By Jake Edge
July 3, 2013
The reporting of 1200 bugs, some of which may have security
implications, is
sure to overwhelm any distribution's bug handling abilities. So it was
rather helpful that Alexandre Rebert started out by posting to the debian-devel mailing list
rather than just flooding the bug tracker.
Beyond just the sheer number of bugs, though, there is a question of
dealing with so many potential security issues, which are generally handled
differently than regular bugs.
Rebert and other security researchers at Carnegie Mellon University (CMU) found the bugs in binaries from the Debian repositories using an automated bug finder called Mayhem [PDF]. Mayhem is a closed-source research project at CMU CyLab that uses symbolic execution on binary programs to find exploitable bugs in the code.
It does its job by looking for load and store instructions that can be
influenced by the inputs to the program. It examines the paths
through the program using a "hybrid symbolic execution" mechanism that
combines normal execution of the program with symbolic execution of an
intermediate language representation that is created whenever a tainted
(i.e. dependent on
user input) branch condition is detected. The symbolic execution looks for
ways to exploit the tainted code and builds an exploit if it can. The
Mayhem paper goes into a lot more detail, perhaps enough for others to
reproduce the technique.
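As an added illustration of the taint-tracking half of that mechanism (not Mayhem's code, which is closed source, and without the constraint solving that would build an exploit), the toy executor below runs a constructed register-level program concretely while tracking which registers and memory cells depend on program input, and reports every load or store whose address is input-derived, every branch whose condition is input-derived, and any access that leaves the toy address space. The instruction set, register names, and program are all assumptions made for this example.

```python
def run_tainted(program, inputs, mem_size=32):
    # Concrete run of `program` on `inputs` with taint tracking; returns findings.
    regs, taint = {}, set()                   # register values / tainted register names
    mem, mem_taint = [0] * mem_size, [False] * mem_size
    findings, inp, pc = [], iter(inputs), 0
    while pc < len(program) and program[pc][0] != "halt":
        op, *args = program[pc]
        if op == "input":                     # taint source: one byte of program input
            (r,) = args
            regs[r] = next(inp, 0)
            taint.add(r)
        elif op == "const":                   # immediate value: never tainted
            r, v = args
            regs[r] = v
            taint.discard(r)
        elif op == "add":                     # taint propagates through arithmetic
            r, a, b = args
            regs[r] = regs[a] + regs[b]
            if a in taint or b in taint:
                taint.add(r)
            else:
                taint.discard(r)
        elif op in ("load", "store"):         # the accesses Mayhem looks for
            r, a = args
            addr = regs[a]
            if a in taint:                    # address depends on input
                findings.append(("tainted-" + op, pc, addr))
            if not 0 <= addr < mem_size:      # a real program would crash here
                findings.append(("oob", pc, addr))
                break
            if op == "load":
                regs[r] = mem[addr]
                if a in taint or mem_taint[addr]:
                    taint.add(r)
                else:
                    taint.discard(r)
            else:
                mem[addr] = regs[r]
                mem_taint[addr] = r in taint or a in taint
        elif op == "jlt":                     # if regs[a] < regs[b] goto target
            a, b, target = args
            if a in taint or b in taint:      # where symbolic execution would take over
                findings.append(("tainted-branch", pc))
            if regs[a] < regs[b]:
                pc = target
                continue
        pc += 1
    return findings

PROGRAM = [  # constructed toy program: its bounds check uses the wrong limit (32, not 16)
    ("input", "r0"),             # r0 <- first input byte (taint source)
    ("const", "r1", 16),         # r1 = base address of a 16-entry table
    ("const", "r2", 32),         # r2 = wrong bound
    ("jlt", "r0", "r2", 5),      # if r0 < r2 goto 5, else fall through to halt
    ("halt",),
    ("add", "r3", "r1", "r0"),   # r3 = base + index (tainted)
    ("load", "r4", "r3"),        # r4 = mem[r3]: address controlled by input
]
```

With input byte 20 the check passes but the derived address 36 leaves the 32-cell address space, so the run reports both the tainted load and the out-of-bounds access that a real binary would turn into a crash.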
The bugs are "exploitable" in the sense that each crash can execute arbitrary
code. While code execution bugs are serious, the programs in question are
typically run by regular users from the shell, so being able to get a shell
(which is the usual proof of concept used by demonstration exploits as
well as by Mayhem) is not a huge accomplishment. But being able to get a
shell means that an exploit could do anything the user could do, including
exposing or deleting files, participating in a botnet, sending spam, and so
on. The exploits require specially crafted arguments and/or input files to
trigger the bugs, so users would have to be tricked into running the
programs that way.
Of course, any setuid programs or those accessible via the web or other
internet services are a much larger concern. That's not to downplay what
the Mayhem team has done in any way, but fuzzing has shown us that
arbitrary inputs to programs often lead to crashes—the trick is finding a
way to get users to provide crafted inputs that lead to an interesting (to
the attacker) result. Regardless, the bugs do need to be fixed, and
the Mayhem team has provided a wealth of information to do just that.
Each bug report comes with a tar file (an example for gcov was provided with Rebert's message) that contains a script to reproduce the problem, files containing the arguments and input that cause the crash, the core dump, and more. Reports for each of the bugs were sent to the appropriate Debian package maintainers, though some of those addresses were actually mailing lists, as Paul Wise pointed out. That allows us to see some of the reports, including one for the nfsidmap binary in the nfs-common package. Rebert's message also linked to a text file that lists all of the affected packages and their maintainers.
There are almost certainly more bugs out there for Mayhem to find as the
team limited the search space of the tool, allowing just five minutes of
run time per binary. They also limit the bugs reported to one per binary
and five per package. There are likely to be plenty of duplicate bugs on
the list as well; bugs in libraries may well appear for multiple binaries.
And, of course, the bugs aren't limited to Debian, as many of the packages
will be in the repositories of lots of different distributions; all or
nearly all of them will not be Debian-specific at all.
Unfortunately, there is no automated way to extract addresses for the
upstream developers or mailing lists from the Debian packages. The bug
reports may ultimately need to make their way upstream, but the Mayhem team
couldn't find a way to do that, so they started with the Debian
maintainers. As Andreas
Tille noted, some
packages may have implemented the machine-readable debian/copyright
file, which might provide an upstream contact and email address. But,
for security reports, even that may not be the right place to send the
message.
But, in fact, Rebert has recognized that the
security tag on most of the proposed bug reports was probably not accurate. "It looks like a majority of the crashes have
little security implications", he said, so that tag will be removed
before the actual bug reports get submitted. It isn't clear that a
security contact would be needed in the majority of cases but, since Mayhem
sets out to find exploitable bugs, "responsible disclosure" might still
indicate that a security list or email should be used to report the problems.
The problem is, in some ways, similar to the question of where bugs should be filed that we reported on last week. Which bug tracker (distribution or upstream) to use is contentious enough when looking at single bugs reported by users; 1200 bugs increases the scale of the problem significantly. The clear indication is that Mayhem could find lots more if it were given free rein, though the duplicates need to be eliminated or substantially reduced or the team risks overwhelming distributions and upstreams.
The "huge pile of bugs" problem is a consequence of the closed-source
nature of Mayhem. If the tool were available to be used by various
projects' developers as part of their testing, the bugs could be
found and fixed in the normal course of development. Rebert mentioned the
possibility of creating some kind of Mayhem web service, but it would be
far more useful if the tool was free software (even "free as in beer" would
be better than the existing situation). Since public funds were used to
develop the tool, one might hope the public would get a bit more out of
that spending. The Mayhem paper mentions that the
US Defense Advanced Research Projects
Agency (DARPA) helped fund some of the work, but, alas, that funding doesn't
seem to come with a mandate to publish the source.
It's clear that running Mayhem on the 23,000 or so binaries found in the
Debian "Wheezy" repository has found real bugs, some of which are
"exploitable" in limited scenarios. Some are probably worse than that,
however, and as the tool gets improved, it may be able to narrow in on more
dangerous bugs. One might guess that CMU and the Mayhem developers plan
to commercialize Mayhem. That is, of course, their prerogative, but it is
unfortunate that tools like Mayhem and the Coverity static analyzer
(which came out of Stanford University)
are not free software tools. One suspects they would see much more
use—and, possibly,
improvement—if they were.
Brief items
If I could, I would repeal the Internet. It is the technological marvel of
the age, but it is not — as most people imagine — a symbol of
progress. Just the opposite. We would be better off without it. I grant its
astonishing capabilities: the instant access to vast amounts of
information, the pleasures of YouTube and iTunes, the convenience of GPS
and much more. But the Internet's benefits are relatively modest compared
with previous transformative technologies, and it brings with it a
terrifying danger: cyberwar.
— Robert J. Samuelson throws the baby out with the bath water
I find it hilarious that Redhat cripples their cryptographic security
software. In the sense that it makes me wonder about the rest of their
security processes and software. What the...
— Jacob Appelbaum
The ancients, given a chance to observe today's intelligence and spying
brouhaha, would likely assert that the gods are laughing at us, finding
hilarious our public attempts at indignation not only over what is being
done, but our laughable efforts to pretend that we didn't know about it all
along.
— Lauren Weinstein
The biological world is also open source in the sense that threats are
always present, largely unpredictable, and always changing. Because of
this, defensive measures that are perfectly designed for a particular
threat leave you vulnerable to other ones. Imagine if our immune system
were designed to deal only with a single strain of flu. In fact, our immune
system works because it looks for the full spectrum of invaders — low-level
viral infections, bacterial parasites, or virulent strains of a pandemic
disease. Too often, we create security measures — such as the Department of
Homeland Security's
BioWatch program — that spend too many resources to deal specifically with a very narrow range of threats on the risk spectrum.
— Rafe Sagarin
Bluebox Security claims to have found a way to modify code contained within an Android application package without breaking the associated cryptographic signature. "All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn’t been tampered with or modified. This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been." The problem was evidently disclosed to Google in February; details are promised at the Black Hat USA conference starting July 27.
New vulnerabilities
ffmpeg: multiple vulnerabilities
Package(s): ffmpeg
CVE #(s): CVE-2013-3671, CVE-2013-3672, CVE-2013-3673, CVE-2013-3674
Created: June 27, 2013
Updated: July 3, 2013
Description: From the Mageia advisory:
* CVE-2013-3671: The format_line function in log.c in libavutil uses inapplicable offset data during a certain category calculation, which allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via crafted data that triggers a log message.
* CVE-2013-3672: The mm_decode_inter function in mmvideo.c in libavcodec does not validate the relationship between a horizontal coordinate and a width value, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted American Laser Games (ALG) MM Video data.
* CVE-2013-3673: The gif_decode_frame function in gifdec.c in libavcodec does not properly manage the disposal methods of frames, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted GIF data.
* CVE-2013-3674: The cdg_decode_frame function in cdgraphics.c in libavcodec does not validate the presence of non-header data in a buffer, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted CD Graphics Video data.
Foreman: multiple vulnerabilities
Package(s): Foreman
CVE #(s): CVE-2013-2113, CVE-2013-2121
Created: June 28, 2013
Updated: July 3, 2013
Description: From the Red Hat advisory:
A flaw was found in the create method of the Foreman Bookmarks controller. A user with privileges to create a bookmark could use this flaw to execute arbitrary code with the privileges of the user running Foreman, giving them control of the system running Foreman (such as installing new packages) and all systems managed by Foreman. (CVE-2013-2121)
A flaw was found in the way the Foreman UsersController controller handled user creation. A non-admin user with privileges to create non-admin accounts could use this flaw to create admin accounts, giving them control of the system running Foreman (such as installing new packages) and all systems managed by Foreman. (CVE-2013-2113)
openstack-keystone: authentication bypass
Package(s): openstack-keystone
CVE #(s): CVE-2013-2157
Created: June 28, 2013
Updated: August 12, 2013
Description: From the openSUSE bug report:
Jose Castro Leon from CERN reported a vulnerability in the way the Keystone LDAP backend authenticates users. When provided with an empty password, the backend would perform an anonymous LDAP bind that would result in successfully authenticating the user. An attacker could therefore easily impersonate and get valid tokens for any user. Only Keystone setups using the LDAP authentication backend are affected.
php-radius: buffer overflow
Package(s): php-radius
CVE #(s): CVE-2013-2220
Created: July 3, 2013
Updated: July 26, 2013
Description: From the Mandriva advisory:
Fix a security issue in radius_get_vendor_attr() by enforcing checks of the VSA length field against the buffer size.
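As an added example, not php-radius's own code, here is a Python parser for the RADIUS attribute and Vendor-Specific Attribute (VSA) layout from RFC 2865 that enforces the length check the advisory describes: each length field must cover its own header and must not run past the end of the buffer it sits in. The attribute bytes are constructed for this illustration, and the function names are assumptions.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type carrying vendor-specific sub-attributes

def parse_attributes(buf):
    """Split a RADIUS attribute list into (type, value) pairs, validating every length."""
    attrs, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):      # must cover its header and fit the buffer
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, buf[pos + 2:pos + alen]))
        pos += alen
    return attrs

def parse_vsa(value):
    """Parse a Vendor-Specific value into (vendor_id, [(vendor_type, data), ...])."""
    if len(value) < 4:
        raise ValueError("VSA value shorter than the 4-byte vendor id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        # The check the advisory describes: the VSA length field must cover its own
        # header and must not run past the end of the buffer it lives in.
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("vendor attribute length %d exceeds buffer" % vlen)
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs

def get_vendor_attr(buf, vendor_id, vendor_type):
    """Return the data of the first matching vendor attribute, or None."""
    for atype, value in parse_attributes(buf):
        if atype != VENDOR_SPECIFIC:
            continue
        vid, subs = parse_vsa(value)
        if vid == vendor_id:
            for vtype, data in subs:
                if vtype == vendor_type:
                    return data
    return None

# Constructed sample: a User-Name attribute (type 1) followed by a Vendor-Specific
# attribute for vendor id 9 carrying one vendor attribute (type 1, data "hi").
GOOD = bytes([1, 5]) + b"bob" + bytes([26, 10]) + struct.pack("!I", 9) + bytes([1, 4]) + b"hi"
# Same bytes, but the vendor attribute's length field (40) overstates the data present.
BAD = bytes([1, 5]) + b"bob" + bytes([26, 10]) + struct.pack("!I", 9) + bytes([1, 40]) + b"hi"
```

In C, slicing past the buffer as BAD invites would be an out-of-bounds read or write; here the same malformed length is rejected before any data is touched.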
python-keystoneclient: password disclosure
Package(s): python-keystoneclient
CVE #(s): CVE-2013-2013
Created: June 28, 2013
Updated: September 18, 2013
Description: From the openSUSE bug report:
OpenStack keystone places a username and password on the command line, which allows local users to obtain credentials by listing the process.
python-keystoneclient: multiple vulnerabilities
Package(s): python-keystoneclient
CVE #(s): CVE-2013-2166, CVE-2013-2167
Created: June 28, 2013
Updated: July 3, 2013
Description: From the Red Hat advisory:
A flaw was found in the way python-keystoneclient handled encrypted data from memcached. Even when the memcache_security_strategy setting in "/etc/swift/proxy-server.conf" was set to ENCRYPT to help prevent tampering, an attacker on the local network, or possibly an unprivileged user in a virtual machine hosted on OpenStack, could use this flaw to bypass intended restrictions and modify data in memcached that will later be used by services utilizing python-keystoneclient (such as Nova, Cinder, Swift, Glance, and so on). (CVE-2013-2166)
A flaw was found in the way python-keystoneclient verified data from memcached. Even when the memcache_security_strategy setting in "/etc/swift/proxy-server.conf" was set to MAC to perform signature checking, an attacker on the local network, or possibly an unprivileged user in a virtual machine hosted on OpenStack, could use this flaw to modify data in memcached that will later pass signature checking in python-keystoneclient. (CVE-2013-2167)
ruby: SSL server spoofing
Package(s): ruby
CVE #(s): CVE-2013-4073
Created: June 28, 2013
Updated: August 6, 2013
Description: From the Ruby advisory:
When a CA that an SSL client trusts allows the issuing of a server certificate that has a null byte in subjectAltName, remote attackers can obtain a certificate for ‘www.ruby-lang.org\0.example.com’ from the CA to spoof ‘www.ruby-lang.org’ and mount a man-in-the-middle attack between Ruby’s SSL client and SSL servers.
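As an added illustration (not Ruby's code), the two matchers below contrast a comparison that behaves like a NUL-terminated C string compare, which is what makes the advisory's spoofed name look like ‘www.ruby-lang.org’, with a length-aware matcher that rejects any name containing an embedded NUL. The SAN list and function names are constructed for this example.

```python
def san_matches_c_style(san, host):
    """Vulnerable comparison: mimics a C strcmp() on the SAN, which stops at the first
    NUL byte, so 'www.ruby-lang.org\\0.example.com' compares equal to 'www.ruby-lang.org'."""
    return san.split("\0", 1)[0].lower() == host.lower()

def san_matches_hardened(san, host):
    """Length-aware comparison: refuses any name with an embedded NUL and permits only a
    single leading '*.' wildcard label."""
    if "\0" in san or "\0" in host:
        return False                        # an embedded NUL is never a legitimate DNS name
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        parts = host.split(".", 1)          # wildcard covers exactly one leading label
        return bool(len(parts) == 2 and parts[0] and parts[1] == san[2:] and "*" not in san[2:])
    return "*" not in san and san == host

def certificate_matches_host(san_list, host, matcher=san_matches_hardened):
    """True if any dNSName entry in the certificate's subjectAltName matches host."""
    return any(matcher(san, host) for san in san_list)

# Constructed subjectAltName list mirroring the advisory's scenario: the CA issued a
# certificate for a name with an embedded NUL byte.
SPOOF_SANS = ["www.ruby-lang.org\0.example.com"]
```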
wireshark: two dissector vulnerabilities
Package(s): wireshark
CVE #(s): CVE-2013-4079, CVE-2013-4080
Created: June 27, 2013
Updated: September 30, 2013
Description: From the Mageia advisory:
The GSM CBCH dissector could crash (CVE-2013-4079).
The Assa Abloy R3 dissector could consume excessive memory and CPU (CVE-2013-4080).
wordpress: multiple vulnerabilities
Package(s): wordpress
CVE #(s): CVE-2013-2173, CVE-2013-2199, CVE-2013-2200, CVE-2013-2201, CVE-2013-2202, CVE-2013-2203, CVE-2013-2204, CVE-2013-2205
Created: July 2, 2013
Updated: July 3, 2013
Description: From the Mageia advisory:
A denial of service flaw was found in the way Wordpress, a blog tool and publishing platform, performed hash computation when checking the password for password-protected blog posts. A remote attacker could provide a specially-crafted input that, when processed by the password checking mechanism of Wordpress, would lead to excessive CPU consumption (CVE-2013-2173).
Inadequate SSRF protection for HTTP requests where the user can provide a URL can allow for attacks against the intranet and other sites. This is a continuation of work related to CVE-2013-0235, which was specific to SSRF in pingback requests and was fixed in 3.5.1 (CVE-2013-2199).
Inadequate checking of a user's capabilities could allow them to publish posts when their user role should not allow for it; and to assign posts to other authors (CVE-2013-2200).
Inadequate escaping allowed an administrator to trigger a cross-site scripting vulnerability through the uploading of media files and plugins (CVE-2013-2201).
The processing of an oEmbed response is vulnerable to an XXE (CVE-2013-2202).
If the uploads directory is not writable, error message data returned via XHR will include a full path to the directory (CVE-2013-2203).
Content spoofing in the MoxieCode (TinyMCE) MoxiePlayer project (CVE-2013-2204).
Cross-domain XSS in SWFUpload (CVE-2013-2205).
xdm: denial of service
Package(s): xdm
CVE #(s): CVE-2013-2179
Created: July 2, 2013
Updated: July 3, 2013
Description: From the openSUSE advisory:
xdm was updated to fix crypt() NULL pointer crashes:
* Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/ NULL return) if the salt violates specifications. Additionally, on FIPS-140 enabled Linux systems, DES/MD5-encrypted passwords passed to crypt() fail with EPERM (w/ NULL return). If using glibc's crypt(), check the return value to avoid a possible NULL pointer dereference.
xen: multiple vulnerabilities
Package(s): xen
CVE #(s): CVE-2013-2211, CVE-2013-1432
Created: July 2, 2013
Updated: July 19, 2013
Description: From the Mageia advisory:
CVE-2013-2211: libxl allows guest write access to sensitive console related xenstore keys
CVE-2013-1432: Page reference counting error due to XSA-45/CVE-2013-1918 fixes
xml-security-c: code execution
Package(s): xml-security-c
CVE #(s): CVE-2013-2210
Created: June 28, 2013
Updated: July 3, 2013
Description: From the Debian advisory:
Jon Erickson of iSIGHT Partners Labs discovered a heap overflow in xml-security-c, an implementation of the XML Digital Security specification. The fix to address CVE-2013-2154 introduced the possibility of a heap overflow in the processing of malformed XPointer expressions in the XML Signature Reference processing code, possibly leading to arbitrary code execution.
Page editor: Jake Edge