
Security

Bandit: multi-protocol identity management

By Jake Edge
September 26, 2007

The Novell-sponsored Bandit project is a relatively new entry into the somewhat crowded digital identity space. Bandit is trying to unify the disparate protocols and mechanisms for authentication into a consistent view for users and applications. A user would then be independent of the underlying authentication method, while keeping full control over what information is released to a site that requests it.

One of the more annoying "features" of the web is the necessity of signing up with various sites, often using the same information (name, email address, mailing address, etc.). Once that is done, users need to remember their password at each site, which often means taking a very insecure shortcut by using the same one everywhere. Even a quick correction or pointer added into a comment thread will often require creating an account and logging in, definitely a barrier to quick and easy internet discourse. LWN is as "guilty" as most other sites, as there is no other simple solution to reducing comment spam.

The idea behind Bandit, and the other identity management systems, is to provide a means for users to manage this information and present it to the sites they wish to use, without retyping their full name and contact information all over the place. It can also store more sensitive information, such as credit card numbers. Unlike centralized schemes, the user's information can be stored locally, with external servers used only to validate the connection between an identity and the credentials presented.

Where Bandit differs is that it intends to encompass the various other free authentication mechanisms and interoperate with them. In some ways it is like a web browser, which incorporates multiple different protocols (http, ftp, local file access, etc.) into a single view for the user. Bandit extends the browser by providing a Firefox plug-in that communicates with its DigitalMe identity manager.

DigitalMe will do the heavy lifting of keeping track of the identities, where and how they are stored, and how to communicate them to the requesting site (the relying party, in identity-management jargon). The Firefox plug-in will present the stored identities to the user and let them choose one. It will also display the information requested by the relying party and allow the user to select which items may be sent, keeping the user firmly in control.

An auditing framework is also part of Bandit, to allow companies to ensure that identities are used in compliance with regulations or company standards. One of the use cases described for Bandit is a company whose employees use identity cards to log in to its systems. All of the identity information for those users would be stored by the company rather than the employee, which would allow the company to recover it when an employee leaves. The identities would correspond to various company-run services as well as the vendor or customer systems used by the employee.

Because it incorporates so many different standards and protocols, Bandit is even more of an alphabet soup than other identity systems. It is too early to see whether it lives up to its grand vision. The project has released some code, but DigitalMe is currently packaged only for SuSE Linux distributions. It is all free software, mostly licensed under the LGPL, and it certainly has some interesting ideas.

Windows has its own idea of identity management, CardSpace, that Bandit can also interoperate with in some fashion. Novell is demonstrating the technology and its interoperability with CardSpace at the Digital ID World conference this week. In conjunction with the conference, Novell is also promoting a "Control Your Identity" campaign that is encouraging users to get Bandit cards.

Like much of the work in this area, Bandit shows a lot of promise, but in order for it, or any other identity management framework, to succeed, there must be user interest. Plenty of complaints are heard about identity handling and the need to sign on seemingly everywhere on the web, but so far, no solution has really made a lot of headway. Because it intends to incorporate most of the solutions out there, Bandit may have a better chance than most.

Comments (4 posted)

New vulnerabilities

bugzilla: unauthorized account creation

Package(s):bugzilla CVE #(s):CVE-2007-5038
Created:September 25, 2007 Updated:September 26, 2007
Description: The offer_account_by_email function in User.pm in the WebService for Bugzilla before 3.0.2, and 3.1.x before 3.1.2, does not check the value of the createemailregexp parameter, which allows remote attackers to bypass intended restrictions on account creation.
Alerts:
Fedora FEDORA-2007-2299 bugzilla 2007-09-25

Comments (1 posted)

elinks: remote data sniffing

Package(s):elinks CVE #(s):CVE-2007-5034
Created:September 25, 2007 Updated:October 9, 2007
Description: ELinks before 0.11.3, when sending a POST request for an https URL, appends the body and content headers of the POST request to the CONNECT request in cleartext, which allows remote attackers to sniff sensitive data that would have been protected by TLS. NOTE: this issue only occurs when a proxy is defined for https.
Alerts:
Fedora FEDORA-2007-710 elinks 2007-10-08
rPath rPSA-2007-0209-1 elinks 2007-10-05
Red Hat RHSA-2007:0933-01 ELinks 2007-10-03
Debian DSA-1380-1 elinks 2007-10-02
Ubuntu USN-519-1 elinks 2007-09-25
Fedora FEDORA-2007-2224 elinks 2007-09-24

Comments (none posted)
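To make the ELinks entry above concrete, here is an added example, written for this page and not ELinks code, that models both ways a client can send a POST to an https URL through an HTTP proxy: the correct split between the cleartext CONNECT request and the POST that travels only inside the TLS tunnel, and the vulnerable form that appends the POST's content headers and body to the CONNECT. It also carries the check a proxy operator or someone reading a packet capture would apply: a CONNECT request has no entity body, so any content header or trailing bytes on it are plaintext that belonged inside TLS. The host example.test, the /login path and the form body are constructed.

```python
"""Constructed model of CVE-2007-5034 (added example, not ELinks code).

A POST to an https URL via an HTTP proxy is two separate steps: the client
sends a CONNECT request to the proxy in cleartext, naming only host:port,
and only after the proxy answers "200 Connection established" does it start
TLS through the tunnel and send the POST inside it. The vulnerable client
glued the POST's content headers and body onto the CONNECT request, so the
proxy and anyone on the path saw them in clear.
"""


def build_connect(host, port):
    """A correct CONNECT request: request line and Host header, nothing else."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "\r\n").encode()


def build_post(host, path, body):
    """The inner request; it must only ever be written to the TLS socket."""
    return (f"POST {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n"
            "\r\n").encode() + body


def correct_exchange(host, port, path, body):
    """What a fixed client writes to each channel."""
    return {"cleartext": build_connect(host, port),
            "inside_tls": build_post(host, path, body)}


def vulnerable_connect(host, port, body):
    """Model of the flaw: the POST's content headers and body ride on the
    cleartext CONNECT request instead of waiting for the tunnel."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n"
            "\r\n").encode() + body


def split_request(wire):
    """Split one cleartext request into (request line, headers, trailing bytes)."""
    head, _, rest = wire.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, rest


def connect_carries_payload(wire):
    """The check from the proxy's (or a sniffer's) seat: a CONNECT request has
    no entity body, so a content header or bytes after the blank line are
    plaintext that should have been inside the TLS session."""
    request_line, headers, rest = split_request(wire)
    if not request_line.startswith("CONNECT "):
        return False
    return (headers.get("content-length", "0") != "0"
            or "transfer-encoding" in headers
            or "content-type" in headers
            or len(rest) > 0)


# Constructed sample: a login form submission to a made-up host.
SAMPLE_BODY = b"user=alice&password=hunter2"

if __name__ == "__main__":
    good = correct_exchange("example.test", 443, "/login", SAMPLE_BODY)
    bad = vulnerable_connect("example.test", 443, SAMPLE_BODY)
    print("correct CONNECT leaks payload:", connect_carries_payload(good["cleartext"]))
    print("vulnerable CONNECT leaks payload:", connect_carries_payload(bad))
    print("bytes visible to the proxy:", split_request(bad)[2])
```

The same `connect_carries_payload` check applies to a captured client-to-proxy stream: the bytes before the proxy's `200` reply must stop at the CONNECT header block, and anything after it in the clear is a leak regardless of which client produced it.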

fuse: incorrect file access permissions

Package(s):fuse CVE #(s):
Created:September 26, 2007 Updated:September 26, 2007
Description: It was discovered that members of the group fuse can get access to devices which they normally should not have access to. For ntfs-3g mounts, this was because /sbin/mount.ntfs-3g was setuid root. This update fixes /sbin/mount.ntfs-3g so that it no longer has the setuid bit set. The fuse package is also being updated to correct an error in the previous testing package, which incorrectly changed the permissions on /dev/fuse.
Alerts:
Fedora FEDORA-2007-2295 fuse 2007-09-25

Comments (none posted)

httpd: denial of service, cross-site scripting

Package(s):apache httpd CVE #(s):CVE-2007-3847 CVE-2007-4465
Created:September 25, 2007 Updated:February 15, 2008
Description: A flaw was found in the mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-3847)

A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the AddDefaultCharset directive has been removed from the configuration, a cross-site-scripting attack may be possible against browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465)

Alerts:
Slackware SSA:2008-045-02 apache 2008-02-15
Ubuntu USN-575-1 apache2 2008-02-04
Red Hat RHSA-2008:0008-01 httpd 2008-01-15
Red Hat RHSA-2008:0006-01 httpd 2008-01-15
Red Hat RHSA-2008:0005-01 httpd 2008-01-15
Red Hat RHSA-2008:0004-01 apache 2008-01-15
Mandriva MDKSA-2007:235 apache 2007-12-03
SuSE SUSE-SA:2007:061 apache2 2007-11-19
Red Hat RHSA-2007:0747-02 httpd 2007-11-15
Gentoo 200711-06 apache 2007-11-07
Red Hat RHSA-2007:0746-04 httpd 2007-11-07
Red Hat RHSA-2007:0911-01 httpd 2007-10-25
Fedora FEDORA-2007-707 httpd 2007-09-24

Comments (none posted)

JRockit: multiple vulnerabilities

Package(s):jrockit-jdk-bin CVE #(s):CVE-2007-2788 CVE-2007-4381 CVE-2007-3716 CVE-2007-2789 CVE-2007-3004 CVE-2007-3005 CVE-2007-3503 CVE-2007-3698 CVE-2007-3922
Created:September 24, 2007 Updated:June 24, 2008
Description: An integer overflow vulnerability exists in the embedded ICC profile image parser (CVE-2007-2788), an unspecified vulnerability exists in the font parsing implementation (CVE-2007-4381), and an error exists when processing XSLT stylesheets contained in XSLT Transforms in XML signatures (CVE-2007-3716), among other vulnerabilities.
Alerts:
Red Hat RHSA-2008:0133-01 IBM Java 2008-06-24
SuSE SUSE-SA:2008:025 IBMJava2,IBMJava5,java-1_4_2-ibm,java-1_5_0-ibm 2008-04-25
Gentoo 200804-20 sun-jre, sun-jdk 2008-04-17
Red Hat RHSA-2008:0100-01 java-1.4.2-bea 2008-03-11
Red Hat RHSA-2008:0132-01 java-1.4.2-ibm 2008-02-14
Red Hat RHSA-2007:1086-01 java-1.4.2-bea 2007-12-12
Gentoo 200709-15 jrockit-jdk-bin 2007-09-23

Comments (none posted)

kdebase: kdm passwordless login vulnerability

Package(s):kdebase kdm CVE #(s):CVE-2007-4569
Created:September 21, 2007 Updated:November 13, 2007
Description: According to this KDE advisory, KDM can be tricked into performing a password-less login even for accounts with a password set, under certain circumstances: autologin must be configured and "shutdown with password" enabled. KDE versions 3.3.0 up to and including 3.5.7 are vulnerable.
Alerts:
Gentoo 200710-15 kdm 2007-10-14
Fedora FEDORA-2007-716 kdebase 2007-10-08
Fedora FEDORA-2007-2361 kdebase 2007-10-03
Mandriva MDKSA-2007:190 kdebase 2007-09-27
Ubuntu USN-517-1 kdebase 2007-09-24
Slackware SSA:2007-264-01 kdebase 2007-09-24
rPath rPSA-2007-0194-1 kdebase 2007-09-20
Debian DSA-1376 kdebase 2007-09-21

Comments (none posted)

kernel: out-of-bounds access

Package(s):kernel CVE #(s):CVE-2007-4573
Created:September 25, 2007 Updated:December 6, 2010
Description: The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero-extend the eax register after the 32-bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.
Alerts:
Mandriva MDVSA-2010:247 kernel 2010-12-03
Mandriva MDVSA-2010:188 kernel 2010-09-23
Mandriva MDVSA-2010:198 kernel 2010-10-07
Mandriva MDVSA-2008:105 kernel 2007-05-21
Debian DSA-1504 kernel-source-2.6.8 2008-02-22
Mandriva MDVSA-2008:008 kernel 2008-01-11
SuSE SUSE-SA:2007:064 kernel 2007-12-04
SuSE SUSE-SA:2007:053 kernel 2007-10-12
Mandriva MDKSA-2007:195 kernel 2007-10-15
Mandriva MDKSA-2007:196 kernel 2007-10-15
Debian DSA-1381-2 linux-2.6 2007-10-12
Debian DSA-1381-1 kernel 2007-10-02
Debian DSA-1378-2 linux-2.6 2007-09-28
Debian DSA-1378-1 linux-2.6 2007-09-27
Red Hat RHSA-2007:0938-01 kernel 2007-09-27
Red Hat RHSA-2007:0937-01 kernel 2007-09-27
Red Hat RHSA-2007:0936-01 kernel 2007-09-27
Ubuntu USN-518-1 linux-source-2.6.15/17/20 2007-09-25
rPath rPSA-2007-0198-1 kernel 2007-09-24
Fedora FEDORA-2007-712 kernel 2007-09-24
Fedora FEDORA-2007-2298 kernel 2007-09-25

Comments (none posted)
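A model of the register mismatch behind the kernel entry above, as an added example that is not kernel code: the ia32 entry path compared the system call number in the 32-bit %eax but indexed the table with the full 64-bit %rax, so a tracer-supplied register value with a valid number in its low 32 bits and non-zero bits above passed the check and indexed past the table. The four-entry table and the register value are constructed; the fix is modelled as zero-extending the register before both the comparison and the index.

```python
"""Constructed model of CVE-2007-4573 (added example, not kernel code).

On x86_64 the 32-bit (ia32) system call entry compared the syscall number
in the 32-bit %eax, then indexed the ia32 syscall table with the full
64-bit %rax. After a normal 32-bit entry the upper half of %rax is zero,
so the two agree. Through the ptrace path a tracer could hand back a
64-bit value that was not zero-extended: the low 32 bits passed the
bounds check while the index used the whole register.
"""
MASK32 = 0xFFFFFFFF

# Toy syscall table; the real ia32_sys_call_table has hundreds of entries.
IA32_SYS_CALL_TABLE = ["ni_syscall", "exit", "fork", "read"]
NR_SYSCALLS = len(IA32_SYS_CALL_TABLE)


def dispatch(rax, zero_extend):
    """Return ("reject", None), ("call", name) or ("oob", index).

    zero_extend=False models the vulnerable path; True models the fix,
    which clears the upper 32 bits (as "movl %eax,%eax" does) before the
    register is compared and used as an index.
    """
    if zero_extend:
        rax &= MASK32
    eax = rax & MASK32
    if eax >= NR_SYSCALLS:                 # the compare looks at %eax only
        return ("reject", None)
    if rax >= NR_SYSCALLS:                 # the indexed call uses %rax
        return ("oob", rax)                # a "pointer" read beyond the table
    return ("call", IA32_SYS_CALL_TABLE[rax])


# Constructed tracer-supplied register: low 32 bits hold a valid number (3),
# the upper half is non-zero.
TRACER_RAX = (0x1 << 32) | 3

if __name__ == "__main__":
    print("normal entry:    ", dispatch(3, zero_extend=False))
    print("tainted, no fix: ", dispatch(TRACER_RAX, zero_extend=False))
    print("tainted, fixed:  ", dispatch(TRACER_RAX, zero_extend=True))
```

The point the model makes is that the comparison and the index must operate on the same width; masking only for the check, as the vulnerable path effectively did, leaves the table access unbounded.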

libsndfile: heap-based buffer overflow

Package(s):libsndfile CVE #(s):CVE-2007-4974
Created:September 25, 2007 Updated:January 9, 2008
Description: Heap-based buffer overflow in libsndfile 1.0.17 and earlier might allow remote attackers to execute arbitrary code via a FLAC file with crafted PCM data containing a block with a size that exceeds the previous block size.
Alerts:
SuSE SUSE-SR:2008:001 libexiv2 dvips libsndfile squid rsync clamav xen 2008-01-09
Debian DSA-1442-1 libsndfile 2007-12-29
Gentoo 200710-04 libsndfile 2007-10-07
Ubuntu USN-525-1 libsndfile 2007-10-04
Mandriva MDKSA-2007:191 libsndfile 2007-10-01
Fedora FEDORA-2007-2236 libsndfile 2007-09-24

Comments (none posted)

postgresql: several vulnerabilities

Package(s):postgresql CVE #(s):CVE-2007-3278 CVE-2007-3279 CVE-2007-3280
Created:September 25, 2007 Updated:February 1, 2008
Description: PostgreSQL 8.1 and probably later and earlier versions, when local trust authentication is enabled and the Database Link library (dblink) is installed, allows remote attackers to access arbitrary accounts and execute arbitrary SQL queries via a dblink host parameter that proxies the connection from 127.0.0.1. (CVE-2007-3278)

PostgreSQL 8.1 and probably later and earlier versions, when the PL/pgSQL (plpgsql) language has been created, grants certain plpgsql privileges to the PUBLIC domain, which allows remote attackers to create and execute functions, as demonstrated by functions that perform local brute-force password guessing attacks, which may evade intrusion detection. (CVE-2007-3279)

The Database Link library (dblink) in PostgreSQL 8.1 implements functions via CREATE statements that map to arbitrary libraries based on the C programming language, which allows remote authenticated superusers to map and execute a function from any library, as demonstrated by using the system function in libc.so.6 to gain shell access. (CVE-2007-3280)

Alerts:
Red Hat RHSA-2008:0040-01 postgresql 2008-02-01
Gentoo 200801-15 postgresql 2008-01-29
Ubuntu USN-568-1 postgresql 2008-01-14
Debian DSA-1463-1 postgresql-7.4 2008-01-14
Debian DSA-1460-1 postgresql-8.1 2008-01-13
Red Hat RHSA-2008:0039-01 postgresql 2008-01-11
Red Hat RHSA-2008:0038-01 postgresql 2008-01-11
Mandriva MDKSA-2007:188 postgresql 2007-09-25

Comments (1 posted)

t1lib: buffer overflow

Package(s):t1lib CVE #(s):CVE-2007-4033
Created:September 20, 2007 Updated:February 12, 2008
Description: T1lib, an enhanced rasterizer for X11 Type 1 fonts, does not properly perform bounds checking. An attacker can send specially crafted input to applications linked against the library in order to create a buffer overflow, resulting in a denial of service or the execution of arbitrary code.
Alerts:
Foresight FLEA-2008-0006-1 tetex 2008-02-11
rPath rPSA-2008-0007-1 tetex 2008-01-04
Mandriva MDKSA-2007:230 tetex 2007-11-20
Fedora FEDORA-2007-3308 tetex 2007-11-20
Fedora FEDORA-2007-750 tetex 2007-11-21
Fedora FEDORA-2007-3390 tetex 2007-11-20
Red Hat RHSA-2007:1027-02 tetex 2007-11-08
Debian DSA-1390-1 t1lib 2007-10-18
Gentoo 200710-12 t1lib 2007-10-12
Fedora FEDORA-2007-2343 t1lib 2007-09-28
Mandriva MDKSA-2007:189 t1lib 2007-09-27
Ubuntu USN-515-1 t1lib 2007-09-19

Comments (none posted)

tomcat: multiple vulnerabilities

Package(s):tomcat CVE #(s):CVE-2007-3382 CVE-2007-3385 CVE-2007-3386
Created:September 26, 2007 Updated:September 13, 2010
Description: Tomcat was found treating single quote characters -- ' -- as delimiters in cookies. This could allow remote attackers to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3382).

It was reported Tomcat did not properly handle the following character sequence in a cookie: \" (a backslash followed by a double-quote). It was possible remote attackers could use this failure to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3385).

A cross-site scripting (XSS) vulnerability existed in the Host Manager Servlet. This allowed remote attackers to inject arbitrary HTML and web script via crafted requests (CVE-2007-3386).

Alerts:
Mandriva MDVSA-2010:176 tomcat5 2010-09-12
SuSE SUSE-SR:2009:004 apache, audacity, dovecot, libtiff-devel, libvirt, mediawiki, netatalk, novell-ipsec-tools,opensc, perl, phpPgAdmin, sbl, sblim-sfcb, squirrelmail, swfdec, tomcat5, virtualbox, websphere-as_ce, wine, xine-devel 2009-02-17
Fedora FEDORA-2008-8130 tomcat5 2008-09-16
Red Hat RHSA-2008:0195-01 tomcat 2008-04-28
SuSE SUSE-SR:2008:005 acroread, asterisk, cacti, compat-openssl097g, icu, libcdio, wireshark/ethereal, Jakarta, perl-tk 2008-03-06
Fedora FEDORA-2008-1603 tomcat5 2008-02-13
Fedora FEDORA-2008-1467 tomcat5 2008-02-13
Debian DSA-1447-1 tomcat5.5 2008-01-03
Mandriva MDKSA-2007:241 tomcat5 2007-12-10
Fedora FEDORA-2007-3456 tomcat5 2007-11-17
Fedora FEDORA-2007-3474 tomcat5 2007-11-17
Red Hat RHSA-2007:0950-01 jboss 2007-11-05
Red Hat RHSA-2007:0876-01 tomcat 2007-10-11
Red Hat RHSA-2007:0871-01 tomcat 2007-09-26

Comments (none posted)
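An added example, not Tomcat code, for the two cookie-parsing entries above: a Cookie header parser that follows the RFC 2109 quoted-string rules, treating a backslash as an escape inside double quotes and giving single quotes no special meaning, beside a model of the flawed delimiting the entries describe, which treats a single quote as a separator and ends a quoted value at the first double quote even when it is escaped. Running both over the same constructed Cookie header shows how the flawed parser mis-draws the boundaries between cookies, the misparse the advisory says could expose session IDs. The cookie names and values are constructed.

```python
"""Cookie-header parsing, RFC 2109 style, beside a model of the flawed
delimiting described for CVE-2007-3382 and CVE-2007-3385.
Added example; neither function is Tomcat's own code."""


def parse_cookie_header(header):
    """Return [(name, value), ...] from a Cookie request header.

    Pairs are separated by ';' (or ','); a value is either a bare token
    running to the next separator, or a double-quoted string in which a
    backslash escapes the following character (so \\" is a literal quote).
    A single quote is an ordinary character.
    """
    pairs = []
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " \t;,":      # skip separators
            i += 1
        if i >= n:
            break
        start = i
        while i < n and header[i] not in "=;,":     # cookie name
            i += 1
        name = header[start:i].strip()
        value = ""
        if i < n and header[i] == "=":
            i += 1
            while i < n and header[i] in " \t":
                i += 1
            if i < n and header[i] == '"':          # quoted-string
                i += 1
                buf = []
                while i < n and header[i] != '"':
                    if header[i] == "\\" and i + 1 < n:
                        i += 1                      # take the escaped char
                    buf.append(header[i])
                    i += 1
                i += 1                              # closing quote
                value = "".join(buf)
            else:                                   # bare token
                start = i
                while i < n and header[i] not in ";,":
                    i += 1
                value = header[start:i].strip()
        if name:
            pairs.append((name, value))
    return pairs


def flawed_parse_cookie_header(header):
    """Model of the flawed delimiting: a single quote also ends a token, and a
    quoted value stops at the first double quote, escaped or not."""
    pairs = []
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " \t;,'":
            i += 1
        if i >= n:
            break
        start = i
        while i < n and header[i] not in "=;,'":
            i += 1
        name = header[start:i].strip()
        value = ""
        if i < n and header[i] == "=":
            i += 1
            while i < n and header[i] in " \t":
                i += 1
            if i < n and header[i] == '"':
                i += 1
                start = i
                while i < n and header[i] != '"':    # backslash ignored
                    i += 1
                value = header[start:i]
                i += 1
            else:
                start = i
                while i < n and header[i] not in ";,'":
                    i += 1
                value = header[start:i].strip()
        if name:
            pairs.append((name, value))
    return pairs


# Constructed headers: an attacker-influenced "pref" cookie next to the
# session cookie.
ESCAPED_QUOTE_HEADER = 'pref="dark\\"mode"; JSESSIONID=SECRET123'
SINGLE_QUOTE_HEADER = "pref=a'b; JSESSIONID=SECRET123"

if __name__ == "__main__":
    for hdr in (ESCAPED_QUOTE_HEADER, SINGLE_QUOTE_HEADER):
        print("header: ", hdr)
        print("correct:", parse_cookie_header(hdr))
        print("flawed: ", flawed_parse_cookie_header(hdr))
```

With the escaped-quote header the flawed parser cuts the `pref` value at the escaped quote and then invents a cookie named `mode"`; with the single-quote header it splits `pref` into two cookies. In both cases the set of cookie names and where each value starts and ends is decided by whoever controls the attacker-influenced value rather than by the header's real delimiters.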

Page editor: Jake Edge


Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds