Security
Brief items
CROSS: A step towards better open source security
Finnish security company Codenomicon announced a new initiative to assist open source software projects in finding security flaws. The Codenomicon Robust Open Source Software (CROSS) program is targeted at projects that are part of the infrastructure of the internet; by making their proprietary testing tools available to the projects, they hope to find critical security flaws before attackers do. For Codenomicon, this is their second foray into assisting open source projects. In 2004, their tools were used by Red Hat engineers to find denial of service vulnerabilities (here and here) in Apache and OpenSSL. Unlike the previous effort, the CROSS program aims to work directly with the projects, allowing them to use the tools to find flaws. They are currently working with around 20 hand-picked projects, but Codenomicon hopes to add more projects down the road.
The projects selected represent diverse network protocols, with voice over IP, network storage, and routing specifically mentioned as participants. Lack of prior testing as well as "interesting" protocols were also cited as criteria used to help select the participants. The list of specific CROSS projects is not publicly available as both Codenomicon and the projects themselves are concerned that participants would suffer from increased 'black hat' scrutiny if they were identified.
Codenomicon's product line is a suite of network protocol testing tools called DEFENSICS that are an outgrowth of research done at the University of Oulu in the Secure Programming Group (OUSPG). The PROTOS project produced free software for protocol testing that is still available and is "widely used" according to Codenomicon CTO Ari Takanen. PROTOS is based around the idea of proactive protocol testing by injecting unexpected input into a protocol stream; in essence, fuzzing with some smarts behind the generated test data.
Codenomicon observed that free tools did not get the same attention from management that was given to relatively expensive commercial tools and DEFENSICS bridges that gap. In addition, the DEFENSICS suite builds upon the lessons learned with PROTOS, extending and enhancing the basic concept while making it faster. Because of their research background and some level of altruism, Codenomicon wants to give back to the open source community and CROSS is their means of doing that. Obviously they are hoping to gain some name recognition and good press, but they also seem to have a real interest in helping to secure the internet by finding flaws proactively.
Open source projects can generally use all the help they can get when it comes to finding security flaws. It is accepted as an article of faith that "many eyes make all bugs shallow", but that only works when those eyes actually focus on a particular project. Just opening the source does not magically attract the attention of security-minded developers, and that makes projects like CROSS very useful. The Codenomicon tools (and PROTOS before them) have been successful in finding flaws in the past, and one can hope that this effort will similarly bear fruit. With luck we will see a number of security bug reports over the next few months that credit CROSS. This effort is reminiscent of Coverity's code analysis tools being used to assist open source projects; hopefully more companies decide to use our code as a testbed for their tools, as it can only help both to get better.
Security reports
Fortify Software documents Web 2.0 vulnerability
Fortify Software has announced the release of a new security advisory on JavaScript Hijacking. "Fortify Software, the leading provider of security products that help companies identify, manage and remediate software vulnerabilities, today announced that its Security Research Group has documented the first major vulnerability associated specifically with Web 2.0 and AJAX-style software. Termed JavaScript Hijacking, the vulnerability allows an attacker to steal critical data by emulating unsuspecting users. To combat this issue, Fortify has released an in-depth security advisory that details this vulnerability, how enterprises can determine if they are vulnerable and how they can fix the issue."
New vulnerabilities
Asterisk: two SIP denial of service vulnerabilities
| Package(s): | Asterisk | CVE #(s): | CVE-2007-1561 CVE-2007-1594 |
| Created: | April 3, 2007 | Updated: | August 27, 2007 |
| Description: | The Madynes research team at INRIA has discovered that Asterisk contains a null pointer dereferencing error in the SIP channel when handling INVITE messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or answering with a 0 return code. |
| Alerts: | |
ImageMagick: DCM and XWD buffer overflows
| Package(s): | imagemagick | CVE #(s): | CVE-2007-1719 |
| Created: | April 3, 2007 | Updated: | April 4, 2007 |
| Description: | iDefense Labs reports several buffer overflow vulnerabilities in ImageMagick version 6.3.x. |
| Alerts: | |
ImageMagick: integer overflows
| Package(s): | imagemagick | CVE #(s): | CVE-2007-1797 |
| Created: | April 4, 2007 | Updated: | August 11, 2009 |
| Description: | Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667. |
| Alerts: | |
kdelibs: bug in FTP protocol
| Package(s): | kdelibs | CVE #(s): | CVE-2007-1564 |
| Created: | March 30, 2007 | Updated: | April 4, 2007 |
| Description: | The FTP protocol implementation in Konqueror 3.5.5 allows remote servers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV command. |
| Alerts: | |
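The check a client needs before acting on a PASV reply, as an added example in C++ (not kdelibs code): the 227 reply is parsed and refused unless the advertised host matches the control-connection peer. The reply strings and addresses are constructed.

```cpp
#include <regex>
#include <string>

// Added example, not kdelibs code. Parses a "227 Entering Passive Mode
// (h1,h2,h3,h4,p1,p2)" reply and refuses to use it unless the advertised
// host is the one the control connection is already talking to.
struct PasvTarget {
    std::string host;   // dotted quad taken from the 227 reply
    int port = 0;       // (p1 << 8) | p2
    bool ok = false;    // true only when the reply parsed cleanly
};

PasvTarget parsePasvReply(const std::string& reply) {
    PasvTarget t;
    static const std::regex re(
        R"(227[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\))");
    std::smatch m;
    if (!std::regex_search(reply, m, re)) return t;
    int v[6];
    for (int i = 0; i < 6; ++i) {
        v[i] = std::stoi(m[i + 1].str());
        if (v[i] > 255) return t;               // not a valid octet or port byte
    }
    t.host = std::to_string(v[0]) + "." + std::to_string(v[1]) + "." +
             std::to_string(v[2]) + "." + std::to_string(v[3]);
    t.port = (v[4] << 8) | v[5];
    t.ok = t.port != 0;
    return t;
}

// controlHost is the address of the control-connection peer. A reply naming
// any other host is a bounce attempt: a fixed client either refuses it or
// ignores the advertised host and reuses controlHost (this example refuses).
bool pasvTargetAllowed(const PasvTarget& t, const std::string& controlHost) {
    if (!t.ok) return false;
    if (t.host != controlHost) return false;   // server tried to redirect us
    // Policy choice for this example: refuse privileged ports as well, since
    // a bounce to one of them is the proxied port scan the advisory describes.
    if (t.port < 1024) return false;
    return true;
}
```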
krb5: multiple vulnerabilities
| Package(s): | krb5 | CVE #(s): | CVE-2007-0956 CVE-2007-0957 CVE-2007-1216 |
| Created: | April 3, 2007 | Updated: | March 24, 2008 |
| Description: | A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. (MIT krb5 Security Advisory 2007-001) Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. (MIT krb5 Security Advisory 2007-002) A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. (MIT krb5 Security Advisory 2007-003) |
| Alerts: | |
OpenPBS: multiple vulnerabilities
| Package(s): | openpbs | CVE #(s): | CVE-2006-5616 |
| Created: | April 4, 2007 | Updated: | April 4, 2007 |
| Description: | SUSE reported vulnerabilities due to unspecified errors in OpenPBS. An attacker might be able to execute arbitrary code with the privileges of the user running openpbs, which might be the root user. |
| Alerts: | |
qt: "/../" injection
| Package(s): | qt | CVE #(s): | CVE-2007-0242 |
| Created: | April 4, 2007 | Updated: | September 13, 2007 |
| Description: | Andreas Nolden discovered a bug in qt3, where the UTF8 decoder does not reject overlong sequences, which can cause "/../" injection or (in the case of konqueror) a "<script>" tag injection. |
| Alerts: | |
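How an overlong UTF-8 sequence turns into "/../" after a byte-level filter has already passed the input, as an added example in C++ (not Qt's own decoder): one decoder run in the lenient mode the advisory describes and in a strict mode that enforces shortest-form encoding. The sample bytes are constructed.

```cpp
#include <string>

// Added example, not Qt code. With strict=false only the byte shapes are
// checked, so an overlong form such as C0 AF decodes arithmetically to
// U+002F '/'. With strict=true each sequence must also encode the shortest
// form (RFC 3629), so overlong sequences are rejected instead of decoded.
bool decodeUtf8(const std::string& in, std::u32string& out, bool strict) {
    static const char32_t minForLen[5] = {0, 0, 0x80, 0x800, 0x10000};
    out.clear();
    for (size_t i = 0; i < in.size();) {
        unsigned char b = static_cast<unsigned char>(in[i]);
        int len = b < 0x80 ? 1 : (b & 0xE0) == 0xC0 ? 2
                : (b & 0xF0) == 0xE0 ? 3 : (b & 0xF8) == 0xF0 ? 4 : 0;
        if (len == 0 || i + len > in.size()) return false;   // bad lead byte or truncated
        char32_t cp = (len == 1) ? b : (b & (0x7F >> len));
        for (int k = 1; k < len; ++k) {
            unsigned char c = static_cast<unsigned char>(in[i + k]);
            if ((c & 0xC0) != 0x80) return false;             // bad continuation byte
            cp = (cp << 6) | (c & 0x3F);
        }
        if (strict && (cp < minForLen[len] || cp > 0x10FFFF ||
                       (cp >= 0xD800 && cp <= 0xDFFF)))
            return false;                // overlong, surrogate, or out of range
        out.push_back(cp);
        i += len;
    }
    return true;
}

// A filter applied to the raw bytes before decoding: looks for the literal "/../".
bool bytesContainDotDot(const std::string& bytes) {
    return bytes.find("/../") != std::string::npos;
}

// What the decoder would hand to the path layer: true if "/../" survives decoding.
bool decodedContainsDotDot(const std::string& bytes, bool strict) {
    std::u32string cps;
    if (!decodeUtf8(bytes, cps, strict)) return false;   // rejected input never reaches a path
    return cps.find(U"/../") != std::u32string::npos;
}

// Constructed sample: "/../" with both slashes in the overlong two-byte form C0 AF.
const std::string kOverlongDotDot("\xC0\xAF..\xC0\xAF", 6);
```

The byte-level filter reports nothing for the sample, the lenient decoder reconstructs "/../" from it, and the strict decoder refuses the input outright.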
XFree86 X.org: integer overflows
| Package(s): | xfree86 x.org | CVE #(s): | CVE-2007-1003 CVE-2007-1667 CVE-2007-1351 CVE-2007-1352 |
| Created: | April 3, 2007 | Updated: | August 11, 2009 |
| Description: | iDefense reported an integer overflow flaw in the XFree86 XC-MISC extension. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2007-1003) iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352) An integer overflow flaw was found in the XFree86 XGetPixel() function. Improper use of this function could cause an application calling it to function improperly, possibly leading to a crash or arbitrary code execution. (CVE-2007-1667) |
| Alerts: | |
zope: cross-site scripting
| Package(s): | zope | CVE #(s): | CVE-2007-0240 |
| Created: | April 3, 2007 | Updated: | April 5, 2007 |
| Description: | A cross-site scripting vulnerability in Zope, a web application server, could allow an attacker to inject arbitrary HTML and/or JavaScript into the victim's web browser by using unspecified vectors in an HTTP GET request. This code would run within the security context of the web browser, potentially allowing the attacker to access private data such as authentication cookies, or to affect the rendering or behavior of Zope web pages. |
| Alerts: | |
zziplib: buffer overflow
| Package(s): | zziplib | CVE #(s): | CVE-2007-1614 |
| Created: | April 4, 2007 | Updated: | September 5, 2007 |
| Description: | dmcox discovered a boundary error in the zzip_open_shared_io() function from zzip/file.c. A remote attacker could entice a user to run a zziplib function with an overly long string as an argument, which would trigger the buffer overflow and may lead to the execution of arbitrary code. |
| Alerts: | |
Page editor: Jonathan Corbet