
Security

The future of unencrypted web traffic

By Jake Edge
January 2, 2008

Hypertext transfer protocol (http) is the heart of the web, providing the means to retrieve content from remote servers. It is an unencrypted, text-based protocol which allows malicious intermediaries to snoop on and potentially modify the traffic. Unfortunately, internet service providers (ISPs) are getting increasingly bold in manipulating the traffic that they carry. This has led some to call for the elimination of http, in favor of encrypted http (aka secure http or https).

An ISP is perfectly situated to gather an enormous amount of information about its users, their website preferences and habits (often called clickstream data). Some have reportedly been selling some of that data in a thinly-anonymized form to advertisers and others. As AOL's well-intentioned, but poorly implemented, release of search queries showed, it is rather easy to analyze this kind of data and pierce the anonymity, deriving the specific user.

Another recent ISP trick is to modify a retrieved web page to display other information – under the control of the ISP – which looks like it comes from the website itself. Canadian ISP Rogers Internet has been testing a system to add content to the Google homepage for their customers who are near their monthly bandwidth limits. There are also plans afoot for ISPs to use clickstream data to target advertising – though just where those ads would show up is far from clear.

This kind of manipulation is unlikely to be what internet users expect – to the extent they think about it at all. The model folks tend to use is that of a phone company; we do not expect them to sell our call records to the highest bidder, nor do we give them license to modify our calls. Various telecommunications privacy laws protect that data, but those laws have not (yet) been applied to internet traffic. In addition, ISPs tend to have a monopoly or near-monopoly, which restricts alternative, less-intrusive ISPs from competing.

Fortunately, there are technical solutions possible in the internet realm that would be difficult or impossible to implement network-wide in the phone system. Encrypting website traffic will go a long way towards eliminating this kind of ISP abuse, though it is no panacea. As more of these kinds of privacy invasions occur, we should see more routine use of https by websites.

Currently, https is almost exclusively used for e-commerce transactions; typing in credit card numbers and the like. Authentication via username and password is another area that sees widespread encrypted pages. Sites may start to use https for their entire site to combat clickstream and page rewriting abuse – though there will still be some information leakage as the ISPs can still see what sites are being visited.

In order to make an https connection, the server must have a certificate with its public key. Typically those are signed by an authority recognized by browsers which allows the browser to authenticate that the certificate belongs to the host visited. Getting signed certificates is a bit cumbersome, costs some money, and they need to be renewed periodically – all of which adds up to a headache for a site, especially a small, non-commercial site, that wants to switch to using https. Self-signed certificates are an alternative, but because they are susceptible to man-in-the-middle attacks, browsers warn their users when they receive one.
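To show concretely what the browser-side check described above does, here is an added Go example; it is not from the article, which contains no code. It starts a loopback HTTPS server with a constructed self-signed certificate for the made-up name www.example.test and connects to it three times: with an empty root store (the self-signed case that makes browsers warn), after the certificate has been explicitly marked trusted, and with the certificate trusted but a different host name requested. The host names, the response text and the outcome labels are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newSelfSignedCert builds an in-memory self-signed certificate for a made-up
// site (constructed for this example; a public site would instead have a CA
// the browser already trusts sign its key).
func newSelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// Template and parent are the same certificate, so it signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// fetch performs one GET with the given client trust settings and reports the outcome
// the way a browser would: "untrusted-issuer", "hostname-mismatch", "ok:<body>" or "error:<text>".
func fetch(url string, cfg *tls.Config) string {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	switch {
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "untrusted-issuer"
	case errors.As(err, new(x509.HostnameError)):
		return "hostname-mismatch"
	case err != nil:
		return "error:" + err.Error()
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "error:" + err.Error()
	}
	return "ok:" + string(body)
}

// runScenarios starts a loopback HTTPS server using the self-signed certificate
// and queries it under three client trust configurations.
func runScenarios() (map[string]string, error) {
	cert, err := newSelfSignedCert()
	if err != nil {
		return nil, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "hello over https")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	defer srv.Close()
	// Root store without the issuer: what a browser sees for a self-signed cert (hence the warning).
	noTrust := &tls.Config{RootCAs: x509.NewCertPool()}
	trusted := x509.NewCertPool()
	trusted.AddCert(cert.Leaf)
	withTrust := &tls.Config{RootCAs: trusted}
	// Trusted issuer, but the name being visited is not one the cert covers.
	wrongName := &tls.Config{RootCAs: trusted, ServerName: "other.example.test"}
	return map[string]string{
		"self-signed, not trusted": fetch(srv.URL, noTrust),
		"self-signed, trusted":     fetch(srv.URL, withTrust),
		"trusted, wrong hostname":  fetch(srv.URL, wrongName),
	}, nil
}

func main() {
	results, err := runScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println(results)
}
```

The first scenario is the one the paragraph describes: the certificate is cryptographically fine, but nothing ties it to a trusted issuer, so the client cannot tell it from one an intermediary minted on the spot. Only after the certificate is added to the root store does the same connection succeed, and even then the name check still has to pass.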

Another problem with this approach is the extra processing required on the server to support encrypting each and every request. There is a non-trivial amount of extra work that must be done per request and cannot be cached. Sites that wish to avoid the problems that some ISPs are introducing will just have to bear that cost.

Pushing bits is not very glamorous, but that is really what one hires an ISP to do. Since they seem to be finding new and exciting ways to interfere with those bits – Comcast messing with BitTorrent traffic for example – internet users will have to find ways to thwart their schemes, and encryption will be a big part of that effort. Using https site-wide is only one step; other services will also need to be protected from ISP abuse. What if an ISP started manipulating the results returned from DNS queries, perhaps routing some to a server they control?

Comments (32 posted)

LWN adds a Security index

LWN has added a new index to complement the existing Kernel index. The Security index covers security articles we have published since the start of 2007. Hopefully this will be a useful resource for our readers and, as always, we value your comments. Please send them to lwn-AT-lwn.net.

Comments (none posted)

New vulnerabilities

autofs: privilege escalation

Package(s): autofs
CVE #(s): CVE-2007-6285
Created: December 21, 2007
Updated: January 14, 2008
Description: The default configuration for autofs 5 (autofs5) on Red Hat Enterprise Linux (RHEL) 4 and 5 does not specify the nodev mount option for the -hosts map, which allows local users to access "important devices" by operating a remote NFS server and creating special device files on that server.
Alerts:
Mandriva MDVSA-2008:009-1 autofs 2007-01-12
Mandriva MDVSA-2008:009 autofs 2007-01-11
Fedora FEDORA-2007-4707 autofs 2007-12-21
Fedora FEDORA-2007-4709 autofs 2007-12-21
Red Hat RHSA-2007:1177-01 autofs5 2007-12-20
Red Hat RHSA-2007:1176-01 autofs 2007-12-20

Comments (1 posted)

bind: insecure permissions

Package(s): bind
CVE #(s): CVE-2007-6283
Created: December 21, 2007
Updated: July 10, 2008
Description: Red Hat Enterprise Linux 5 and Fedora install the Bind /etc/rndc.key file with world-readable permissions, which allows local users to perform unauthorized named commands, such as causing a denial of service by stopping named.
Alerts:
Fedora FEDORA-2008-6281 bind 2008-07-09
Red Hat RHSA-2008:0300-02 bind 2008-05-21
Fedora FEDORA-2008-0903 bind 2008-01-22
Fedora FEDORA-2007-4655 bind 2007-12-20
Fedora FEDORA-2007-4658 bind 2007-12-20

Comments (1 posted)

clamav: mystery vulnerability

Package(s): clamav
CVE #(s): CVE-2007-6337
Created: December 31, 2007
Updated: January 22, 2008
Description: Clamav contains "an unspecified vulnerability" associated with the bzip2 decompression code.
Alerts:
Fedora FEDORA-2008-0115 clamav 2008-01-22
Fedora FEDORA-2008-0170 clamav 2008-01-22
SuSE SUSE-SR:2008:001 libexiv2 dvips libsndfile squid rsync clamav xen 2008-01-09
Mandriva MDVSA-2008:003 clamav 2007-01-08
Gentoo 200712-20 clamav 2007-12-29

Comments (1 posted)

exiftags: multiple vulnerabilities

Package(s): exiftags
CVE #(s): CVE-2007-6354 CVE-2007-6355 CVE-2007-6356
Created: December 31, 2007
Updated: April 1, 2008
Description: From the Gentoo advisory: Meder Kydyraliev (Google Security) discovered that Exif metadata is not properly sanitized before being processed, resulting in illegal memory access in the postprop() and other functions (CVE-2007-6354). He also discovered integer overflow vulnerabilities in the parsetag() and other functions (CVE-2007-6355) and an infinite recursion in the readifds() function caused by recursive IFD references (CVE-2007-6356).
Alerts:
Debian DSA-1533-2 exiftags 2008-04-01
Debian DSA-1533-1 exiftags 2008-03-27
Gentoo 200712-17 exiftags 2007-12-29

Comments (none posted)

exiv2: integer overflow

Package(s): exiv2
CVE #(s): CVE-2007-6353
Created: December 21, 2007
Updated: October 15, 2008
Description: Integer overflow in exif.cpp in the exiv2 library allows context-dependent attackers to execute arbitrary code via a crafted EXIF file that triggers a heap-based buffer overflow.
Alerts:
Ubuntu USN-655-1 exiv2 2008-10-15
Mandriva MDVSA-2008:119 exiv2 2007-06-19
Debian DSA-1474-1 exiv2 2008-01-23
Mandriva MDVSA-2008:006 exiv2 2007-01-10
SuSE SUSE-SR:2008:001 libexiv2 dvips libsndfile squid rsync clamav xen 2008-01-09
Gentoo 200712-16 exiv2 2007-12-29
Fedora FEDORA-2007-4591 exiv2 2007-12-20
Fedora FEDORA-2007-4551 exiv2 2007-12-20

Comments (none posted)

gallery2: multiple vulnerabilities

Package(s): gallery2
CVE #(s): CVE-2007-6685 CVE-2007-6686 CVE-2007-6687 CVE-2007-6688 CVE-2007-6689 CVE-2007-6690 CVE-2007-6691 CVE-2007-6692 CVE-2007-6693
Created: December 27, 2007
Updated: February 12, 2008
Description: Versions of the Gallery photo management application before 2.2.4 have the following vulnerabilities: (1) an unauthorized album creation and file upload, (2) a local file inclusion vulnerability, (3) several cross site scripting vulnerabilities, (4) a web-accessibility protection problem, (5) problems with checks for disallowed file extensions with file uploads, (6) missing permissions checks on GR commands, (7) several information disclosures, (8) an arbitrary URL redirection problem and (9) a proxied request weakness.
Alerts:
Gentoo 200802-04 gallery 2008-02-11
Fedora FEDORA-2007-4778 gallery2 2007-12-26
Fedora FEDORA-2007-4777 gallery2 2007-12-26

Comments (none posted)

Ganglia: cross-site scripting

Package(s): ganglia
CVE #(s): (none)
Created: December 21, 2007
Updated: January 2, 2008
Description: Ganglia is a scalable, real-time monitoring and execution environment with all execution requests and statistics expressed in an open well-defined XML format. The Ganglia web frontend is vulnerable to cross-site scripting.
Alerts:
Fedora FEDORA-2007-4584 ganglia 2007-12-20
Fedora FEDORA-2007-4562 ganglia 2007-12-20

Comments (none posted)

imlib: denial of service

Package(s): imlib
CVE #(s): CVE-2007-3568
Created: December 28, 2007
Updated: January 2, 2008
Description: The _LoadBMP function in imlib 1.9.15 and earlier allows context-dependent attackers to cause a denial of service (infinite loop) via a BMP image with a Bits Per Page (BPP) value of 0.
Alerts:
Fedora FEDORA-2007-4561 imlib 2007-12-28
Fedora FEDORA-2007-4594 imlib 2007-12-28

Comments (none posted)

kernel: information leak, denial of service

Package(s): linux-2.6
CVE #(s): CVE-2007-6206 CVE-2007-6417
Created: December 21, 2007
Updated: September 1, 2010
Description: Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. (CVE-2007-6206)

Hugh Dickins discovered an issue in the tmpfs filesystem where, under a rare circumstance, a kernel page may be improperly cleared, leaking sensitive kernel memory to userspace or resulting in a DoS (crash). (CVE-2007-6417)

Alerts:
SUSE SUSE-SA:2010:036 kernel 2010-09-01
Red Hat RHSA-2008:0787-01 kernel 2009-01-05
Red Hat RHSA-2009:0001-01 kernel 2009-01-08
CentOS CESA-2008:0885 kernel 2008-09-25
Red Hat RHSA-2008:0885-01 kernel 2008-09-24
SuSE SUSE-SA:2008:032 kernel 2008-07-07
SuSE SUSE-SA:2008:030 kernel 2008-06-20
Mandriva MDVSA-2008:112 kernel 2007-06-12
CentOS CESA-2008:0211 kernel 2008-05-07
Red Hat RHSA-2008:0211-01 kernel 2008-05-07
Mandriva MDVSA-2008:086 kernel 2008-04-15
Debian DSA-1503-2 kernel-source-2.4.27 2008-03-06
Debian DSA-1504 kernel-source-2.6.8 2008-02-22
Debian DSA-1503 kernel-source-2.4.27 2008-02-22
Ubuntu USN-578-1 linux-source-2.6.15 2008-02-14
SuSE SUSE-SA:2008:007 kernel 2008-02-12
Mandriva MDVSA-2008:044 kernel 2008-02-12
rPath rPSA-2008-0048-1 kernel 2008-02-08
SuSE SUSE-SA:2008:006 kernel 2008-02-07
Ubuntu USN-574-1 linux-source-2.6.17/20/22 2008-02-04
Red Hat RHSA-2008:0055-01 kernel 2008-01-31
Red Hat RHSA-2008:0089-01 kernel 2008-01-23
Debian DSA-1436-1 linux-2.6 2007-12-20

Comments (none posted)

mt-daapd: multiple vulnerabilities

Package(s): mt-daapd
CVE #(s): CVE-2007-5825 CVE-2007-5824
Created: December 31, 2007
Updated: September 1, 2008
Description: From the Gentoo advisory: nnp discovered multiple vulnerabilities in the XML-RPC handler in the file webserver.c. The ws_addarg() function contains a format string vulnerability, as it does not properly sanitize username and password data from the "Authorization: Basic" HTTP header line (CVE-2007-5825). The ws_decodepassword() and ws_getheaders() functions do not correctly handle empty Authorization header lines, or header lines without a ':' character, leading to NULL pointer dereferences (CVE-2007-5824).
Alerts:
Debian DSA-1597-2 mt-daapd 2008-08-30
Debian DSA-1597-1 mt-daapd 2008-06-12
Gentoo 200712-18 mt-daapd 2007-12-29

Comments (none posted)

mysql: denial of service

Package(s): mysql-dfsg-5.0
CVE #(s): CVE-2007-6304
Created: December 21, 2007
Updated: April 7, 2008
Description: Philip Stoev discovered that the federated engine of MySQL did not properly handle responses with a small number of columns. An authenticated user could use a crafted response to a SHOW TABLE STATUS query and cause a denial of service.
Alerts:
Gentoo 200804-04 mysql 2008-04-06
SuSE SUSE-SR:2008:003 java, nss_ldap, cairo, geronimo, moodle, SDL_image, python, mysql, nx, xemacs 2008-02-07
Mandriva MDVSA-2008:028 mysql 2007-01-29
Mandriva MDVSA-2008:017 mysql 2008-01-19
Debian DSA-1451-1 mysql-dfsg-5.0 2008-01-06
Ubuntu USN-559-1 mysql-dfsg-5.0 2007-12-21

Comments (none posted)

peercast: buffer overflow

Package(s): peercast
CVE #(s): CVE-2007-6454
Created: December 28, 2007
Updated: May 21, 2008
Description: A heap-based buffer overflow in the handshakeHTTP function in servhs.cpp in PeerCast 0.1217 and earlier, and SVN 344 and earlier, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long SOURCE request.
Alerts:
Debian DSA-1583-1 gnome-peercast 2008-05-20
Gentoo 200801-22:02 peercast 2008-01-30
Debian DSA-1441-1 peercast 2007-12-28

Comments (none posted)

syslog-ng: denial of service

Package(s): syslog-ng
CVE #(s): CVE-2007-6437
Created: December 31, 2007
Updated: January 21, 2008
Description: The syslog-ng daemon does not properly handle messages containing an unterminated time stamp, resulting in the dereferencing of a NULL pointer and subsequent crash.
Alerts:
Fedora FEDORA-2008-0523 syslog-ng 2008-01-16
Fedora FEDORA-2008-0559 syslog-ng 2008-01-16
Debian DSA-1464-1 syslog-ng 2008-01-15
Gentoo 200712-19 syslog-ng 2007-12-29

Comments (1 posted)

typo3-src: SQL injection

Package(s): typo3-src
CVE #(s): CVE-2007-6381
Created: December 28, 2007
Updated: January 2, 2008
Description: SQL injection vulnerability in the indexed_search system extension in TYPO3 3.x, 4.0 through 4.0.7, and 4.1 through 4.1.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
Alerts:
Debian DSA-1439-1 typo3-src 2007-12-28

Comments (none posted)

wireshark: multiple vulnerabilities

Package(s): wireshark
CVE #(s): CVE-2007-6111 CVE-2007-6112 CVE-2007-6113 CVE-2007-6115 CVE-2007-6116 CVE-2007-6119
Created: December 21, 2007
Updated: January 2, 2008
Description: Multiple unspecified vulnerabilities in Wireshark (formerly Ethereal) allow remote attackers to cause a denial of service (crash) via (1) a crafted MP3 file or (2) unspecified vectors to the NCP dissector. (CVE-2007-6111)

Buffer overflow in the PPP dissector in Wireshark 0.99.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors. (CVE-2007-6112)

Wireshark 0.10.12 to 0.99.6 allows remote attackers to cause a denial of service (long loop) via a malformed DNP packet. (CVE-2007-6113)

Buffer overflow in the ANSI MAP dissector for Wireshark 0.99.5 to 0.99.6, when running on unspecified platforms, allows remote attackers to cause a denial of service and possibly execute arbitrary code via unknown vectors. (CVE-2007-6115)

The Firebird/Interbase dissector in Wireshark 0.99.6 allows remote attackers to cause a denial of service (infinite loop or crash) via unknown vectors. (CVE-2007-6116)

The DCP ETSI dissector in Wireshark 0.99.6 allows remote attackers to cause a denial of service (long loop and resource consumption) via unknown vectors. (CVE-2007-6119)

Alerts:
Fedora FEDORA-2007-4690 wireshark 2007-12-21
Fedora FEDORA-2007-4590 wireshark 2007-12-20

Comments (none posted)

wireshark: lots of dissector vulnerabilities

Package(s): wireshark
CVE #(s): CVE-2007-6111 CVE-2007-6112 CVE-2007-6113 CVE-2007-6114 CVE-2007-6115 CVE-2007-6116 CVE-2007-6117 CVE-2007-6118 CVE-2007-6119 CVE-2007-6120 CVE-2007-6121 CVE-2007-6438 CVE-2007-6439 CVE-2007-6441 CVE-2007-6450 CVE-2007-6451
Created: December 31, 2007
Updated: February 22, 2008
Description: Wireshark has disclosed another long list of dissector vulnerabilities; see this advisory for details.
Alerts:
SuSE SUSE-SR:2008:004 xdg-utils, clamav, wireshark, pcre 2008-02-22
Red Hat RHSA-2008:0058-01 wireshark 2008-01-21
Red Hat RHSA-2008:0059-01 wireshark 2008-01-21
Mandriva MDVSA-2008:001-1 wireshark 2007-01-08
rPath rPSA-2008-0004-1 tshark wireshark 2008-01-03
Debian DSA-1446-1 wireshark 2008-01-03
Mandriva MDVSA-2008:1 wireshark 2007-01-02
Gentoo 200712-23 wireshark 2007-12-30

Comments (1 posted)

Page editor: Jake Edge


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds