Security
Wireless networking driver vulnerabilities
One of the major conveniences of wireless networking is its invisibility, but that is also one of its major weaknesses. A recent announcement of wireless driver flaws serves as a reminder that simply having a wireless card installed may be enough to allow unauthorized access. Unlike other network devices, there is no wire to remind the user that they may be making their computer vulnerable to malware.
Two security researchers used an open source tool called lorcon to send a large number of wireless packets to various wireless devices. They were looking to see if they could cause the drivers to fail when they received unexpected data. The result was that they found many flaws in the wireless drivers, including one that would allow a malicious user to take over a machine that was equipped with the vulnerable wireless card. Many of the driver flaws they found did not require that the user or wireless card actually be connected to the network to be exploited.
It is unclear whether this exploit is of concern to Linux users as the researchers are not releasing many details until their talk at the Black Hat conference on 2 August. It is clear, however, that this is an area that is ripe for exploitation on Linux as well as other platforms. Wireless cards do a lot of things invisibly in order to determine what other devices there are in the neighborhood and these actions are often completely outside of the control of the user.
Normally, open source drivers provide at least a path to quickly fix any security problems discovered -- unfortunately, this is not the case with many of the wireless drivers used on Linux systems. Wireless card manufacturers have so far been mostly unwilling to release enough information for kernel hackers to create full open source drivers for those devices. Because of this, many users are installing closed source drivers to access their wireless cards.
In some cases, users are installing Windows drivers and using NdisWrapper to link those into the Linux kernel. Because the wireless vendors are relatively likely to fix the Windows drivers, this approach may provide a reasonably quick resolution to security problems. At least, that may be the case for currently supported hardware, if the vulnerability does not originate in the interaction between the driver and NdisWrapper, and if the user knows to download and install the updated driver. It is likely that any closed source native Linux wireless driver would have a lower priority for a vendor to fix, and therefore a security vulnerability might remain unpatched for a significant amount of time.
It is far better, of course, to use hardware which has open-source support. Vulnerabilities in open-source drivers should be fixed quickly, and those fixes will be made available by the distributor's package management system.
As wireless technology becomes more prevalent and more devices and protocols are deployed, it is clear that more exploits and vulnerabilities will be found. Italian researchers recently ran an experiment at the Milan airport to highlight the number of potentially exploitable Bluetooth devices they could find; in 23 hours they were able to spot 1400 of them. Wireless manufacturers and standards committees do not seem to learn from the security flaws of the past, and that will lead to exploits in the future.
New vulnerabilities
gimp: arbitrary code execution
| Package(s): | gimp | CVE #(s): | CVE-2006-3404 |
| Created: | July 10, 2006 | Updated: | July 27, 2006 |
| Description: | Henning Makholm discovered that gimp did not sufficiently validate the 'num_axes' parameter in XCF files. By tricking a user into opening a specially crafted XCF file with Gimp, an attacker could exploit this to execute arbitrary code with the user's privileges. |
| Alerts: | |
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2006-2451 |
| Created: | July 7, 2006 | Updated: | July 26, 2006 |
| Description: | The Linux kernel, versions 2.6.13 through 2.6.17.3, has a privilege escalation vulnerability that is related to the handling of core dumps. Local users can create a program that can core dump to a directory that the user does not have permission to write to. This can be exploited for a disk consumption denial of service attack, or for the unauthorized gaining of root privileges. |
| Alerts: | |
libmms: buffer overflows
| Package(s): | libmms | CVE #(s): | CVE-2006-2200 |
| Created: | July 6, 2006 | Updated: | December 25, 2006 |
| Description: | Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program. |
| Alerts: | |
ppp: privilege escalation
| Package(s): | ppp | CVE #(s): | CVE-2006-2194 |
| Created: | July 6, 2006 | Updated: | August 14, 2006 |
| Description: | Marcus Meissner discovered that the winbind plugin of pppd does not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes and enable the winbind plugin, a local attacker could exploit this to execute the winbind NTLM authentication helper as root. Depending on the local winbind configuration, this could potentially lead to privilege escalation. |
| Alerts: | |
samba: memory exhaustion
| Package(s): | samba | CVE #(s): | CVE-2006-3403 |
| Created: | July 11, 2006 | Updated: | July 26, 2006 |
| Description: | The smbd daemon maintains internal data structures used to track active connections to file and printer shares. In certain circumstances an attacker may be able to continually increase the memory usage of an smbd process by issuing a large number of share connection requests. This defect affects all Samba configurations, according to this advisory. |
| Alerts: | |
shadow: privilege escalation
| Package(s): | passwd shadow | CVE #(s): | |
| Created: | July 6, 2006 | Updated: | July 12, 2006 |
| Description: | Ilja van Sprundel discovered that passwd, when called with the -f, -g, or -s option, did not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes, a local attacker could exploit this to execute chfn, gpasswd, or chsh with root privileges. |
| Alerts: | |
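The ppp and shadow entries above describe the same defect: a setuid program calls setuid() to drop to an ordinary user and never looks at the return value, so when the target user's process limit (RLIMIT_NPROC, as set by PAM limits) makes setuid() fail with EAGAIN, the program carries on as root. The following is an added illustration, not code from pppd, passwd or any of the advisories; it shows the unchecked pattern next to a hardened privilege drop that checks every call and verifies the result. The function names are invented for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern (the bug class in the pppd winbind and passwd advisories):
 * the return values are discarded.  If the target uid is at its RLIMIT_NPROC
 * limit, setuid() fails with EAGAIN and the caller keeps running as root
 * while believing it has dropped privileges. */
void drop_privs_unchecked(uid_t uid, gid_t gid)
{
    (void)setgid(gid);
    (void)setuid(uid);   /* result never examined: this is the defect */
    /* ... a helper executed from here may still have root privileges ... */
}

/* Hardened form: clear supplementary groups (root only), set gid before uid,
 * check every return value, and confirm the ids actually changed.
 * Returns 0 on success, -1 with errno set on failure; the caller must abort
 * rather than continue with whatever privileges it happens to hold. */
int drop_privs_checked(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;       /* EAGAIN here is the RLIMIT_NPROC case */
    /* Root must not be re-acquirable after dropping to a non-root uid. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Dropping to our own ids always succeeds; a real setuid program would
     * pass the unprivileged target user's ids here. */
    if (drop_privs_checked(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    puts("privileges dropped and verified");
    return 0;
}
```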
SHOUTcast server: multiple vulnerabilities
| Package(s): | shoutcast | CVE #(s): | |
| Created: | July 10, 2006 | Updated: | July 12, 2006 |
| Description: | The SHOUTcast server is vulnerable to a file disclosure when the server receives a specially crafted GET request. Furthermore, it also fails to sanitize the input passed to the "Description", "URL", "Genre", "AIM", and "ICQ" fields. It also has multiple cross-site scripting vulnerabilities. |
| Alerts: | |
Page editor: Jonathan Corbet