Security
Eee PC security or lack thereof
The Eee PC has garnered a lot of press for its small form factor, low weight, and solid-state disk, but it has also made a poor showing with security researchers. RISE Security released a report on the security of the Eee last week, showing that it can be subverted ("rooted") right out of the box from ASUS. Unfortunately, it is even worse than that: even after updating an Eee using the standard mechanism, the hole is not patched.
The vulnerability identified by RISE is in the Samba daemon (smbd), version 3.0.24, which is installed and running on stock Eee PCs. The vulnerability, CVE-2007-2446, was identified and patched last May, so the Eee has been shipping with a version of Samba known to be vulnerable to an arbitrary code execution flaw for nine months or so. In itself, that is not completely surprising.
When hardware vendors install a distribution, or a commercial OS like Windows, they tend to install the latest released version, which is likely to be out of date with respect to security issues. A vendor installing Fedora 8 or Debian etch today will be behind on countless security updates. But, unlike the Samba problem discovered on the Eee, updates for those do exist in the standard places. If the new user updates their system immediately, there is a fairly small window of vulnerability.
Unfortunately for Eee owners, the modified Xandros distribution that comes with it does not yet have an update for Samba. This leaves all Eee PCs vulnerable to being rooted by anyone on the same network. Since the Eee is meant as a mobile device, it likely spends a lot of its time connected to various public networks, especially wireless networks. The Eee makes an interesting target for attackers because it very well might have authentication information for banks or brokerages as well as other private or confidential files.
Some have seriously downplayed the threat, but it is clear they don't understand it:
Sales of the Eee last year were around 300,000 units; large enough to be an attractive target for the malicious. Because there is no update to close the hole, Eee users have to rely on other means to protect themselves. This eeeuser.com comment thread provides some of the better advice for dealing with the problem. Removing the Samba package seems to be the simplest, but fairly heavy-handed, way to avoid the hole, yet many folks need a working Samba. There is no way to disable Samba from the Eee GUI, which is the way most owners plan to interact with the machine. This whole incident makes it seem like ASUS (and perhaps Xandros) are not terribly interested in the security of the machines that they sell.
There is a larger issue here. When the normal means of getting security patches comes from the same medium that is also the biggest security threat, there will always be windows of vulnerability. Even if hardware vendors diligently update the distribution they install, there is still some shelf-life and shipping time where security updates can be released. Various studies have shown that there may not be enough time to download patches before an unpatched system succumbs to an attack.
It is a difficult problem to solve completely. Any solution must be very straightforward and consistent so that unsophisticated users can be trained to do it as a matter of course. News about security issues needs to get more widespread attention as well, so that those same users know when the procedure needs to be followed. Firewalls and other network protections only go so far if the machine needs to reach out to the internet to pick up its updates.
If distributions provided some kind of blob (tar file, .deb, .rpm, etc.) that contained all of the security updates since the release, users could grab that from a different (presumably patched or not vulnerable) machine, put it on a USB stick or some other removable media and get it to the new machine. A utility provided by the distribution could then process that blob to apply all the relevant patches—all while the vulnerable machine stayed off the net. As the world domination plan continues, threats against Linux will become more commonplace; we need to try and ensure that users, especially the unsophisticated ones, can be secure in their choice of Linux.
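The two practical pieces of the discussion above, checking and disabling the shipped smbd without removing the package, and carrying a bundle of security updates to the machine on removable media, as an added shell example. This is not code from the article, ASUS or Xandros. It assumes that `smbd -V` prints a line of the form `Version 3.0.24`, that upstream fixed CVE-2007-2446 in Samba 3.0.25 (a distribution may backport the fix under an older version string, so the version check is only a first pass), that the Eee's init script is called `samba`, and that the machine is Debian-based with apt and dpkg; the sample banner is constructed.

```shell
#!/bin/sh
# Added example, not code from the LWN article, ASUS or Xandros.
# Three things a cautious Eee owner can do from a terminal:
#   1. decide whether the installed smbd predates the CVE-2007-2446 fix,
#   2. stop and disable smbd without removing the package,
#   3. build a bundle of security updates on a patched machine and apply
#      it on the vulnerable one while it stays off the network.

# Assumption: upstream fixed CVE-2007-2446 in Samba 3.0.25. A distribution
# may backport the fix under an older version string, so treat "vulnerable"
# as "check your vendor's changelog", not as proof.
FIXED_SAMBA="3.0.25"

# Constructed sample of what a stock Eee's "smbd -V" prints (per the article).
SAMPLE_EEE_BANNER="Version 3.0.24"

# vercmp A B: print -1, 0 or 1 as dotted version A is less than, equal to or
# greater than B. Non-digit suffixes ("28a") are ignored and missing
# components count as 0, so 3.0 compares below 3.0.25.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        ah="${ah%%[!0-9]*}"; bh="${bh%%[!0-9]*}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' '-1'; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' '1'; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' '0'
}

# samba_version BANNER: extract "3.0.24" from the "Version 3.0.24" line that
# smbd -V prints (assumed output format); prints nothing if no such line.
samba_version() {
    printf '%s\n' "$1" | sed -n 's/^Version \([0-9][^ ]*\).*/\1/p' | head -n 1
}

# samba_status BANNER: print "vulnerable", "patched" or "unknown".
samba_status() {
    v=$(samba_version "$1")
    [ -n "$v" ] || { printf '%s\n' unknown; return 0; }
    if [ "$(vercmp "$v" "$FIXED_SAMBA")" -lt 0 ]; then
        printf '%s\n' vulnerable
    else
        printf '%s\n' patched
    fi
}

# Stop smbd now and keep it from starting at boot, leaving the package in
# place for when a fixed one arrives. Assumes a Debian-style init script
# named "samba" (assumption); run as root.
disable_samba() {
    /etc/init.d/samba stop
    update-rc.d -f samba remove
}

# build_update_bundle BUNDLE PKG...: on an already-patched machine with the
# same architecture and apt sources, fetch the named packages into the apt
# cache without installing them and copy the .debs to BUNDLE (for example a
# mounted USB stick). --reinstall makes apt download the current version
# even if this machine already has it.
build_update_bundle() {
    bundle="$1"; shift
    mkdir -p "$bundle"
    apt-get --download-only --reinstall --yes install "$@"
    cp /var/cache/apt/archives/*.deb "$bundle"/
}

# apply_update_bundle BUNDLE: on the vulnerable machine, with networking
# down, install the bundled packages and finish any pending configuration.
apply_update_bundle() {
    bundle="$1"
    dpkg -i "$bundle"/*.deb
    dpkg --configure -a
}

# Command-line entry point; with no arguments the file only defines the
# functions above, so it can also be sourced from another script.
case "${1:-}" in
    check)   samba_status "$(smbd -V 2>/dev/null)" ;;
    disable) disable_samba ;;
    bundle)  shift; build_update_bundle "$@" ;;
    apply)   apply_update_bundle "$2" ;;
esac
```

Usage: `sh eee-samba.sh check` on the Eee reports whether the installed smbd is older than the fixed release; `sh eee-samba.sh bundle /media/usb/updates samba samba-common` on a patched Debian-family machine with matching sources collects the packages, and `sh eee-samba.sh apply /media/usb/updates` installs them on the Eee with the wireless switched off. The version comparison is deliberately conservative: a backported fix would still show as "vulnerable", which errs on the side of making the owner look at the changelog.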
Brief items
Multi-threaded OpenSSH
The folks at the Pittsburgh Supercomputing Center have posted a special version of OpenSSH aimed at high-bandwidth applications. "This cipher mode introduces multi-threading into the OpenSSH application in order to allow it to make full use of CPU resources available on multi-core systems. As the canonical distribution of OpenSSH is unable to make use of more than one core, high performance transfers can be bottlenecked by the cryptographic overhead." It's worth noting that the OpenSSH developers fear the security implications of multi-threading the program and seem uninclined to incorporate this work.
New vulnerabilities
clamav: arbitrary code execution
Package(s): clamav
CVE #(s): CVE-2008-0318
Created: February 13, 2008
Updated: April 18, 2008
Description: From the CVE: Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow.
Doomsday: multiple vulnerabilities
Package(s): Doomsday
CVE #(s): CVE-2007-4642 CVE-2007-4643 CVE-2007-4644
Created: February 7, 2008
Updated: February 13, 2008
Description: From the Gentoo alert: Luigi Auriemma discovered multiple buffer overflows in the D_NetPlayerEvent() function, the Msg_Write() function and the NetSv_ReadCommands() function. He also discovered errors when handling chat messages that are not NULL-terminated (CVE-2007-4642) or contain a short data length, triggering an integer underflow (CVE-2007-4643). Furthermore a format string vulnerability was discovered in the Cl_GetPackets() function when processing PSV_CONSOLE_TEXT messages (CVE-2007-4644). This vulnerability can be used for the execution of arbitrary code or to create a denial of service.
duplicity: password disclosure
Package(s): duplicity
CVE #(s): CVE-2007-5201
Created: February 13, 2008
Updated: February 13, 2008
Description: From the CVE: The FTP backend for Duplicity sends the password as a command line argument when calling ncftp, which might allow local users to read the password by listing the process and its arguments.
firefox: multiple vulnerabilities
Package(s): firefox seamonkey thunderbird
CVE #(s): CVE-2008-0412 CVE-2008-0413 CVE-2008-0415 CVE-2008-0417 CVE-2008-0418 CVE-2008-0419 CVE-2008-0591 CVE-2008-0592 CVE-2008-0593
Created: February 8, 2008
Updated: May 21, 2008
Description: From the Red Hat advisory:
Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)
Several flaws were found in the way Firefox displayed malformed web content. A webpage containing specially-crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593)
A flaw was found in the way Firefox stored password data. If a user saves login information for a malicious website, it could be possible to corrupt the password database, preventing the user from properly accessing saved password data. (CVE-2008-0417)
A flaw was found in the way Firefox handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious website to steal sensitive session data. Note: this flaw does not affect a default installation of Firefox. (CVE-2008-0418)
A flaw was found in the way Firefox saves certain text files. If a website offers a file of type "plain/text", rather than "text/plain", Firefox will not show future "text/plain" content to the user in the browser, forcing them to save those files locally to view the content. (CVE-2008-0592)
firefox: multiple vulnerabilities
Package(s): firefox
CVE #(s): CVE-2008-0414 CVE-2008-0416 CVE-2008-0420 CVE-2008-0594
Created: February 8, 2008
Updated: May 21, 2008
Description: From the Ubuntu advisory:
Flaws were discovered in the file upload form control. A malicious website could force arbitrary files from the user's computer to be uploaded without consent. (CVE-2008-0414)
Various flaws were discovered in character encoding handling. If a user were tricked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-0416)
Flaws were discovered in the BMP decoder. By tricking a user into opening a specially crafted BMP file, an attacker could obtain sensitive information. (CVE-2008-0420)
Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery warning dialog wasn't displayed under certain circumstances. A malicious website could exploit this to conduct phishing attacks against the user. (CVE-2008-0594)
glib2: buffer overflow
Package(s): glib2
CVE #(s): none listed
Created: February 13, 2008
Updated: February 13, 2008
Description: From the Fedora advisory: PCRE 7.6 fixed the following bug: A character class containing a very large number of characters with codepoints greater than 255 (in UTF-8 mode, of course) caused a buffer overflow. The GLib release 2.14.6 updates the included copy of PCRE to version 7.6.
gnumeric: arbitrary code execution
Package(s): gnumeric
CVE #(s): CVE-2008-0668
Created: February 13, 2008
Updated: August 8, 2008
Description: From the CVE: The excel_read_HLINK function in plugins/excel/ms-excel-read.c in Gnome Office Gnumeric before 1.8.1 allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file containing XLS HLINK opcodes, possibly because of an integer signedness error that leads to an integer overflow. NOTE: some of these details are obtained from third party information.
gnumeric: integer overflow and signedness errors
Package(s): gnumeric
CVE #(s): none listed
Created: February 8, 2008
Updated: February 13, 2008
Description: Gnumeric has an integer overflow and signedness errors in its XLS processing, with unknown consequences.
java: multiple vulnerabilities
Package(s): java-1.5.0-sun
CVE #(s): CVE-2008-0657
Created: February 12, 2008
Updated: April 25, 2008
Description: Multiple unspecified vulnerabilities in the Java Runtime Environment in Sun JDK and JRE 6 Update 1 and earlier, and 5.0 Update 13 and earlier, allow context-dependent attackers to gain privileges via an untrusted (1) application or (2) applet, as demonstrated by an application or applet that grants itself privileges to (a) read local files, (b) write to local files, or (c) execute local programs.
kernel: insufficient range checks
Package(s): kernel
CVE #(s): CVE-2008-0007
Created: February 8, 2008
Updated: January 8, 2009
Description: From the SUSE advisory: Insufficient range checks in certain fault handlers could be used by local attackers to potentially read or write kernel memory.
kernel: local root privilege escalation
Package(s): linux-2.6
CVE #(s): CVE-2008-0010 CVE-2008-0600
Created: February 11, 2008
Updated: June 23, 2008
Description: From the Debian advisory: The vmsplice system call did not properly verify address arguments passed by user space processes, which allowed local attackers to overwrite arbitrary kernel memory, gaining root privileges (CVE-2008-0010, CVE-2008-0600).
kernel: memory access violation
Package(s): linux-2.6
CVE #(s): CVE-2008-0163
Created: February 11, 2008
Updated: February 13, 2008
Description: From the Debian advisory: In the vserver-enabled kernels, a missing access check on certain symlinks in /proc enabled local attackers to access resources in other vservers (CVE-2008-0163).
mailman: cross-site scripting
Package(s): mailman
CVE #(s): CVE-2008-0564
Created: February 13, 2008
Updated: April 15, 2011
Description: From the Red Hat bugzilla entry: Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.10b1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) editing templates and (2) the list's "info attribute" in the web administrator interface, a different vulnerability than CVE-2006-3636.
moin: file overwrite via crafted cookie
Package(s): moin
CVE #(s): none listed
Created: February 13, 2008
Updated: February 13, 2008
Description: From the Fedora advisory: It was discovered that moin allowed overwriting arbitrary files writable by the user running moin, using a crafted cookie with certain user IDs, via a directory traversal flaw. This updated package fixes this issue.
mozilla: multiple vulnerabilities
Package(s): mozilla
CVE #(s): none listed
Created: February 13, 2008
Updated: July 29, 2008
Description: Here are the details from the Slackware 12.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-2.0.0.12-i686-1.tgz: Upgraded to firefox-2.0.0.12.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabil...
  (* Security fix *)
patches/packages/seamonkey-1.1.8-i486-1_slack12.0.tgz: Upgraded to seamonkey-1.1.8.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabil...
  (* Security fix *)
+--------------------------+
mplayer: multiple vulnerabilities
Package(s): mplayer
CVE #(s): CVE-2008-0485 CVE-2008-0486 CVE-2008-0629 CVE-2008-0630
Created: February 13, 2008
Updated: August 7, 2008
Description: From the Debian advisory: Several buffer overflows have been discovered in the MPlayer movie player, which might lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2008-0485: Felipe Manzano and Anibal Sacco discovered a buffer overflow in the demuxer for MOV files.
CVE-2008-0486: Reimar Doeffinger discovered a buffer overflow in the FLAC header parsing.
CVE-2008-0629: Adam Bozanich discovered a buffer overflow in the CDDB access code.
CVE-2008-0630: Adam Bozanich discovered a buffer overflow in URL parsing.
netpbm: buffer overflow
Package(s): netpbm
CVE #(s): CVE-2008-0554
Created: February 8, 2008
Updated: November 7, 2008
Description: From the Mandriva advisory: A buffer overflow in the giftopnm utility in netpbm prior to version 10.27 could allow attackers to have an unknown impact via a specially crafted GIF file.
openldap: denial of service
Package(s): openldap
CVE #(s): CVE-2007-6698
Created: February 8, 2008
Updated: April 25, 2008
Description: From the CVE entry: The BDB backend for slapd in OpenLDAP before 2.3.36 allows remote authenticated users to cause a denial of service (crash) via a potentially-successful modify operation with the NOOP control set to critical, possibly due to a double free vulnerability.
openldap: denial of service
Package(s): openldap
CVE #(s): CVE-2008-0658
Created: February 13, 2008
Updated: July 3, 2008
Description: From the rPath advisory: Previous versions of the openldap package are vulnerable to a Denial of Service attack in which authenticated users can crash the slapd server.
phpbb2: multiple vulnerabilities
Package(s): phpbb2
CVE #(s): CVE-2006-4758 CVE-2006-6839 CVE-2006-6840 CVE-2006-6508 CVE-2006-6841 CVE-2008-0471
Created: February 11, 2008
Updated: February 13, 2008
Description: From the Debian advisory:
CVE-2008-0471: Private messaging allowed cross site request forgery, making it possible to delete all private messages of a user by sending them to a crafted web page.
CVE-2006-6841 / CVE-2006-6508: Cross site request forgery enabled an attacker to perform various actions on behalf of a logged in user. (Applies to sarge only)
CVE-2006-6840: A negative start parameter could allow an attacker to create invalid output. (Applies to sarge only)
CVE-2006-6839: Redirection targets were not fully checked, leaving room for unauthorised external redirections via a phpBB forum. (Applies to sarge only)
CVE-2006-4758: An authenticated forum administrator may upload files of any type by using specially crafted filenames. (Applies to sarge only)
SDL_image: buffer overflows
Package(s): SDL_image
CVE #(s): CVE-2007-6697 CVE-2008-0544
Created: February 8, 2008
Updated: March 27, 2008
Description: From the Mandriva advisory: The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code.
tk: buffer overflow
Package(s): tk
CVE #(s): CVE-2008-0553
Created: February 8, 2008
Updated: November 6, 2008
Description: From the Mandriva advisory: The ReadImage() function in Tk did not check CodeSize read from GIF images prior to initializing the append array, which could lead to a buffer overflow with unknown impact.
tomcat: multiple vulnerabilities
Package(s): tomcat5
CVE #(s): CVE-2007-5342 CVE-2007-5333 CVE-2007-6286 CVE-2007-1355 CVE-2007-1358 CVE-2008-0002
Created: February 13, 2008
Updated: September 13, 2010
Description: Refer to the CVE entries for more information.
wml: multiple file overwrite vulnerabilities
Package(s): wml
CVE #(s): CVE-2008-0665 CVE-2008-0666
Created: February 11, 2008
Updated: April 28, 2008
Description: From the Debian advisory: Frank Lichtenheld and Nico Golde discovered that WML, an off-line HTML generation toolkit, creates insecure temporary files in the eperl and ipp backends and in the wmg.cgi script, which could lead to local denial of service by overwriting files.
wordpress: remote editing via unknown vectors
Package(s): wordpress
CVE #(s): CVE-2008-0664
Created: February 13, 2008
Updated: July 4, 2008
Description: From the CVE: The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors.
Page editor: Jake Edge