
Security

Debian vulnerability has widespread effects

By Jake Edge
May 14, 2008

The recent Debian advisory for OpenSSL could lead to predictable cryptographic keys being generated on affected systems. Unfortunately, because of the way keys are used, especially by ssh, this can lead to problems on systems that never installed the vulnerable library. In addition, because the OpenSSL library is used in a wide variety of services that require cryptography, a very large subset of security tools are affected. This is a wide-ranging vulnerability that affects a substantial fraction of Linux systems.

For a look at the chain of errors that led to the vulnerability, see our front page article. Here, we will concentrate on some of the details of the code, the impact of the vulnerability, and what to do about it.

Valgrind, an excellent tool for finding memory-related bugs, was run on an application that used the OpenSSL library. It complained about the library using uninitialized memory in two locations in crypto/rand/md_rand.c:

    247:
            MD_Update(&m,buf,j);

    467:
    #ifndef PURIFY
            MD_Update(&m,buf,j); /* purify complains */
    #endif

While the lines of code look remarkably similar (modulo the pre-processor directive), their actual effect is very different.

The first is contained in the ssleay_rand_add() function, which is normally called via the RAND_add() function. It adds the contents of the passed in buffer to the entropy pool of the pseudo-random number generator (PRNG). The other is contained in ssleay_rand_bytes(), normally called via RAND_bytes(), which is meant to return random bytes. It adds the contents of the passed in buffer—before filling it with random bytes to return—to the entropy pool as well. The major difference is that removing the latter might marginally reduce the entropy in the PRNG pool, while removing the former effectively stops any entropy from being added to the pool.

For both RAND_add() and RAND_bytes(), the buffer that gets passed in may not have been initialized. This was evidently known by the OpenSSL folks, but remained undocumented for others to trip over later. The "#ifndef PURIFY" is a clue that someone, at some point, tried to handle the same kind of problem that Valgrind was reporting for the similar, but proprietary, Purify tool. While it isn't necessarily wrong to add these uninitialized buffers to the PRNG pool, it is something that tools like Valgrind will rightly complain about. Since it is dubious whether it adds much in the way of entropy, while constituting a serious hazard for the uninitiated, some kind of documentation in the code would seem mandatory.
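To make the difference between the two MD_Update() calls concrete, here is a toy model of the md_rand.c pool. It is an added example, not OpenSSL's code: the pool is a single SHA-256 digest and the mixing is simplified, and the assumption that the process id is the only input RAND_bytes() mixes in on its own is a modelling choice. What it preserves is the structure the article describes: RAND_add() folds caller-supplied seed material into the pool, and RAND_bytes() folds in only the pid and a counter before producing output. With the ssleay_rand_add() mixing removed, two hosts that happen to use the same pid produce the same "key" no matter how good their seed was.

```python
"""Toy model of the md_rand.c pool (constructed for illustration, not OpenSSL code)."""
import hashlib
import os


class ToyMdRand:
    def __init__(self, pid, add_enabled=True):
        # A fixed starting state stands in for the zeroed pool.
        self.state = hashlib.sha256(b"toy md_rand initial pool").digest()
        self.pid = pid
        self.counter = 0
        # add_enabled=False models removing the MD_Update(&m,buf,j) call from
        # ssleay_rand_add(): RAND_add() then never changes the pool at all.
        self.add_enabled = add_enabled

    def rand_add(self, buf):
        """RAND_add(): mix seed material (e.g. bytes from /dev/urandom) into the pool."""
        if self.add_enabled:
            self.state = hashlib.sha256(self.state + buf).digest()

    def rand_bytes(self, n):
        """RAND_bytes(): every output block mixes the pool with the pid and a counter."""
        out = bytearray()
        while len(out) < n:
            self.counter += 1
            block = (self.state
                     + self.pid.to_bytes(4, "little")
                     + self.counter.to_bytes(4, "little"))
            self.state = hashlib.sha256(block).digest()
            out += self.state
        return bytes(out[:n])


def generate_key_material(seed, pid, debian_patched):
    """One simulated key-generation run: seed the pool, then draw 32 bytes of 'key'."""
    prng = ToyMdRand(pid, add_enabled=not debian_patched)
    prng.rand_add(seed)
    return prng.rand_bytes(32)


def count_distinct_keys(debian_patched, pids, seeds):
    """How many different keys can a population of hosts (pid x seed) produce?"""
    keys = {generate_key_material(s, p, debian_patched) for p in pids for s in seeds}
    return len(keys)


if __name__ == "__main__":
    seeds = [os.urandom(32) for _ in range(20)]   # 20 hosts with genuinely random seeds
    pids = range(1, 51)                           # 50 possible pids each
    total = len(seeds) * len(pids)
    print("patched pool, distinct keys:", count_distinct_keys(True, pids, seeds), "of", total)
    print("working pool, distinct keys:", count_distinct_keys(False, pids, seeds), "of", total)
```

With the add path disabled, the number of distinct keys collapses to the number of distinct pids, which is the whole story behind the article's 18-bit estimate: the seed no longer matters, so the key space is bounded by the pid range rather than by the quality of the entropy source.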

The major response from the OpenSSL team seems to be from core team member Ben Laurie's weblog, where he has a rant entitled "Vendors Are Bad For Security". In it, and its follow-up, he makes some good points about mistakes that were made, while seeming to be unwilling for OpenSSL to take any share of the blame.

The end result is that OpenSSL would create predictable random numbers, which would then result in predictable cryptographic keys. According to the advisory:

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.

A program that can detect some weak keys has also been released. It uses 256K hash values to detect the bad keys, which would imply 18 bits of entropy in the PRNG pool of vulnerable OpenSSL libraries. By using hashes of the keys in the detection program, the authors do not directly give away the key values that get generated, but it should not be difficult for an attacker to generate and use that list.

For affected Debian-derived systems, the cleanup is relatively straightforward, if painful. The SSLkeys page on the Debian wiki has specific information on how to remove weak keys along with how to generate new ones for a variety of services affected. Obviously, none of those steps should be taken until the OpenSSL package itself has been upgraded to a version that fixes the hole.

A bigger problem may be for those installations based on distributions that were not directly affected because they did not distribute the vulnerable OpenSSL library. Those machines may very well have weak keys installed in user accounts as ssh authorized_keys. A user who generated a key pair on some vulnerable host may have copied the public key to a host that was not vulnerable. This would allow an attacker to access the account of that user by brute forcing the key from the 256K possibilities.

Because of that danger, the Debian project suspended public key authentication on debian.org machines. In addition, all passwords were reset because of the possibility that an attacker could have captured them by decrypting the ssh traffic using one of the weak keys. One would guess that debian.org machines would have a higher incidence of weak keys, but any host that allows users to use ssh public key authentication is potentially at risk.

The weak key detector (dowkd) has some fairly serious limitations:

dowkd currently handles OpenSSH host and user keys and OpenVPN shared secrets, as long as they use default key lengths and have been created on a little-endian architecture (such as i386 or amd64). Note that the blacklist by dowkd may be incomplete; it is only intended as a quick check.

In order to ensure that there are no weak keys installed as public keys on other hosts, it may be necessary to remove all authorized_keys (and/or authorized_keys2) entries for all users. It may also be wise to set all passwords to something unknown. Until that is done, there still remains a chance that a weak key may allow access to an attacker. It is an unpleasant task that needs to be done for those who administer a multi-user system.
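The blacklist approach described above (hashes of known-bad keys rather than the keys themselves) and the authorized_keys audit just discussed can be combined into one scanner. The following is an added example, not dowkd or any distribution's blacklist tool: it parses authorized_keys lines (including the leading options field, whose quoted values may contain commas), computes an OpenSSH-style SHA256 fingerprint of the decoded key blob, and classifies each entry. The key blobs and the blacklist in the sample are constructed so the script runs offline; they are syntactically valid but cryptographically meaningless, not real weak keys.

```python
"""Scan an OpenSSH authorized_keys file against a blacklist of key fingerprints.
Added example; the sample keys and blacklist below are constructed, not real."""
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # the types the article's tools cover; extend as needed


def _split_outside_quotes(line):
    """Split on whitespace, except inside double quotes (options like from="a,b")."""
    tokens, cur, in_quote = [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_authorized_keys_line(line):
    """Return a dict for a key line, None for blanks/comments; ValueError if no key found."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = _split_outside_quotes(line)
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return {"options": " ".join(tokens[:i]), "type": tok,
                    "blob": tokens[i + 1], "comment": " ".join(tokens[i + 2:])}
    raise ValueError("no recognised key on line")


def blob_type(raw):
    """The first length-prefixed field of the wire-format blob names the key type."""
    n = int.from_bytes(raw[:4], "big")
    return raw[4:4 + n].decode("ascii", "replace")


def fingerprint(raw):
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of the blob's digest."""
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode()


def scan_authorized_keys(text, blacklist):
    """Classify every non-comment line as weak, ok, type-mismatch, undecodable or unparseable."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_authorized_keys_line(line)
        except ValueError:
            results.append({"line": line_no, "status": "unparseable"})
            continue
        if entry is None:
            continue
        try:
            raw = base64.b64decode(entry["blob"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            results.append({"line": line_no, "status": "undecodable", "type": entry["type"]})
            continue
        if blob_type(raw) != entry["type"]:
            status = "type-mismatch"      # declared type and blob disagree: worth a look
        elif fingerprint(raw) in blacklist:
            status = "weak"               # matches a known-bad key hash
        else:
            status = "ok"
        results.append({"line": line_no, "status": status, "type": entry["type"],
                        "options": entry["options"], "fingerprint": fingerprint(raw),
                        "comment": entry["comment"]})
    return results


# --- constructed sample data (toy blobs, not real or weak keys) ---
def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b


def make_demo_blob(keytype, *fields):
    """Build a syntactically valid but cryptographically meaningless key blob."""
    raw = _ssh_string(keytype.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode()


WEAK_BLOB = make_demo_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xde\xad\xbe\xef")
GOOD_BLOB = make_demo_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xca\xfe\xf0\x0d")
DSA_BLOB = make_demo_blob("ssh-dss", b"\x07", b"\x05", b"\x02", b"\x03")
BLACKLIST = {fingerprint(base64.b64decode(WEAK_BLOB))}  # constructed blacklist

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    f"ssh-rsa {WEAK_BLOB} alice@affected-host",
    f'from="10.0.0.0/8",no-pty ssh-rsa {GOOD_BLOB} bob@laptop',
    f"ssh-dss {DSA_BLOB} carol@old-box",
    f"ssh-dss {GOOD_BLOB} dave@mislabelled",
    "not a key line at all",
])

if __name__ == "__main__":
    for r in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print(r["line"], r["status"], r.get("fingerprint", ""), r.get("comment", ""))
```

Flagging lines the parser cannot classify, rather than silently skipping them, matters for the audit described above: a line that does not parse is not proof of a weak key, but it is exactly the kind of entry an administrator should not leave in place unexamined while cleaning up.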

Comments (31 posted)

Brief items

Brute-Force SSH Server Attacks Surge (InformationWeek)

InformationWeek reports on an increase in attacks against SSH servers. "The paper focuses on the vulnerability of Linux systems to brute-force SSH attacks... 'Linux systems face a unique threat of compromise from brute-force attacks against SSH servers that may be running without the knowledge of system owners/operators. Many Linux distributions install the SSH service by default, some without the benefit of an effective firewall.'"

Comments (37 posted)

Mozilla ships a compromised extension

From the Mozilla security blog: "The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection, but does not contain the virus itself. This usually results in the user seeing unwanted ads, but may be used for more malicious actions. Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy." Presumably this is only an issue for Windows users, but it is still scary. More information can be found in bugzilla.

Comments (6 posted)

Cryptographic weakness on Debian systems

The Debian project has sent out an advisory stating that, due to a Debian-specific modification to the openssl package, cryptographic keys generated on affected systems may be guessable. "It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised." The project has disabled public key logins on its internal infrastructure in response.

Comments (111 posted)

Tech Insight: Finding & Prioritizing Web Application Vulnerabilities (Dark Reading)

Dark Reading analyzes web application vulnerabilities with an eye towards triage—choosing the right ones to address first. "While there are many Web application vulnerabilities, they aren't all the same. Each one may represent different levels of danger to different organizations, depending on the sensitivity of the data available through the site, user access privileges, and the accessibility of other internal systems from the Web and database servers."

Comments (none posted)

New vulnerabilities

bugzilla: multiple vulnerabilities

Package(s):bugzilla CVE #(s):CVE-2008-2103 CVE-2008-2105
Created:May 12, 2008 Updated:May 14, 2008
Description:

From the Red Hat bugzilla:

CVE-2008-2103: Cross-site scripting (XSS) vulnerability in Bugzilla 2.17.2 and later allows remote attackers to inject arbitrary web script or HTML via the id parameter to the "Format for Printing" view or "Long Format" bug list.

CVE-2008-2105: email_in.pl in Bugzilla 2.23.4, and later versions before 3.0, allows remote authenticated users to more easily spoof the changer of a bug via a @reporter command in the body of an e-mail message, which overrides the e-mail address as normally obtained from the From e-mail header. NOTE: since From headers are easily spoofed, this only crosses privilege boundaries in environments that provide additional verification of e-mail addresses.

Alerts:
Fedora FEDORA-2008-3668 bugzilla 2008-05-13
Fedora FEDORA-2008-3442 bugzilla 2008-05-09
Fedora FEDORA-2008-3488 bugzilla 2008-05-09

Comments (none posted)

cdf: buffer overflow

Package(s):cdf CVE #(s):CVE-2008-2080
Created:May 14, 2008 Updated:May 14, 2008
Description: Versions of the Common Data Format library prior to 3.2.1 suffer from a buffer overflow which could be exploitable via a specially-crafted CDF file.
Alerts:
Gentoo 200805-14 cdf 2008-05-13

Comments (none posted)

egroupware: denial of service

Package(s):egroupware CVE #(s):CVE-2008-2041 CVE-2008-1502
Created:May 8, 2008 Updated:October 13, 2009
Description: From the Gentoo alert:

A vulnerability has been reported in FCKEditor due to the way that file uploads are handled in the file editor/filemanager/upload/php/upload.php when a filename has multiple file extensions (CVE-2008-2041). Another vulnerability exists in the _bad_protocol_once() function in the file phpgwapi/inc/class.kses.inc.php, which allows remote attackers to bypass HTML filtering (CVE-2008-1502).

Alerts:
Debian DSA-1871-2 wordpress 2009-08-27
Mandriva MDVSA-2009:265 egroupware 2009-08-09
Debian DSA-1871-1 wordpress 2009-08-23
Debian DSA-1691-1 moodle 2008-12-22
Ubuntu USN-658-1 moodle 2008-10-23
SuSE SUSE-SR:2008:015 moddle, clamav, zypper, mercurial, poppler 2008-07-18
Fedora FEDORA-2008-6226 moodle 2008-07-09
Gentoo 200805-04 egroupware 2008-05-07

Comments (none posted)

gforge: temporary file vulnerability

Package(s):gforge CVE #(s):CVE-2008-0167
Created:May 14, 2008 Updated:May 14, 2008
Description: GForge opens files for writing in an insecure manner, leaving open the possibility of file overwrite attacks by a local user.
Alerts:
Debian DSA-1577-1 gforge 2008-05-14

Comments (none posted)

firebird: information disclosure

Package(s):firebird CVE #(s):CVE-2008-1880
Created:May 9, 2008 Updated:May 14, 2008
Description: From the Gentoo advisory: Viesturs reported that the default configuration for Gentoo's init script ("/etc/conf.d/firebird") sets the "ISC_PASSWORD" environment variable when starting Firebird. It will be used when no password is supplied by a client connecting as the "SYSDBA" user.
Alerts:
Gentoo 200805-06 firebird 2008-05-09

Comments (1 posted)

imagemagick: heap-based buffer overflows

Package(s):ImageMagick CVE #(s):CVE-2008-1096 CVE-2008-1097
Created:May 9, 2008 Updated:November 19, 2013
Description: From the Mandriva advisory:

A heap-based buffer overflow vulnerability was found in how ImageMagick parsed XCF files. If ImageMagick opened a specially-crafted XCF file, it could be made to overwrite heap memory beyond the bounds of its allocated memory, potentially allowing an attacker to execute arbitrary code on the system running ImageMagick (CVE-2008-1096).

Another heap-based buffer overflow vulnerability was found in how ImageMagick processed certain malformed PCX images. If ImageMagick opened a specially-crafted PCX image file, an attacker could possibly execute arbitrary code on the system running ImageMagick (CVE-2008-1097).

Alerts:
Gentoo 201311-10 graphicsmagick 2013-11-18
Oracle ELSA-2012-0301 imagemagick 2012-03-07
Debian DSA-1858-1 imagemagick 2009-08-10
Ubuntu USN-681-1 imagemagick 2008-12-01
SuSE SUSE-SR:2008:014 sudo, courier-authlib, gnome-screensaver, clamav, php5, ImageMagick, GraphicsMagick, mtr, bind, pcre, tomcat, squid, freetype2 2008-07-04
Mandriva MDVSA-2008:099 ImageMagick 2007-05-08

Comments (none posted)

inspIRCd: buffer overflow

Package(s):inspircd CVE #(s):CVE-2008-1925
Created:May 9, 2008 Updated:May 14, 2008
Description: From the CVE entry: Buffer overflow in InspIRCd before 1.1.18, when using the namesx and uhnames modules, allows remote attackers to cause a denial of service (daemon crash) via a large number of channel users with crafted nicknames, idents, and long hostnames.
Alerts:
Gentoo 200805-08 inspircd 2008-05-09

Comments (none posted)

libid3tag: infinite loop

Package(s):libid3tag CVE #(s):CVE-2008-2109
Created:May 13, 2008 Updated:May 20, 2008
Description: From the CVE entry: field.c in the libid3tag 0.15.0b library allows context-dependent attackers to cause a denial of service (CPU consumption) via an ID3_FIELD_TYPE_STRINGLIST field that ends in '\0', which triggers an infinite loop.
Alerts:
Mandriva MDVSA-2008:103 libid3tag 2008-05-19
Fedora FEDORA-2008-3976 libid3tag 2008-05-14
Fedora FEDORA-2008-3874 libid3tag 2008-05-14
Gentoo 200805-15 libid3tag 2008-05-14
Fedora FEDORA-2008-3757 libid3tag 2008-05-13

Comments (none posted)

libvorbis: multiple vulnerabilities

Package(s):libvorbis CVE #(s):CVE-2008-1419 CVE-2008-1420 CVE-2008-1423
Created:May 14, 2008 Updated:August 25, 2009
Description: The libvorbis library contains several vulnerabilities exploitable by way of a specially-crafted Ogg file.
Alerts:
Ubuntu USN-825-1 libvorbis 2009-08-24
Ubuntu USN-682-1 libvorbis 2008-12-01
Gentoo 200806-09:02 libvorbis 2008-06-23
SuSE SUSE-SR:2008:012 xine, xemacs, emacs, opensuse-updater, libvorbis, vorbis-tools, pdns-recursor, openwsman 2008-06-06
Debian DSA-1591-1 libvorbis 2008-06-03
Mandriva MDVSA-2008:102 libvorbis 2007-05-16
Fedora FEDORA-2008-3910 libvorbis 2008-05-14
Fedora FEDORA-2008-3934 libvorbis 2008-05-14
Fedora FEDORA-2008-3898 libvorbis 2008-05-14
CentOS CESA-2008:0270 libvorbis 2008-05-14
Red Hat RHSA-2008:0271-01 libvorbis 2008-05-14
Red Hat RHSA-2008:0270-01 libvorbis 2008-05-14

Comments (none posted)

licq: denial of service

Package(s):licq CVE #(s):CVE-2008-1996
Created:May 13, 2008 Updated:July 31, 2008
Description: From the CVE entry: licq before 1.3.6 allows remote attackers to cause a denial of service (file-descriptor exhaustion and application crash) via a large number of connections.
Alerts:
Mandriva MDVSA-2008:159 licq 2008-07-30
Fedora FEDORA-2008-3969 licq 2008-05-14
Fedora FEDORA-2008-3909 licq 2008-05-14
Fedora FEDORA-2008-3812 licq 2008-05-13

Comments (none posted)

ltsp: multiple vulnerabilities

Package(s):ltsp CVE #(s):
Created:May 9, 2008 Updated:May 14, 2008
Description: The Linux Terminal Server Project ships copies of packages with vulnerabilities. Many of these vulnerabilities have likely been fixed by your distribution provider in the individual packages, but not in the ltsp bundled copies.
Alerts:
Gentoo 200805-07 ltsp 2008-05-09

Comments (none posted)

moinmoin: privilege escalation

Package(s):moinmoin CVE #(s):CVE-2008-1937
Created:May 12, 2008 Updated:May 14, 2008
Description:

From the Gentoo advisory:

It has been reported that the user form processing in the file userform.py does not properly manage users when using Access Control Lists or a non-empty superusers list.

A remote attacker could exploit this vulnerability to gain superuser privileges on the application.

Alerts:
Gentoo 200805-09 moinmoin 2008-05-11

Comments (none posted)

nagios: cross-site scripting

Package(s):nagios CVE #(s):CVE-2007-5803 CVE-2008-1360
Created:May 9, 2008 Updated:September 14, 2009
Description: From the CVE entry: Cross-site scripting (XSS) vulnerability in Nagios before 2.11 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts, a different issue than CVE-2007-5624.
Alerts:
Debian DSA-1883-2 nagios2 2009-09-14
Debian DSA-1883-1 nagios2 2009-09-10
Mandriva MDVSA-2009:054 nagios 2009-02-24
SuSE SUSE-SR:2008:011 rsync, MozillaFirefox, poppler, nagios, lighttpd, sarg, squid, bzip2, kdelibs3, texlive-bin, kdelibs4, Sun Java 2008-05-09

Comments (none posted)

openssl: predictable random number generator

Package(s):openssl CVE #(s):CVE-2008-0166
Created:May 13, 2008 Updated:June 19, 2008
Description: This Debian advisory states that, due to a Debian-specific modification to the openssl package, cryptographic keys generated on affected systems may be guessable. See also this brief article for more information.
Alerts:
Ubuntu USN-612-11 openssl-blacklist 2008-06-18
Ubuntu USN-612-9 openssl-blacklist 2008-06-12
Ubuntu USN-612-10 openvpn 2008-06-12
Ubuntu USN-612-8 openssl-blacklist 2008-05-21
Ubuntu USN-612-7 openssh 2008-05-20
Debian DSA-1576-2 openssh 2008-05-16
Ubuntu USN-612-6 openvpn 2008-05-14
Ubuntu USN-612-5 openssh 2008-05-14
Debian DSA-1576-1 openssh 2008-05-14
Ubuntu USN-612-4 ssl-cert 2008-05-14
Ubuntu USN-612-3 openvpn 2008-05-13
Debian DSA-1571-1 openssl 2008-05-13
Ubuntu USN-612-2 openssh 2008-05-13
Ubuntu USN-612-1 openssl 2008-05-13

Comments (none posted)

php5: multiple vulnerabilities

Package(s):php5 CVE #(s):CVE-2007-3806 CVE-2008-1384 CVE-2008-2050 CVE-2008-2051
Created:May 12, 2008 Updated:January 22, 2009
Description:

From the Debian advisory:

CVE-2007-3806: The glob function allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via an invalid value of the flags parameter.

CVE-2008-1384: Integer overflow allows context-dependent attackers to cause a denial of service and possibly have other impact via a printf format parameter with a large width specifier.

CVE-2008-2050: Stack-based buffer overflow in the FastCGI SAPI.

CVE-2008-2051: The escapeshellcmd API function could be attacked via incomplete multibyte chars.

Alerts:
Mandriva MDVSA-2009:022 php 2009-01-21
Mandriva MDVSA-2009:023 php 2009-01-21
Gentoo 200811-05 php 2008-11-16
Ubuntu USN-628-1 php5 2008-07-23
CentOS CESA-2008:0545 php 2008-07-16
CentOS CESA-2008:0544 PHP 2008-07-16
Red Hat RHSA-2008:0545-01 php 2008-07-16
Red Hat RHSA-2008:0544-01 PHP 2008-07-16
Red Hat RHSA-2008:0582-01 PHP 2008-07-22
Red Hat RHSA-2008:0546-01 PHP 2008-07-16
Mandriva MDVSA-2008:128 php 2008-07-03
Mandriva MDVSA-2008:127 php 2008-07-03
Mandriva MDVSA-2008:125 php 2008-07-03
Mandriva MDVSA-2008:126 php 2007-07-03
SuSE SUSE-SR:2008:014 sudo, courier-authlib, gnome-screensaver, clamav, php5, ImageMagick, GraphicsMagick, mtr, bind, pcre, tomcat, squid, freetype2 2008-07-04
Red Hat RHSA-2008:0505-01 RH Application Stack 2008-07-02
Fedora FEDORA-2008-3606 php 2008-06-20
Fedora FEDORA-2008-3864 php 2008-06-20
rPath rPSA-2008-0178-1 php 2008-05-27
rPath rPSA-2008-0176-1 php 2008-05-23
Debian DSA-1578-1 php4 2008-05-17
Debian DSA-1572-1 php5 2008-05-11

Comments (none posted)

php: PATH_TRANSLATED miscalculation

Package(s):php CVE #(s):CVE-2008-0599
Created:May 8, 2008 Updated:November 17, 2008
Description: From the National Vulnerability Database: CVE-2008-0599: cgi_main.c in PHP before 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors.
Alerts:
Gentoo 200811-05 php 2008-11-16
Ubuntu USN-628-1 php5 2008-07-23
Mandriva MDVSA-2008:128 php 2008-07-03
Mandriva MDVSA-2008:127 php 2008-07-03
Red Hat RHSA-2008:0505-01 RH Application Stack 2008-07-02
Fedora FEDORA-2008-3606 php 2008-06-20
Fedora FEDORA-2008-3864 php 2008-06-20
rPath rPSA-2008-0176-1 php 2008-05-23
Slackware SSA:2008-128-01 php 2008-05-08

Comments (none posted)

rdesktop: multiple vulnerabilities

Package(s):rdesktop CVE #(s):CVE-2008-1801 CVE-2008-1802 CVE-2008-1803
Created:May 12, 2008 Updated:September 19, 2008
Description:

From the Debian advisory:

CVE-2008-1801: Remote exploitation of an integer underflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user.

CVE-2008-1802: Remote exploitation of a BSS overflow vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user.

CVE-2008-1803: Remote exploitation of an integer signedness vulnerability allows attackers to execute arbitrary code with the privileges of the logged-in user.

Alerts:
Ubuntu USN-646-1 rdesktop 2008-09-18
SuSE SUSE-SA:2008:041 openwsman 2008-08-14
Red Hat RHSA-2008:0575-01 rdesktop 2008-07-24
Red Hat RHSA-2008:0725-01 rdesktop 2008-07-24
Red Hat RHSA-2008:0576-01 rdesktop 2008-07-24
CentOS CESA-2008:0576 rdesktop 2008-07-25
CentOS CESA-2008:0575 rdesktop 2008-07-24
Gentoo 200806-04 rdesktop 2008-06-14
Slackware SSA:2008-148-01 rdesktop 2008-05-28
Mandriva MDVSA-2008:101 rdesktop 2007-05-16
Fedora FEDORA-2008-3886 rdesktop 2008-05-14
Fedora FEDORA-2008-3917 rdesktop 2008-05-14
Fedora FEDORA-2008-3985 rdesktop 2008-05-14
Debian DSA-1573-1 rdesktop 2008-05-11

Comments (none posted)

sarg: stack buffer overflows

Package(s):sarg CVE #(s):CVE-2008-1922
Created:May 9, 2008 Updated:September 8, 2010
Description: Multiple stack buffer overflows have been fixed in the Squid logfile analyzer sarg.
Alerts:
Gentoo 201009-04 sarg 2010-09-07
Mandriva MDVSA-2009:073 sarg 2009-03-10
SuSE SUSE-SR:2008:011 rsync, MozillaFirefox, poppler, nagios, lighttpd, sarg, squid, bzip2, kdelibs3, texlive-bin, kdelibs4, Sun Java 2008-05-09

Comments (none posted)

sipp: arbitrary code execution

Package(s):sipp CVE #(s):CVE-2008-1959
Created:May 12, 2008 Updated:May 14, 2008
Description:

From the Fedora advisory:

Stack-based buffer overflow in the get_remote_video_port_media function in call.cpp in SIPp 3.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted SIP message.

Alerts:
Fedora FEDORA-2008-3690 sipp 2008-05-13
Fedora FEDORA-2008-3508 sipp 2008-05-09

Comments (none posted)

X11 terms: privilege escalation

Package(s):aterm CVE #(s):CVE-2008-1142 CVE-2008-1692
Created:May 8, 2008 Updated:October 30, 2008
Description: Privilege escalation vulnerabilities have been found in the following X11 terminal emulators: aterm, Eterm, Mrxvt, multi-aterm, RXVT, rxvt-unicode, and wterm.

From the Gentoo alert:

Bernhard R. Link discovered that Eterm opens a terminal on :0 if the "-display" option is not specified and the DISPLAY environment variable is not set. Further research by the Gentoo Security Team has shown that aterm, Mrxvt, multi-aterm, RXVT, rxvt-unicode, and wterm are also affected.

Alerts:
Mandriva MDVSA-2008:222 Eterm 2008-10-29
Mandriva MDVSA-2008:221 aterm 2008-10-29
SuSE SUSE-SR:2008:017 powerdns, dnsmasq, python, mailman, ruby, Opera, neon, rxvt-unicode, perl, wireshark, namazu, gnome-screensaver, mysql 2008-08-29
Mandriva MDVSA-2008:161 rxvt 2007-08-07
Gentoo 200805-03 aterm 2008-05-07

Comments (none posted)

xen: multiple vulnerabilities

Package(s):xen CVE #(s):CVE-2007-5730 CVE-2008-1943 CVE-2008-1944 CVE-2008-2004
Created:May 13, 2008 Updated:May 13, 2009
Description: From the Red Hat advisory:

Tavis Ormandy found that QEMU did not perform adequate sanity-checking of data received via the "net socket listen" option. A malicious local administrator of a guest domain could trigger this flaw to potentially execute arbitrary code outside of the domain. (CVE-2007-5730)

Markus Armbruster discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the frontend's framebuffer description. This could allow a malicious user to cause a denial of service, or to use a specially crafted frontend to compromise the privileged domain (Dom0). (CVE-2008-1943)

Daniel P. Berrange discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the format of messages serving to update the contents of the framebuffer. This could allow a malicious user to cause a denial of service, or compromise the privileged domain (Dom0). (CVE-2008-1944)

Chris Wright discovered a security vulnerability in the QEMU block format auto-detection, when running fully-virtualized guests. Such fully-virtualized guests, with a raw formatted disk image, were able to write a header to that disk image describing another format. This could allow such guests to read arbitrary files in their hypervisor's host. (CVE-2008-2004)

Alerts:
Ubuntu USN-776-2 USN-776-1 fixed 2009-05-13
Ubuntu USN-776-1 kvm 2009-05-12
Mandriva MDVSA-2008:162 qemu 2008-08-07
SuSE SUSE-SR:2008:013 thunderbird, xulrunner, tkimg, cups, qemu, gstreamer010-plugins-good, pan, libxslt 2008-06-13
CentOS CESA-2008:0194 xen 2008-05-16
Red Hat RHSA-2008:0194-01 xen 2008-05-13

Comments (none posted)

zoneminder: arbitrary code execution

Package(s):zoneminder CVE #(s):CVE-2008-1381
Created:May 12, 2008 Updated:May 14, 2008
Description:

From the Red Hat bugzilla:

ZoneMinder prior to version 1.23.3 contains unescaped PHP exec() calls which can allow an authorised remote user the ability to run arbitrary code as the Apache httpd user.

Alerts:
Fedora FEDORA-2008-3601 zoneminder 2008-05-13
Fedora FEDORA-2008-3462 zoneminder 2008-05-09
Fedora FEDORA-2008-3516 zoneminder 2008-05-09

Comments (none posted)

Page editor: Jake Edge


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds