Security
Rule set based access control
SELinux has become, to many, the mechanism for high-security Linux deployments. The SELinux framework is considered sufficiently powerful, flexible, and universal that some developers have contemplated removing the Linux security module (LSM) interface altogether. When SELinux does everything, why have hooks for anything else? The fact of the matter, however, is that SELinux is not the only high-security approach out there. On September 27, version 1.2.5 of the Rule Set Based Access Control (RSBAC) patch was released. RSBAC has been around for several years, but it has never quite achieved the prominence of SELinux.Like SELinux, RSBAC inserts hooks throughout the kernel source. RSBAC does not use the LSM framework, however. This page explains why; in short, the RSBAC developer (Amon Ott) does not like how LSM exposes kernel internals to security modules, and the LSM hooks are not nearly extensive enough for RSBAC. In fact, RSBAC adds hooks in many places (individual device drivers, for example) where LSM does not tread. RSBAC hooks can also change system state in ways not allowed with the LSM framework.
With the hooks in place, RSBAC allows for several different access control regimes, all of which can be mixed and matched as desired. Available options include:
- Authenticated user: essentially a list of user IDs which may be
assumed by each process on the system. This module is required by
most other RSBAC security schemes.
- User
management: a replacement for the PAM and shadow mechanisms which
moves most of the user and group management tasks into the kernel.
- Role
compatibility: assigns roles to users and programs, and ensures
that they match at run time.
- Access
control lists: a variant of file ACLs which can take additional
RSBAC features (such as roles) into account.
- Mandatory
access control: assigns security levels to processes and objects,
and prevents access between different levels.
- Dazuko: a specialized interface for virus scanning applications. Dazuko creates a special purpose device which can be used to intercept file accesses; malware scans can then be performed before the access is allowed to succeed. There is a ClamAV interface to Dazuko.
There are several other models available, see the RSBAC models page for the full list. One thing that should be clear is that the RSBAC framework has been used to implement a wide variety of access control mechanisms. The project's long history suggests a stable user base, and RSBAC has been adopted by some distributions (including the Adamantix (formerly "Trusted Debian") and Hardened Gentoo projects). The non-LSM approach seems likely to keep RSBAC out of the mainline kernel indefinitely (nobody is even proposing merging it), but RSBAC appears to be a viable option regardless.
Brief items
RHEL 5 going for Common Criteria EAL 4 rating
Red Hat (along with IBM and Trusted Computer Solutions) has announced that the upcoming release of Red Hat Enterprise Linux is being evaluated for Common Criteria EAL 4 certification. "This CCEVS evaluation means Red Hat Enterprise Linux will reach a level of security previously achieved by only a handful of trusted operating systems. Red Hat Enterprise Linux is now positioned to provide best-of-breed security capabilities for commercial operating systems, offering the government, as well as businesses, unprecedented choice for security applications."
PwnZilla 5 Exploits IDN Link Buffer Overflow (MozillaZine)
MozillaZine reports that a recently developed Firefox IDN link buffer overflow vulnerability exploit has been developed. "The PwnZilla 5 code takes advantage of the international domain name (IDN) link buffer overflow flaw, details of which were published earlier this month. The weblog post says that the exploit code "could let attackers take complete control over computers cruising the Web with unpatched versions of the Firefox Internet browser". Previous public exploits for the vulnerability have been basic proof-of-concepts that simply crash the browser."
New vulnerabilities
courier: missing input sanitizing
| Package(s): | courier | CVE #(s): | CAN-2005-2820 | ||||||||
| Created: | September 26, 2005 | Updated: | October 11, 2005 | ||||||||
| Description: | Jakob Balle discovered that with "Conditional Comments" in Internet Explorer it is possible to hide javascript code in comments that will be executed when the browser views a malicious email via sqwebmail. Successful exploitation requires that the user is using Internet Explorer. | ||||||||||
| Alerts: |
| ||||||||||
cups: denial of service
| Package(s): | cups | CVE #(s): | CAN-2005-2874 | ||||||||
| Created: | September 22, 2005 | Updated: | September 28, 2005 | ||||||||
| Description: | CUPS has a vulnerability that can be triggered by processing corrupted HTTP requests. A remote user can use this to cause a denial of service. | ||||||||||
| Alerts: |
| ||||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704 CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 22, 2005 | Updated: | February 15, 2006 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The Firefox browser has multiple vulnerabilities including problems with XBM image file processing, Unicode sequence processing, XMLHttp requests, malicious XBL binding, a JavaScript engine buffer overflow, about: pages, opening of new windows, and command line URL processing. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
HelixPlayer: arbitrary code execution
| Package(s): | HelixPlayer | CVE #(s): | CAN-2005-2710 | ||||||||||||||||||||||||||||
| Created: | September 27, 2005 | Updated: | October 10, 2005 | ||||||||||||||||||||||||||||
| Description: | A format string bug was discovered in the way HelixPlayer processes RealPix (.rp) files. It is possible for a malformed RealPix file to execute arbitrary code as the user running HelixPlayer. | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
kernel: buffer overflow
| Package(s): | kernel | CVE #(s): | CAN-2005-2490 CAN-2005-2492 | ||||||||||||||||
| Created: | September 22, 2005 | Updated: | October 5, 2005 | ||||||||||||||||
| Description: | The Linux kernel has a stack-based buffer overflow problem in the sendmsg function. Local users may use this to execute arbitrary code. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
kernel: DoS vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2005-1767 CAN-2005-3044 | ||||||||
| Created: | September 26, 2005 | Updated: | September 28, 2005 | ||||||||
| Description: | A Denial of Service vulnerability was detected in the stack segment
fault handler. A local attacker could exploit this by causing stack
fault exceptions under special circumstances (scheduling), which lead
to a kernel crash. (CAN-2005-1767)
Vasiliy Averin discovered a Denial of Service vulnerability in the "tiocgdev" ioctl call and in the "routing_ioctl" function. By calling fget() and fput() in special ways, a local attacker could exploit this to destroy file descriptor structures and crash the kernel. (CAN-2005-3044) | ||||||||||
| Alerts: |
| ||||||||||
opera: script insertion attacks
| Package(s): | opera | CVE #(s): | CAN-2005-3006 CAN-2005-3007 | ||||
| Created: | September 26, 2005 | Updated: | September 28, 2005 | ||||
| Description: | Attached files are opened without any warnings directly from the user's cache directory. This can be exploited to execute arbitrary Javascript in context of "file://". Normally, filename extensions are determined by the "Content-Type" in Opera Mail. However, by appending an additional '.' to the end of a filename, an HTML file could be spoofed to be e.g. "image.jpg.". These two vulnerabilities combined may be exploited to conduct script insertion attacks if the user chooses to view an attachment named e.g. "image.jpg." e.g. resulting in disclosure of local files. These are fixed in Opera 8.50. | ||||||
| Alerts: |
| ||||||
qt: buffer overflow in zlib
| Package(s): | qt | CVE #(s): | |||||
| Created: | September 26, 2005 | Updated: | September 28, 2005 | ||||
| Description: | Qt links to a bundled vulnerable version of zlib when emerged with the zlib USE-flag disabled. This may lead to a buffer overflow. By creating a specially crafted compressed data stream, attackers can overwrite data structures for applications that use Qt, resulting in a Denial of Service or potentially arbitrary code execution. | ||||||
| Alerts: |
| ||||||
webmin, usermin: remote code execution through PAM authentication
| Package(s): | webmin usermin | CVE #(s): | CAN-2005-3042 | ||||||||
| Created: | September 26, 2005 | Updated: | October 7, 2005 | ||||||||
| Description: | Keigo Yamazaki discovered that the miniserv.pl webserver, used in both Webmin and Usermin, does not properly validate authentication credentials before sending them to the PAM (Pluggable Authentication Modules) authentication process. The default configuration shipped with Gentoo does not enable the "full PAM conversations" option and is therefore unaffected by this flaw. | ||||||||||
| Alerts: |
| ||||||||||
Page editor: Jonathan Corbet
Next page:
Kernel development>>