

Brief items

CROSS: A step towards better open source security

April 4, 2007

This article was contributed by Jake Edge.

Finnish security company Codenomicon has announced a new initiative to assist open source software projects in finding security flaws. The Codenomicon Robust Open Source Software (CROSS) program is targeted at projects that form part of the infrastructure of the internet; by making its proprietary testing tools available to those projects, Codenomicon hopes to find critical security flaws before attackers do.

For Codenomicon, this is their second foray into assisting open source projects. In 2004, their tools were used by Red Hat engineers to find denial of service vulnerabilities (here and here) in Apache and OpenSSL. Unlike the previous effort, the CROSS program aims to work directly with the projects, allowing them to use the tools to find flaws. They are currently working with around 20 hand-picked projects, but Codenomicon hopes to add more projects down the road.

The projects selected represent diverse network protocols, with voice over IP, network storage, and routing specifically mentioned as participants. Lack of prior testing as well as "interesting" protocols were also cited as criteria used to help select the participants. The list of specific CROSS projects is not publicly available as both Codenomicon and the projects themselves are concerned that participants would suffer from increased 'black hat' scrutiny if they were identified.

Codenomicon's product line is a suite of network protocol testing tools called DEFENSICS that are an outgrowth of research done at the University of Oulu in the Secure Programming Group (OUSPG). The PROTOS project produced free software for protocol testing that is still available and is "widely used" according to Codenomicon CTO Ari Takanen. PROTOS is based around the idea of proactive protocol testing by injecting unexpected input into a protocol stream; in essence, fuzzing with some smarts behind the generated test data.
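The PROTOS idea described above, as an added illustration that is not code from Codenomicon, PROTOS or DEFENSICS: a structure-aware generator substitutes anomalies into each field of a valid template message and records how the parser under test reacts. The toy SIP-style parser, the anomaly list and the template message are all constructed for this example; a documented ParseError counts as the parser doing its job, while any other exception is a robustness finding.

```python
# Anomaly library (constructed): each value replaces one template field in turn.
ANOMALIES = ["", "A" * 4096, "-1", "0", "2147483648", "4294967295", "\x00", "\xff\xfe"]
# A valid SIP-style request, split into the fields the generator knows about.
TEMPLATE = {"method": "INVITE", "uri": "sip:bob@example.org", "version": "SIP/2.0",
            "via": "SIP/2.0/UDP host.example.org", "content_length": "0"}

def build_message(fields):
    return ("{method} {uri} {version}\r\nVia: {via}\r\n"
            "Content-Length: {content_length}\r\n\r\n").format(**fields)

class ParseError(Exception):
    pass  # the parser's documented way of rejecting malformed input

def split_message(raw):
    """Shared syntax check of a toy parser (constructed): request line, headers, body."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ParseError("missing header terminator")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ParseError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ParseError("malformed header")
        headers[name.strip().lower()] = value.strip()
    return parts, headers, body

def parse_request(raw):
    parts, headers, body = split_message(raw)
    length = int(headers.get("content-length", "0"))  # robustness bug: unchecked int()
    return {"method": parts[0], "headers": headers, "body": body[:length]}

def parse_request_hardened(raw):
    parts, headers, body = split_message(raw)
    value = headers.get("content-length", "0")
    if not value.isdigit():  # reject before converting, as an ordinary parse failure
        raise ParseError("bad Content-Length")
    return {"method": parts[0], "headers": headers, "body": body[:int(value)]}

def fuzz(parser):
    """Inject every anomaly into every field; report exceptions other than ParseError."""
    findings = []
    for field in TEMPLATE:
        for i, anomaly in enumerate(ANOMALIES):
            try:
                parser(build_message(dict(TEMPLATE, **{field: anomaly})))
            except ParseError:
                continue
            except Exception as exc:
                findings.append((field, i, type(exc).__name__))
    return findings
```

Run against the unchecked parser, the generator reports the four Content-Length anomalies that escape as a bare ValueError; against the hardened parser it reports nothing.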

Codenomicon observed that free tools did not get the same attention from management that was given to relatively expensive commercial tools, and DEFENSICS bridges that gap. In addition, the DEFENSICS suite builds upon the lessons learned with PROTOS, extending and enhancing the basic concept while making it faster. Because of their research background and some level of altruism, Codenomicon wants to give back to the open source community, and CROSS is their means of doing that. Obviously they are hoping to gain some name recognition and good press, but they also seem to have a real interest in helping to secure the internet by finding flaws proactively.

Open source projects can generally use all the help they can get when it comes to finding security flaws. It is accepted as an article of faith that "many eyes make all bugs shallow", but that only works when those eyes actually focus on a particular project. Just opening the source does not magically attract the attention of security-minded developers, and that makes projects like CROSS very useful. The Codenomicon tools (and PROTOS before that) have been successful in finding flaws in the past and one can hope that this effort will similarly bear fruit. With luck we will see a number of security bug reports over the next few months that credit CROSS. This effort is reminiscent of Coverity's code analysis tools being used to assist open source projects; hopefully more companies decide to use our code as a testbed for their tools, since it can only help both to get better.


Security reports

Fortify Software documents Web 2.0 vulnerability

Fortify Software has announced the release of a new security advisory on JavaScript Hijacking. "Fortify Software, the leading provider of security products that help companies identify, manage and remediate software vulnerabilities, today announced that its Security Research Group has documented the first major vulnerability associated specifically with Web 2.0 and AJAX-style software. Termed JavaScript Hijacking, the vulnerability allows an attacker to steal critical data by emulating unsuspecting users. To combat this issue, Fortify has released an in-depth security advisory that details this vulnerability, how enterprises can determine if they are vulnerable and how they can fix the issue."


New vulnerabilities

Asterisk: two SIP denial of service vulnerabilities

Package(s): Asterisk    CVE #(s): CVE-2007-1561 CVE-2007-1594
Created: April 3, 2007    Updated: August 27, 2007
Description: The Madynes research team at INRIA has discovered that Asterisk contains a null pointer dereference in the SIP channel when handling INVITE messages. Furthermore, qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or by answering with a 0 return code.
Debian DSA-1358-1 asterisk 2007-08-26
SuSE SUSE-SA:2007:034 asterisk 2007-06-06
Gentoo 200704-01 Asterisk 2007-04-02


ImageMagick: DCM and XWD buffer overflows

Package(s): imagemagick    CVE #(s): CVE-2007-1719
Created: April 3, 2007    Updated: April 4, 2007
Description: iDefense Labs reports several buffer overflow vulnerabilities in ImageMagick version 6.3.x.
Foresight FLEA-2007-0006-2 ImageMagick 2007-04-03
Foresight FLEA-2007-0006-1 ImageMagick 2007-04-03


ImageMagick: integer overflows

Package(s): imagemagick    CVE #(s): CVE-2007-1797
Created: April 4, 2007    Updated: August 11, 2009
Description: Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667.
Debian DSA-1858-1 imagemagick 2009-08-10
Red Hat RHSA-2008:0165-01 ImageMagick 2008-04-16
Red Hat RHSA-2008:0145-01 ImageMagick 2008-04-16
Fedora FEDORA-2007-1340 GraphicsMagick 2007-07-30
Mandriva MDKSA-2007:147 ImageMagick 2007-07-20
Ubuntu USN-481-1 imagemagick 2007-07-10
Gentoo 200705-13 imagemagick 2007-05-10
Fedora FEDORA-2007-414 ImageMagick 2007-04-17
Fedora FEDORA-2007-413 ImageMagick 2007-04-05
rPath rPSA-2007-0064-1 ImageMagick 2007-04-04


kdelibs: bug in FTP protocol

Package(s): kdelibs    CVE #(s): CVE-2007-1564
Created: March 30, 2007    Updated: April 4, 2007
Description: The FTP protocol implementation in Konqueror 3.5.5 allows remote servers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV command.
Mandriva MDKSA-2007:072 kdelibs 2007-03-29
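The client-side check that closes the hole described above, as an added example that is not kdelibs or Konqueror code: parse the server's 227 reply and refuse a data connection to any host other than the one the control connection already talks to. It assumes the caller passes the control connection's numeric IPv4 address, and it treats an advertised 0.0.0.0 as "same host" (a convention used by some servers behind NAT; that choice is an assumption of this example).

```python
import re

# Matches the (h1,h2,h3,h4,p1,p2) tuple of an RFC 959 "227 Entering Passive Mode" reply.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (host, port) from a 227 reply; raise ValueError for anything else."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in PASV reply")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_endpoint(reply, control_host):
    """Decide where the data connection may go. The advertised host must be the
    host the control connection is already talking to; anything else is the
    redirection the advisory describes and is refused rather than followed."""
    host, port = parse_pasv(reply)
    if host == "0.0.0.0":  # assumption: "use the control host", as some NATed servers mean
        host = control_host
    if host != control_host:
        raise ValueError("PASV reply points at %s, control connection is to %s"
                         % (host, control_host))
    return host, port
```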


krb5: multiple vulnerabilities

Package(s): krb5    CVE #(s): CVE-2007-0956 CVE-2007-0957 CVE-2007-1216
Created: April 3, 2007    Updated: March 24, 2008
Description: A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. MIT krb5 Security Advisory 2007-001

Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. MIT krb5 Security Advisory 2007-002

A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. MIT krb5 Security Advisory 2007-003

Mandriva MDKSA-2007:077-1 krb5 2007-04-10
Foresight FLEA-2007-0008-1 krb5 2007-04-05
SuSE SUSE-SA:2007:025 krb5 2007-04-05
Mandriva MDKSA-2007:077 krb5 2006-04-04
rPath rPSA-2007-0063-1 krb5 2007-04-04
Ubuntu USN-449-1 krb5 2007-04-04
Gentoo 200704-02 mit-krb5 2007-04-03
Fedora FEDORA-2007-409 krb5 2007-04-03
Fedora FEDORA-2007-408 krb5 2007-04-03
Debian DSA-1276-1 krb5 2007-04-03
Red Hat RHSA-2007:0095-01 krb5 2007-04-03


OpenPBS: multiple vulnerabilities

Package(s): openpbs    CVE #(s): CVE-2006-5616
Created: April 4, 2007    Updated: April 4, 2007
Description: SUSE reported vulnerabilities due to unspecified errors in OpenPBS. An attacker might be able to execute arbitrary code with the privileges of the user running openpbs, which might be the root user.
Gentoo 200704-04 openpbs 2007-04-03


qt: "/../" injection

Package(s): qt    CVE #(s): CVE-2007-0242
Created: April 4, 2007    Updated: September 13, 2007
Description: Andreas Nolden discovered a bug in qt3 where the UTF-8 decoder does not reject overlong sequences, which can allow "/../" injection or (in the case of konqueror) "<script>" tag injection.
CentOS CESA-2011:1324 qt4 2011-09-22
Scientific Linux SL-qt4-20110921 qt4 2011-09-21
Red Hat RHSA-2011:1324-01 qt4 2011-09-21
Red Hat RHSA-2007:0883-01 qt 2007-09-13
Debian DSA-1292-1 qt4-x11 2007-05-15
SuSE SUSE-SR:2007:006 Qt, kdelibs3, mediawiki, freetype2, xmms, spamassassin 2007-04-13
Ubuntu USN-452-1 kdelibs, qt-x11-free 2007-04-11
Mandriva MDKSA-2007:075-1 qt4 2007-04-10
rPath rPSA-2007-0066-1 kdelibs 2007-04-04
Slackware SSA:2007-093-03 qt 2007-04-04
Mandriva MDKSA-2007:075 qt4 2007-04-03
Mandriva MDKSA-2007:076 kdelibs 2007-04-03
Mandriva MDKSA-2007:074 qt3 2007-04-03
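Why an overlong sequence matters, as an added example that is not qt's code: a hand-rolled decoder whose strict mode enforces shortest-form encoding and whose lenient mode models the bug class in the advisory, beside a filter that checks the raw bytes for traversal characters before decoding. The decoder, the filter and the sample bytes are constructed for this example; Python's own bytes.decode("utf-8") already rejects overlong forms, which is why a lenient decoder has to be written by hand to show the effect.

```python
def decode_utf8(data, strict=True):
    """Hand-rolled UTF-8 decoder (constructed model, not qt's code). strict=False
    reproduces the bug class in the advisory: overlong forms are accepted."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, n, minimum = b, 0, 0
        elif 0xC0 <= b < 0xE0:
            cp, n, minimum = b & 0x1F, 1, 0x80
        elif 0xE0 <= b < 0xF0:
            cp, n, minimum = b & 0x0F, 2, 0x800
        elif 0xF0 <= b < 0xF8:
            cp, n, minimum = b & 0x07, 3, 0x10000
        else:
            raise ValueError("invalid lead byte at offset %d" % i)
        for j in range(1, n + 1):
            if i + j >= len(data) or (data[i + j] & 0xC0) != 0x80:
                raise ValueError("truncated or bad continuation byte at offset %d" % (i + j))
            cp = (cp << 6) | (data[i + j] & 0x3F)
        if cp > 0x10FFFF:
            raise ValueError("code point out of range at offset %d" % i)
        if strict and (cp < minimum or 0xD800 <= cp <= 0xDFFF):
            # The check a lenient decoder lacks: the shortest encoding is the only valid one.
            raise ValueError("overlong or surrogate sequence at offset %d" % i)
        out.append(chr(cp))
        i += n + 1
    return "".join(out)

def decoded_path_component(raw, strict=True):
    """Model of a filter that inspects the raw bytes for traversal characters and
    only then decodes. The byte-level check is sound only if the decoder is strict."""
    if b"/" in raw or b".." in raw:
        raise ValueError("rejected by byte-level filter")
    return decode_utf8(raw, strict)

# Constructed sample: the overlong two-byte forms C0 AF and C0 AE, which a lenient
# decoder maps to '/' and '.', so the bytes pass the filter but decode to "/../".
OVERLONG_TRAVERSAL = b"\xc0\xaf\xc0\xae\xc0\xae\xc0\xaf"
```

With strict decoding the same bytes are rejected at the first sequence, so a byte-level filter and a strict decoder together leave no way for the decoded string to contain characters the filter never saw.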


XFree86 integer overflows

Package(s): xfree86    CVE #(s): CVE-2007-1003 CVE-2007-1667 CVE-2007-1351 CVE-2007-1352
Created: April 3, 2007    Updated: August 11, 2009
Description: iDefense reported an integer overflow flaw in the XFree86 XC-MISC extension. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2007-1003)

iDefense reported two integer overflows in the way various font files were handled. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the server. (CVE-2007-1351, CVE-2007-1352)

An integer overflow flaw was found in the XFree86 XGetPixel() function. Improper use of this function could cause an application calling it to function improperly, possibly leading to a crash or arbitrary code execution. (CVE-2007-1667)

Debian DSA-1858-1 imagemagick 2009-08-10
SuSE SUSE-SR:2008:008 wireshark, otrs, xine, xgl, silc-toolkit, lighttpd, tk 2008-04-04
Debian DSA-1454-1 freetype 2008-01-07
Debian DSA-1294-1 xfree86 2007-05-17
Gentoo 200705-10 libXfont 2007-05-08
Gentoo 200705-06 libX11 2007-05-05
Gentoo 200705-02 freetype 2007-05-01
Ubuntu USN-453-2 libx11 2007-04-26
SuSE SUSE-SA:2007:027 XFree86, Xorg 2007-04-20
Slackware SSA:2007-109-01 freetype 2007-04-20
Ubuntu USN-453-1 libx11 2007-04-18
Red Hat RHSA-2007:0157-01 xorg-x11-apps libX11 2007-04-16
Red Hat RHSA-2007:0150-01 freetype 2007-04-16
Mandriva MDKSA-2007:079-1 xorg-x11 2007-04-11
Mandriva MDKSA-2007:080-1 tightvnc 2007-04-10
Mandriva MDKSA-2007:081-1 freetype2 2007-04-10
Fedora FEDORA-2007-427 libX11 2007-04-10
Fedora FEDORA-2007-426 libX11 2007-04-10
Fedora FEDORA-2007-425 xorg-x11-server 2007-04-10
Fedora FEDORA-2007-424 xorg-x11-server 2007-04-10
Fedora FEDORA-2007-423 libXfont 2007-04-09
Fedora FEDORA-2007-422 libXfont 2007-04-09
Foresight FLEA-2007-0009-1 xorg-server, libX11, libXfont 2007-04-05
Mandriva MDKSA-2007:080 tightvnc 2007-04-04
Mandriva MDKSA-2007:081 freetype2 2007-04-04
Mandriva MDKSA-2007:079 xorg-x11 2007-04-04
rPath rPSA-2007-0065-1 freetype 2007-04-04
Ubuntu USN-448-1 freetype, libxfont, xorg, xorg-server 2007-04-03
Red Hat RHSA-2007:0132-01 libXfont 2007-04-03
Red Hat RHSA-2007:0127-01 xorg-x11-server 2007-04-03
Red Hat RHSA-2007:0126-01 2007-04-03
Red Hat RHSA-2007:0125-01 XFree86 2007-04-03


zope: cross-site scripting

Package(s): zope    CVE #(s): CVE-2007-0240
Created: April 3, 2007    Updated: April 5, 2007
Description: A cross-site scripting vulnerability in Zope, a web application server, could allow an attacker to inject arbitrary HTML and/or JavaScript into the victim's web browser by using unspecified vectors in an HTTP GET request. This code would run within the security context of the web browser, potentially allowing the attacker to access private data such as authentication cookies, or to affect the rendering or behavior of Zope web pages.
Debian DSA-1275-1 zope2.7 2007-04-02


zziplib: buffer overflow

Package(s): zziplib    CVE #(s): CVE-2007-1614
Created: April 4, 2007    Updated: September 5, 2007
Description: dmcox discovered a boundary error in the zzip_open_shared_io() function in zzip/file.c. A remote attacker could entice a user to run a zziplib function with an overly long string as an argument, which would trigger the buffer overflow and may lead to the execution of arbitrary code.
Debian-Testing DTSA-56-1 zziplib 2007-09-04
Mandriva MDKSA-2007:093 zziplib 2007-04-23
Gentoo 200704-05 zziplib 2007-04-03


Page editor: Jonathan Corbet

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds