Security
ITU getting serious about botnets
Botnets are an increasing problem in today's internet. They can do much harm in the way of spam propagation and distributed denial of service attacks, but they also tend to evolve much more quickly than preventative measures. The International Telecommunication Union, an organization that predates the internet by more than 100 years, wants to do something about that. To that end, they are creating a Botnet Mitigation Toolkit.
The ITU is now an agency of the United Nations, which puts it in the right place to assist with botnet mitigation. Much like the internet, botnets do not respect political boundaries; it is often the case that a botnet is attacking a target in one country, from hosts in multiple countries, using a command and control (C&C) infrastructure in yet another country. It will take an international response to thwart an attack of that sort.
The toolkit is primarily focused on developing countries; it is meant to provide guidelines and best-practice information to entities that need it. There are three types of information in the toolkit: legal, technical, and social. Each has a role to play in successfully handling botnets and their effects.
From a legal standpoint, many developing countries do not have laws governing "cybercrime" that could be used to shut down or redirect botnet traffic. The toolkit will contain recommendations for how such legislation might be structured, what kind of jurisdiction requirements make sense, and the kinds of evidence that are likely to be available. One of the more serious difficulties is reconciling the needs of botnet fighters with the privacy of internet users; a country's privacy laws may limit what information can be gathered. A paper describing the toolkit (PDF), which is still in draft form, has some information about the intersection of privacy rights and internet security, but this is clearly an area that will need to be handled carefully.
Another policy area that will be covered by the toolkit is establishing a framework for handling incidents that occur. How to set up monitoring, how to put together a collaboration between the government and internet service providers, and how to deter internet criminals from setting up shop in the country are all facets of a national "cybersecurity" policy. If a country is starting from a point where none of this kind of organization exists, which is true for much of the developing world, the toolkit will give the government the right questions to ask and the areas that need a decision. It will also make recommendations, which a government is of course free to follow or ignore.
From a technical standpoint, internet service providers may need information on best practices for securing their networks from external threats. They also may need information on handling malicious traffic originating in their own networks. The toolkit intends to provide information on both. The paper contains a great deal of good information for those that are interested; even for ISPs in developed countries, there is much that could be learned.
The social aspect of dealing with botnets is perhaps the most difficult part, but, if successful, may provide the best defense. Like the technical measures, this is by no means a problem only in developing countries. Users everywhere need to learn good habits when using the internet. Free software is specifically called out as part of the solution in the social section of the paper, not because it is more resistant to malware (which is unclear), but because it can always be upgraded to fix security flaws. Many users in developing countries use unlicensed software from proprietary vendors that is difficult or impossible to upgrade.
The ITU toolkit is a worthy project, which will hopefully be well received by countries around the world. Due care needs to be taken so that it is not seen as something being imposed by the developed world. Even if botnets are not currently causing any major pain for a country, they certainly will some day. Getting out ahead of that curve would be of great benefit; hopefully most countries will see it that way.
A pilot project is planned for Malaysia, in cooperation with the government there, in 2008; it will allow the ITU to fine-tune its message and the toolkit. After that, the ITU can start rolling it out in other interested countries. It may be a few years off, but bot herders may start feeling the heat.
Brief items
Insecurity Blues: Jeremy Allison reflects on Samba security flaws
Jeremy Allison, of the Samba project, reflects on the recent security flaws in Samba, how responses (and response times) have changed over time, and how they try to avoid new security problems. "What we do now on seeing a security bug is immediately audit the entire code-base to discover if there are any similar problems, or even similar coding practices that might cause future problems, and re-write or remove all such code. It takes longer, but is much safer in the long run. If you examine parts of the Samba code you'll find common functions that are known to be insecure simply won't compile if added to our code. A set of automated macros warns of any use of known bad functions." (thanks to Richard Hillesley)
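The compile-time ban on known-bad functions that Allison describes can be reproduced in a few lines of C. The following is an added illustration written for this page, not Samba's own macros or code: it pairs a bounded replacement for strcpy() with a ban list that turns any later call to strcpy(), strcat(), sprintf() or gets() into a compile error whose message names the offending function. The helper names, the scratch-buffer size and the sample input are all assumptions made for the example.

```c
/*
 * Added example: compile-time banning of unsafe string functions, in the
 * spirit of the practice quoted above.  Not Samba's code; the names below
 * (safe_strcpy, copy_result, stored_length) are invented for this page.
 *
 * The headers that declare the banned functions must be included BEFORE
 * the ban macros are defined; otherwise the macros would mangle the
 * prototypes in the headers themselves.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Bounded replacement for strcpy(): never writes past dst[dstsize - 1] and
 * always NUL-terminates when dstsize > 0.
 * Returns 0 on success, -1 if src was truncated, -2 if dstsize is 0.
 */
int safe_strcpy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen;

    if (dstsize == 0)
        return -2;

    srclen = strlen(src);
    if (srclen < dstsize) {
        memcpy(dst, src, srclen + 1);   /* fits, including the NUL */
        return 0;
    }
    memcpy(dst, src, dstsize - 1);      /* copy what fits ... */
    dst[dstsize - 1] = '\0';            /* ... and terminate */
    return -1;
}

/*
 * The ban list.  Each macro expands to an undeclared identifier whose name
 * says what went wrong, so a later line such as
 *     strcpy(buf, input);
 * fails at compile time with an "undeclared identifier" error mentioning
 * __ERROR_strcpy_is_banned_use_safe_strcpy, instead of becoming a buffer
 * overflow at run time.
 */
#define strcpy   __ERROR_strcpy_is_banned_use_safe_strcpy
#define strcat   __ERROR_strcat_is_banned_use_a_bounded_copy
#define sprintf  __ERROR_sprintf_is_banned_use_snprintf
#define gets     __ERROR_gets_is_banned_use_fgets

/*
 * Copy src into a scratch buffer of dstsize bytes (at most 64) and report
 * the safe_strcpy() result: 0 if it fit, -1 if truncated, -2 if dstsize
 * is 0, -3 if dstsize exceeds the scratch buffer.
 */
int copy_result(const char *src, size_t dstsize)
{
    char buf[64];

    if (dstsize > sizeof buf)
        return -3;
    return safe_strcpy(buf, dstsize, src);
}

/*
 * Same copy, but return the length actually stored: on truncation the
 * terminator stays inside the buffer, so the result is dstsize - 1.
 */
size_t stored_length(const char *src, size_t dstsize)
{
    char buf[64];

    if (dstsize == 0 || dstsize > sizeof buf)
        return 0;
    safe_strcpy(buf, dstsize, src);
    return strlen(buf);
}

int main(void)
{
    char name[8];
    /* constructed sample input, deliberately longer than the buffer */
    const char *input = "this input is longer than eight bytes";
    int rc = safe_strcpy(name, sizeof name, input);

    printf("rc=%d stored=\"%s\"\n", rc, name);   /* rc=-1 stored="this in" */
    /* strcpy(name, input);  <- would not compile: strcpy is banned above */
    return 0;
}
```

The macros are object-like rather than function-like so that taking the address of a banned function is caught as well as calling it. Because the expansion is an ordinary undeclared identifier, the check costs nothing at run time and works with any C compiler, which is the property that makes it practical to apply across an entire code base after an audit.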
EFF's IP interference detection toolkit
The Electronic Frontier Foundation has announced the release of a set of reports on ISP manipulation of IP traffic and some comprehensive documentation on how to detect that manipulation for yourself. The document on detecting packet injection appears to mostly be a set of detailed instructions on using Wireshark to compare TCP streams at both ends.
New vulnerabilities
cacti: SQL injection vulnerability
Package(s): cacti    CVE #(s): CVE-2007-6035
Created: November 22, 2007    Updated: February 18, 2008
Description: Versions of Cacti prior to 0.8.7a have an SQL injection vulnerability. Remote attackers can execute arbitrary SQL commands via unspecified vectors.
CSTeX: multiple vulnerabilities
Package(s): CSTeX    CVE #(s): (none)
Created: November 26, 2007    Updated: November 28, 2007
Description: From the Gentoo advisory: Remote attackers could possibly execute arbitrary code and local attackers could possibly overwrite arbitrary files with the privileges of the user running CSTeX via multiple vectors.
feynmf: symlink vulnerability
Package(s): feynmf    CVE #(s): CVE-2007-5940
Created: November 28, 2007    Updated: November 28, 2007
Description: The feynmf drawing package suffers from a symbolic link vulnerability.
firefox: multiple vulnerabilities
Package(s): firefox seamonkey    CVE #(s): CVE-2007-5947 CVE-2007-5959 CVE-2007-5960
Created: November 27, 2007    Updated: March 3, 2008
Description: A cross-site scripting flaw was found in the way Firefox handled the jar: URI scheme. It was possible for a malicious website to leverage this flaw and conduct a cross-site scripting attack against a user running Firefox. (CVE-2007-5947)
Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2007-5959)
A race condition existed when Firefox set the "window.location" property for a webpage. This flaw could allow a webpage to set an arbitrary Referer header, which may lead to a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header for protection. (CVE-2007-5960)
kernel: denial of service
Package(s): kernel    CVE #(s): CVE-2007-5500
Created: November 28, 2007    Updated: July 8, 2008
Description: The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors.
kernel: denial of service
Package(s): kernel    CVE #(s): CVE-2007-5501
Created: November 28, 2007    Updated: March 7, 2008
Description: The tcp_sacktag_write_queue function in net/ipv4/tcp_input.c in Linux kernel 2.6.21 through 2.6.23.7, and 2.6.24-rc through 2.6.24-rc2, allows remote attackers to cause a denial of service (crash) via crafted ACK responses that trigger a NULL pointer dereference.
lcms: stack-based buffer overflow
Package(s): lcms    CVE #(s): CVE-2007-2741
Created: November 23, 2007    Updated: October 14, 2008
Description: Stack-based buffer overflow in Little CMS (lcms) before 1.15 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted ICC profile in a JPG file.
mysql-dfsg: multiple vulnerabilities
Package(s): mysql-dfsg    CVE #(s): CVE-2007-2583 CVE-2007-2691 CVE-2007-2692 CVE-2007-3782
Created: November 27, 2007    Updated: July 30, 2008
Description: The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference. (CVE-2007-2583)
MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables. (CVE-2007-2691)
The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x before 5.1.18 does not restore THD::db_access privileges when returning from SQL SECURITY INVOKER stored routines, which allows remote authenticated users to gain privileges. (CVE-2007-2692)
MySQL Community Server before 5.0.45 allows remote authenticated users to gain update privileges for a table in another database via a view that refers to this external table. (CVE-2007-3782)
nss_ldap: credential or other information disclosure
Package(s): nss_ldap    CVE #(s): CVE-2007-5794
Created: November 26, 2007    Updated: July 30, 2008
Description: From the Gentoo advisory: Josh Burley reported that nss_ldap does not properly handle LDAP connections due to a race condition that can be triggered by multi-threaded applications using nss_ldap, which might lead to requested data being returned to the wrong process.
openldap: denial of service
Package(s): openldap    CVE #(s): CVE-2007-5708
Created: November 23, 2007    Updated: April 9, 2008
Description: slapo-pcache (overlays/pcache.c) in slapd in OpenLDAP before 2.3.39, when running as a proxy-caching server, allocates memory using a malloc variant instead of calloc, which prevents an array from being initialized properly and might allow attackers to cause a denial of service (segmentation fault) via unknown vectors that prevent the array from being null terminated.
pcre: buffer overflows in library
Package(s): pcre    CVE #(s): CVE-2006-7228 CVE-2006-7230 CVE-2007-1661 CVE-2007-4766 CVE-2007-4767
Created: November 23, 2007    Updated: July 16, 2008
Description: Specially crafted regular expressions could lead to buffer overflows in the pcre library. Applications using pcre to process regular expressions from untrusted sources could therefore potentially be exploited by attackers to execute arbitrary code as the user running the application.
pcre: buffer overflows
Package(s): pcre3    CVE #(s): CVE-2007-1662 CVE-2007-4768
Created: November 27, 2007    Updated: May 7, 2008
Description: Perl-Compatible Regular Expression (PCRE) library before 7.3 reads past the end of the string when searching for unmatched brackets and parentheses, which allows context-dependent attackers to cause a denial of service (crash), possibly involving forward references. (CVE-2007-1662)
Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to execute arbitrary code via a singleton Unicode sequence in a character class in a regex pattern, which is incorrectly optimized. (CVE-2007-4768)
phpMyAdmin: SQL injection
Package(s): phpMyAdmin    CVE #(s): CVE-2007-5976 CVE-2007-5977
Created: November 22, 2007    Updated: March 19, 2009
Description: phpMyAdmin prior to version 2.11.2.1 has an SQL injection vulnerability in db_create.php. Remote authenticated users with CREATE DATABASE privileges can use this to execute arbitrary SQL commands via the db parameter. (CVE-2007-5976)
db_create.php also has a related cross-site scripting vulnerability. Remote authenticated users can inject arbitrary web scripts or HTML using a hex-encoded IMG element in the db parameter in a POST request. (CVE-2007-5977)
Tk: buffer overflow
Package(s): tk8.3    CVE #(s): CVE-2007-5378
Created: November 28, 2007    Updated: March 17, 2009
Description: The Tk toolkit's GIF-reading code contains a buffer overflow which could be exploited via a malicious image file. Fixes may be found in versions 8.4.12 and 8.3.5.
wireshark: multiple vulnerabilities
Package(s): wireshark    CVE #(s): CVE-2007-6114 CVE-2007-6117 CVE-2007-6118 CVE-2007-6120 CVE-2007-6121
Created: November 27, 2007    Updated: December 24, 2007
Description: Several remote vulnerabilities have been discovered in the Wireshark network traffic analyzer, which may lead to denial of service or the execution of arbitrary code.
zaptel: possible privilege escalation
Package(s): zaptel    CVE #(s): CVE-2007-5690
Created: November 28, 2007    Updated: November 28, 2007
Description: Asterisk Zaptel 1.4.5.1 contains a buffer overflow which might be exploitable by local users, though the actual exploitability of this problem is disputed.
Page editor: Jake Edge