.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to "reallocation code" and the luma height and width. (CVE-2012-2804)
libssh: denial of service
Package(s): libssh
CVE #(s): CVE-2013-0176
Created: January 28, 2013
Updated: March 29, 2013
Description:
From the Ubuntu advisory:
Yong Chuan Koh discovered that libssh incorrectly handled certain negotiation requests. A remote attacker could use this to cause libssh to crash, resulting in a denial of service.
libvirt: code execution as root
Package(s): libvirt
CVE #(s): CVE-2013-0170
Created: January 29, 2013
Updated: February 22, 2013
Description:
From the Red Hat advisory:
A flaw was found in the way libvirtd handled connection cleanup (when a connection was being closed) under certain error conditions. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, execute arbitrary code with the privileges of the root user.
mingw-freetype: multiple vulnerabilities
Package(s): mingw-freetype
CVE #(s): CVE-2012-1126, CVE-2012-1127, CVE-2012-1128, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1133, CVE-2012-1134, CVE-2012-1135, CVE-2012-1136, CVE-2012-1137, CVE-2012-1138, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1142, CVE-2012-1143, CVE-2012-1144
Created: January 28, 2013
Updated: January 30, 2013
Description:
From the CVE entries:
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a BDF font. (CVE-2012-1126)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font. (CVE-2012-1127)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and memory corruption) or possibly execute arbitrary code via a crafted TrueType font. (CVE-2012-1128)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a PCF font. (CVE-2012-1130)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, on 64-bit platforms allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors related to the cell table of a font. (CVE-2012-1131)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted dictionary data in a Type 1 font. (CVE-2012-1132)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font. (CVE-2012-1133)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted private-dictionary data in a Type 1 font. (CVE-2012-1134)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the NPUSHB and NPUSHW instructions in a TrueType font. (CVE-2012-1135)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font that lacks an ENCODING field. (CVE-2012-1136)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted header in a BDF font. (CVE-2012-1137)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the MIRP instruction in a TrueType font. (CVE-2012-1138)
Array index error in FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid stack read operation and memory corruption) or possibly execute arbitrary code via crafted glyph data in a BDF font. (CVE-2012-1139)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted PostScript font object. (CVE-2012-1140)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted ASCII string in a BDF font. (CVE-2012-1141)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph-outline data in a font. (CVE-2012-1142)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted font. (CVE-2012-1143)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via a crafted TrueType font. (CVE-2012-1144)
moodle: man-in-the-middle attack
Package(s): moodle
CVE #(s): CVE-2012-6087
Created: January 28, 2013
Updated: April 3, 2013
Description:
From the Red Hat bugzilla:
A security flaw was found in the way Moodle, a course management system (CMS), used (lib)cURL's CURLOPT_SSL_VERIFYHOST variable, when doing certificate validation (value of '1' meaning only check for the existence of a common name was used instead of value '2' - which also checks if the particular common name matches the requested hostname of the server). A rogue service could use this flaw to conduct man-in-the-middle (MiTM) attacks.
nova: access controls bypass
Package(s): nova
CVE #(s): CVE-2013-0208
Created: January 30, 2013
Updated: February 10, 2013
Description:
From the Ubuntu advisory:
Phil Day discovered that nova-volume did not validate access to volumes. An authenticated attacker could exploit this to bypass intended access controls and boot from arbitrary volumes.
perl: code execution
Package(s): perl
CVE #(s): CVE-2012-6329
Created: January 25, 2013
Updated: February 19, 2013
Description:
From the Red Hat bugzilla entry:
A commit to the upstream perl git repository indicated that perl's Locale::Maketext was vulnerable to a flaw that could lead to arbitrary code execution if this function was executed on user-supplied input. Quoting the commit message:
Case 61251: This commit fixes a misparse of maketext strings that could
lead to arbitrary code execution. Basically, maketext was compiling
bracket notation into functions, but neglected to escape backslashes
inside the content or die on fully-qualified method names when
generating the code. This change escapes all such backslashes and dies
when a method name with a colon or apostrophe is specified.
php-symfony2-Yaml: code execution
Package(s): php-symfony2-Yaml
CVE #(s): CVE-2013-1348, CVE-2013-1397
Created: January 28, 2013
Updated: February 4, 2013
Description:
From the Symfony advisory:
When parsing an input with Yaml::parse(), and if the input is a valid filename, the input is evaluated as a PHP file before being parsed as YAML. If the input comes from an untrusted source, malicious code might be executed.
Symfony applications are not vulnerable to this attack but if you are parsing YAML with the YAML component in your application, check that your code does not pass untrusted input to Yaml::parse(). Note that Yaml\Parser::parse() is not affected. (CVE-2013-1348)
The Symfony YAML component supports PHP objects parsing and dumping (via the !!php/object: XXX notation).
When parsing an untrusted input that contains a serialized PHP object, it will be unserialized by default, which can lead to malicious code being executed.
Symfony applications are not vulnerable to this attack but if you are parsing YAML in your application, check that your code does not pass untrusted input to Yaml::parse() or Yaml\Parser::parse(). (CVE-2013-1397)
rubygem-activesupport: multiple vulnerabilities
Package(s): rubygem-activesupport
CVE #(s): CVE-2013-0333
Created: January 29, 2013
Updated: February 10, 2013
Description:
From the Red Hat advisory:
A flaw was found in the way Active Support performed the parsing of JSON requests by translating them to YAML. A remote attacker could use this flaw to execute arbitrary code with the privileges of a Ruby on Rails application, perform SQL injection attacks, or bypass the authentication using a specially-created JSON request.
rubygem-multi_xml: code execution
Package(s): rubygem-multi_xml
CVE #(s): CVE-2013-0175
Created: January 25, 2013
Updated: January 30, 2013
Description:
From the Red Hat bugzilla entry:
A security flaw was found in the way multi_xml gem, a Ruby gem to provide swappable XML backends utilizing LibXML, Nokogiri, Ox, or REXML, performed Symbol and YAML parameters parsing. A remote attacker could use this flaw to execute arbitrary code with the privileges of the Ruby on Rails application using the multi_xml gem via specially-crafted HTTP POST request.
rubygem-rack: multiple vulnerabilities
Package(s): rubygem-rack
CVE #(s): CVE-2012-6109, CVE-2013-0183, CVE-2013-0184
Created: January 28, 2013
Updated: March 15, 2013
Description:
From the Red Hat bugzilla [1], [2], [3]:
[1] Upstream released Rack 1.4.2, 1.3.7, 1.2.6, and 1.1.4 to fix a denial of service condition when Rack parses content with a certain Content-Disposition header as noted in the original report. (CVE-2012-6109)
[2] Upstream released [1] Rack 1.4.3 and 1.3.8 to fix a denial of service condition due to a malicious client sending excessively long lines that trigger an out-of-memory error in Rack. (CVE-2013-0183)
[3] A flaw that was fixed in 1.4.4, 1.3.9, 1.2.7, and 1.1.5 was also announced that creates a minor denial of service condition, this time in the Rack::Auth::AbstractRequest, where it symbolized arbitrary strings (apparently this has something to do with authentication, but there is no further information provided other than the fix itself, which is noted as "a breaking API change"). (CVE-2013-0184)
samba4: privilege escalation
Package(s): samba4
CVE #(s): CVE-2013-0172
Created: January 25, 2013
Updated: February 5, 2013
Description:
From the Red Hat bugzilla entry:
Samba 4.0 as an AD DC may provide authenticated users with write access to LDAP directory objects.
In AD, Access Control Entries can be assigned based on the objectClass of the object. If a user or a group the user is a member of has any access based on the objectClass, then that user has write access to that object.
Additionally, if a user has write access to any attribute on the object, they may have access to write to all attributes.
zabbix: LDAP authentication override
Package(s): zabbix
CVE #(s): CVE-2013-1364
Created: January 28, 2013
Updated: January 30, 2013
Description:
From the Red Hat bugzilla:
It was reported that the user.login method in Zabbix would accept a 'cnf' parameter containing the configuration parameters to use for LDAP authentication, which would override the configuration stored in the database. This can be used to authenticate to Zabbix using a completely different LDAP application (e.g. authenticate to Zabbix using some other LDAP directory the attacker has credentials for).
This has been corrected in upstream versions 2.1.0 r32446, 2.0.5rc1 r32444 and 1.8.16rc1 r32442.
Page editor: Jake Edge