Security
Hiding open ports with shimmer
Open TCP or UDP ports on an internet-facing host can be worrisome to an administrator; they almost feel like an invitation to an attacker. If a service with an unknown or unpatched vulnerability is listening behind the port, the host could be compromised. Admins have come up with some reasonable ways to deflect the simplest of these attacks: changing the well-known port or port knocking. The new shimmer project provides a twist, by using cryptographic techniques to choose the port to open.
The basic idea is that one port (within a chosen range) will be open to real traffic for the service that the admin wants to hide – ssh or a private web server, for example. The number of that port can be calculated by both client and server using a secret that they share. A client that connects to the proper port is forwarded to the real service. In addition to the proper port, 15 other ports are opened and connected to a blacklist service; any connection made to those ports results in the source IP address being banned for 15 minutes. The server redoes the calculation each minute, coming up with a new set of 16 ports – one good and 15 bad.
To calculate the port number, the shared secret (key) is combined with the time (to the nearest minute) and the name of the service, then hashed using SHA-256. The hash is used as an AES key to encrypt the numbers 0 through 15. Those values are mapped into the port range and serve as the 16 port numbers for that minute. To handle small clock variations between client and server, the server actually keeps each set of 16 open for three minutes – adding the sets for the minutes before and after the current one.
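The port calculation described above, written out in Go as an added illustration (this is not shimmer's own code). The way the secret, minute and service name are concatenated before hashing, and the mapping of each AES ciphertext block into the port range, are assumptions; the page does not specify them. Secret, service name and port range in `main` are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// PortSet derives the minute key as SHA-256(secret, minute, service), encrypts
// the numbers 0..15 under it and maps each ciphertext into [base, base+size).
// Index 0 is the real port, 1..15 are traps. The field separator and the
// "first 8 ciphertext bytes mod size" mapping are assumptions, not shimmer's.
func PortSet(secret, service string, minute int64, base, size int) [16]int {
	key := sha256.Sum256([]byte(fmt.Sprintf("%s|%d|%s", secret, minute, service)))
	block, _ := aes.NewCipher(key[:]) // 32-byte key selects AES-256; err is nil
	var ports [16]int
	for i := 0; i < 16; i++ {
		var pt, ct [aes.BlockSize]byte
		binary.BigEndian.PutUint64(pt[8:], uint64(i))
		block.Encrypt(ct[:], pt[:])
		ports[i] = base + int(binary.BigEndian.Uint64(ct[:8])%uint64(size))
	}
	return ports
}

// ServerWindow returns what the server keeps open at time t: the real port and
// the 15 traps for the previous, current and next minute (3 real, 45 traps).
func ServerWindow(secret, service string, t time.Time, base, size int) (good, traps []int) {
	m := t.Unix() / 60
	for _, d := range []int64{-1, 0, 1} {
		set := PortSet(secret, service, m+d, base, size)
		good = append(good, set[0])
		traps = append(traps, set[1:]...)
	}
	return good, traps
}

// ClientPort is what the client computes: the real port for its own minute.
func ClientPort(secret, service string, t time.Time, base, size int) int {
	return PortSet(secret, service, t.Unix()/60, base, size)[0]
}

func main() {
	now := time.Now()
	good, traps := ServerWindow("s3cret", "ssh", now, 20000, 10000) // constructed values
	fmt.Println("client:", ClientPort("s3cret", "ssh", now, 20000, 10000), "server:", good, len(traps))
}
```

Note that two of the 16 values can collide in a small port range; the page does not say how shimmer resolves that, so this code does not either.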
While this seems to provide a great deal of security to hide an open port behind, in reality it is more showy than useful. As with simple port knocking, or changing the well-known port number, it is vulnerable to an attacker who can monitor traffic to the server and observe successful connections. Shimmer leaves three ports wide open at any given time, with 45 ports that will cause an IP to get blacklisted. Depending on the size of the port range chosen, the odds of randomly guessing the right port aren't that bad. Someone with a few thousand IP addresses to use probably won't have any difficulty.
Much like the other techniques, shimmer will likely deflect all but the most determined attackers, but is unlikely to provide much of a barrier against those. It sounds attractive and uses cryptographic terms and techniques, which may make it seem more secure than it really is. Using it without understanding this could lead to a false sense of security.
Brief items
PostgreSQL releases critical security patches
The PostgreSQL team has released a set of patches for five critical security vulnerabilities. Two privilege escalation flaws and three denial of service vulnerabilities were fixed. "Today the PostgreSQL Global Development Group is releasing updated versions which patch five security vulnerabilities. These releases update all current PostgreSQL versions, including 8.2, 8.1, 8.0, 7.4 and 7.3. They are considered CRITICAL and PostgreSQL DBAs and sysadmins should install the update as soon as they reasonably can."
New vulnerabilities
Asterisk: denial of service
| Package(s): | asterisk | CVE #(s): | |
| Created: | January 4, 2008 | Updated: | January 9, 2008 |
| Description: | Asterisk has issued a security advisory on a remote crash vulnerability in the SIP channel driver. |
| Alerts: | |
cups: buffer overflow
| Package(s): | cups | CVE #(s): | CVE-2007-5848 |
| Created: | January 7, 2008 | Updated: | February 27, 2008 |
| Description: | From the CVE entry: Buffer overflow in CUPS in Apple Mac OS X 10.4.11 allows local admin users to execute arbitrary code via a crafted URI to the CUPS service. From the rPath advisory: Previous versions of the cups package contain a buffer-overflow weakness. It is not believed that this weakness can be exploited to execute malicious code. |
| Alerts: | |
dovecot: multiple vulnerabilities
| Package(s): | dovecot | CVE #(s): | CVE-2007-6598 |
| Created: | January 3, 2008 | Updated: | October 7, 2008 |
| Description: | Dovecot has multiple vulnerabilities, including an issue involving the confusion between LDAP-authenticated logins across users with the same password and a denial of service involving a connecting user. |
| Alerts: | |
libcdio: buffer overflows
| Package(s): | libcdio | CVE #(s): | |
| Created: | January 3, 2008 | Updated: | January 9, 2008 |
| Description: | The libcdio CD-ROM access library has two buffer overflow vulnerabilities involving long Joliet file names and the cdio buffer. |
| Alerts: | |
mantis: cross-site scripting
| Package(s): | mantis | CVE #(s): | CVE-2007-6611 |
| Created: | January 7, 2008 | Updated: | March 4, 2008 |
| Description: | From the CVE entry: Cross-site scripting (XSS) vulnerability in view.php in Mantis before 1.1.0 allows remote attackers to inject arbitrary web script or HTML via a filename. |
| Alerts: | |
maradns: denial of service
| Package(s): | maradns | CVE #(s): | CVE-2008-0061 |
| Created: | January 4, 2008 | Updated: | January 30, 2008 |
| Description: | MaraDNS 1.0 before 1.0.41, 1.2 before 1.2.12.08, and 1.3 before 1.3.07.04 allows remote attackers to cause a denial of service via a crafted DNS packet that prevents an authoritative name (CNAME) record from resolving, aka "improper rotation of resource records." |
| Alerts: | |
opera: multiple vulnerabilities
| Package(s): | opera | CVE #(s): | CVE-2007-6520 CVE-2007-6521 CVE-2007-6522 CVE-2007-6523 CVE-2007-6524 |
| Created: | January 7, 2008 | Updated: | January 9, 2008 |
| Description: | From the SUSE advisory: CVE-2007-6520: Fixed an issue where plug-ins could be used to allow cross domain scripting, as reported by David Bloom. Details will be disclosed at a later date. CVE-2007-6521: Fixed an issue with TLS certificates that could be used to execute arbitrary code, as reported by Alexander Klink (Cynops GmbH). Details will be disclosed at a later date. CVE-2007-6522: Rich text editing can no longer be used to allow cross domain scripting, as reported by David Bloom. See our advisory. CVE-2007-6523: Fixed a problem where malformed BMP files could cause Opera to temporarily freeze. CVE-2007-6524: Prevented bitmaps from revealing random data from memory, as reported by Gynvael Coldwind. Details will be disclosed at a later date. |
| Alerts: | |
PostgreSQL: multiple vulnerabilities
| Package(s): | postgresql | CVE #(s): | CVE-2007-6600 CVE-2007-4772 CVE-2007-6067 CVE-2007-4769 CVE-2007-6601 |
| Created: | January 9, 2008 | Updated: | January 17, 2013 |
| Description: | Several vulnerabilities have been found in the PostgreSQL database manager. The developers call the fixes "critical," but also note that, as of the time of the update, none of them were known to be exploited; see this advisory for more information. |
| Alerts: | |
python-cherrypy: unauthorized file access via malicious cookie
| Package(s): | python-cherrypy | CVE #(s): | CVE-2008-0252 |
| Created: | January 9, 2008 | Updated: | February 6, 2008 |
| Description: | From the Fedora advisory: Malicious cookies may allow access to files outside the session directory. |
| Alerts: | |
qt4: security restriction bypass
| Package(s): | qt4 | CVE #(s): | CVE-2007-5965 |
| Created: | January 3, 2008 | Updated: | February 21, 2008 |
| Description: | Trolltech Qt has a privilege escalation vulnerability. An error can be triggered in QSslSocket when verifying SSL certificates; attackers can use this to bypass SSL certificate verification and acquire unauthorized access to a vulnerable application. |
| Alerts: | |
tcpreen: denial of service
| Package(s): | tcpreen | CVE #(s): | CVE-2007-6562 |
| Created: | January 3, 2008 | Updated: | January 9, 2008 |
| Description: | The tcpreen TCP connection monitoring tool has multiple buffer overflow vulnerabilities; these may be used to cause a denial of service. |
| Alerts: | |
tog-pegasus: stack buffer overflow
| Package(s): | tog-pegasus | CVE #(s): | CVE-2008-0003 |
| Created: | January 8, 2008 | Updated: | January 12, 2008 |
| Description: | During a security audit, a stack buffer overflow flaw was found in the PAM authentication code in the OpenPegasus CIM management server. An unauthenticated remote user could trigger this flaw and potentially execute arbitrary code with root privileges. |
| Alerts: | |
unp: code execution via malicious file names
| Package(s): | unp | CVE #(s): | CVE-2007-6610 |
| Created: | January 9, 2008 | Updated: | January 9, 2008 |
| Description: | The unp unpacking tool (prior to version 1.0.14) does not properly check file names, allowing the execution of shell commands. |
| Alerts: | |
wordpress: multiple vulnerabilities
| Package(s): | wordpress | CVE #(s): | CVE-2007-6013 CVE-2007-6318 |
| Created: | January 3, 2008 | Updated: | January 9, 2008 |
| Description: | The Wordpress online publishing and weblog utility has multiple SQL injection vulnerabilities in versions 2.3.1 and earlier. Remote attackers can use this to execute arbitrary SQL commands via the s parameter. |
| Alerts: | |
wzdftpd: denial of service
| Package(s): | wzdftpd | CVE #(s): | CVE-2007-5300 |
| Created: | January 7, 2008 | Updated: | January 9, 2008 |
| Description: | From the CVE entry: Off-by-one error in the do_login_loop function in libwzd-core/wzd_login.c in wzdftpd 0.8.0, 0.8.2, and possibly other versions and earlier allows remote attackers to cause a denial of service (daemon crash) via a long USER command that triggers a stack-based buffer overflow. |
| Alerts: | |
Page editor: Jake Edge