Security
Fedora and CAPP
Removing the ability for regular users to execute "system" programs has a certain appeal, but does it really provide any extra security? A thread on the fedora-devel mailing list explores that question in the context of usermod (and other, similar tools), which had their permissions changed more than two years ago in an effort to meet security certification requirements. Whether these changes, and at some level the certifications themselves, actually increase the security of the system is the open question.
Callum Lerwick noticed that running usermod no longer worked as a regular user. He has a habit of doing that to get a quick overview of the command syntax and options from the help page, but unless he uses sudo, that doesn't work. That was done on purpose as Steve Grubb describes:
LSPP and CAPP are two protection profiles that are used for Common Criteria security certifications (such as EAL4+) that Red Hat Enterprise Linux (RHEL) has earned. Because these tools can modify trusted databases (e.g. /etc/shadow), attempts to run them by untrusted users must be added to the audit log in order to comply with the certifications. But adding audit events requires the CAP_AUDIT_WRITE capability; in today's systems that effectively means setuid(0). As Grubb puts it: "IOW, if we open the permissions, we need to make these become setuid root so that we send audit events saying they failed."
Leaving aside the idea that only processes holding CAP_AUDIT_WRITE (in practice, root) are allowed to generate auditable events, which seems a bit bizarre, there is still the question of how much protection is provided by changing the file permissions. Seth Vidal asks:
Allowing users to download binaries "takes the system out of the certified configuration", according to Grubb, "So, if you need to be in the CAPP certified configuration, don't let users do this." This fairly clearly demonstrates the dubious nature of the security afforded by the current certifications. For the most part, the protection profiles define away nearly all of the interesting threats that most systems face today.
To a large extent, CAPP/LSPP certifications are the kinds of things listed in marketing materials for "enterprise" operating systems rather than serious attempts to address the real security needs of the vast majority of network connected systems. Grubb provides an excellent overview of some of the requirements of CAPP, along with how they are implemented in Fedora as part of the discussion. The CAPP information page gives the full story, however:
But CAPP does require that all attempts to modify trusted databases like the shadow password file generate an audit trail, so there is a lower-level audit rule set up for that file. Any access to /etc/shadow, for example, is logged as Grubb describes in his overview. That, though, raises other questions, as Lerwick points out:
The answer is that auditing execution of usermod by non-root users gains exactly one thing: CAPP compliance. It requires that binaries which modify trusted databases leave an audit trail. Even though any actual attempt to access the underlying file will be logged, just accessing the binary that could modify the file is also something that must be logged.
Part of the dismay displayed in the thread comes from the fact that Fedora will probably never be certified with CAPP for any number of reasons. So taking away longstanding user abilities, though there are reasonable alternatives like man usermod, for a certification that won't be done, doesn't sit well with some in the Fedora community. Though, as Jef Spaleta notes, there might be a use for the certification in a Fedora spin:
There is always going to be tension between the security needs of an "enterprise" distribution like RHEL and a more user/desktop-oriented distribution like Fedora. While the specific reduced functionality in this case is fairly minimal, the discussion increased the visibility of the auditing required for certification as well as what that means for both distributions. The original decision was made back in the Fedora Core days when there was much less visibility and community input into the process. Discussions like this will only help continue the process of opening up Fedora while also exposing some of the inadequacies of security certifications.
Brief items
PHP 5.2.7 withdrawn
The PHP 5.2.7 release has been withdrawn because it introduced a security hole. PHP users are advised to drop back to version 5.2.6 until the developers can put together a 5.2.8 update.

Update: PHP 5.2.8 is now available.
New vulnerabilities
Archive::Tar: directory traversal
| Package(s): | Archive-Tar | CVE #(s): | CVE-2007-4829 |
| Created: | December 10, 2008 | Updated: | July 22, 2010 |
| Description: | The Archive::Tar perl module, prior to version 1.40, suffers from a directory traversal vulnerability exploitable via a specially-crafted tar file. |
| Alerts: | |
awstats: fix incomplete fix for CVE-2008-3714
| Package(s): | awstats | CVE #(s): | CVE-2008-5080 |
| Created: | December 8, 2008 | Updated: | October 13, 2009 |
| Description: | From the Red Hat bugzilla entry: It was discovered that the upstream patch for cross-site scripting (XSS) issue in awstats known as CVE-2008-3714 does not completely resolve the problem and it still allows injection of quote characters. |
| Alerts: | |
clamav: denial of service
| Package(s): | clamav | CVE #(s): | CVE-2008-5314 |
| Created: | December 4, 2008 | Updated: | December 24, 2008 |
| Description: | clamav has a denial of service vulnerability. From the Debian advisory: Ilja van Sprundel discovered that ClamAV contains a denial of service condition in its JPEG file processing because it does not limit the recursion depth when processing JPEG thumbnails (CVE-2008-5314). |
| Alerts: | |
compiz-plugins: illegal access to desktop
| Package(s): | compiz-plugins | CVE #(s): | |
| Created: | December 9, 2008 | Updated: | December 10, 2008 |
| Description: | From the Ubuntu advisory: It was discovered that the Expo plugin for Compiz did not correctly restrict the screensaver window from being moved with the mouse. A local attacker could use the mouse to move the screensaver off the screen and gain access to the locked desktop session underneath. Default installs of Ubuntu were not vulnerable as Expo does not come pre-configured with mouse bindings. |
| Alerts: | |
dbus: security bypass
| Package(s): | dbus | CVE #(s): | CVE-2008-4311 |
| Created: | December 8, 2008 | Updated: | April 21, 2009 |
| Description: | From the freedesktop.org advisory: Joachim Breitner discovered a mistake in the default configuration for the system bus (system.conf) which made the default policy for both sent and received messages effectively *allow*, and not deny as intended. |
| Alerts: | |
java: arbitrary code execution
| Package(s): | java | CVE #(s): | CVE-2008-2086 |
| Created: | December 4, 2008 | Updated: | November 18, 2009 |
| Description: | Java has an arbitrary code execution vulnerability. From the Red Hat alert: A vulnerability was found in Java Web Start. If a user visits a malicious website, an attacker could misuse this flaw to execute arbitrary code. (CVE-2008-2086) |
| Alerts: | |
java-1.6.0-openjdk: multiple vulnerabilities
| Package(s): | java-1.6.0-openjdk | CVE #(s): | CVE-2008-5350 CVE-2008-5349 CVE-2008-5347 CVE-2008-5348 CVE-2008-5360 CVE-2008-5359 CVE-2008-5351 CVE-2008-5356 CVE-2008-5352 CVE-2008-5358 CVE-2008-5353 CVE-2008-5354 CVE-2008-5357 |
| Created: | December 8, 2008 | Updated: | November 18, 2009 |
| Description: | From the Fedora advisory: [ 1 ] Bug #472201 - CVE-2008-5350 OpenJDK allows to list files within the user home directory (6484091) https://bugzilla.redhat.com/show_bug.cgi?id=472201 |
| Alerts: | |
kernel: buffer overflow
| Package(s): | linux-2.6.24 | CVE #(s): | CVE-2008-5134 |
| Created: | December 5, 2008 | Updated: | February 4, 2009 |
| Description: | The kernel has a buffer overflow vulnerability. From the National Vulnerability Database entry: Buffer overflow in the lbs_process_bss function in drivers/net/wireless/libertas/scan.c in the libertas subsystem in the Linux kernel before 2.6.27.5 allows remote attackers to have an unknown impact via an "invalid beacon/probe response." |
| Alerts: | |
kernel: denial of service
| Package(s): | linux-2.6.24 | CVE #(s): | CVE-2008-5300 |
| Created: | December 5, 2008 | Updated: | November 4, 2009 |
| Description: | The kernel has a denial of service vulnerability. From the National Vulnerability Database entry: Linux kernel 2.6.28 allows local users to cause a denial of service ("soft lockup" and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029. |
| Alerts: | |
kernel: privilege escalation
| Package(s): | linux-2.6.24 | CVE #(s): | CVE-2008-5182 |
| Created: | December 5, 2008 | Updated: | February 25, 2009 |
| Description: | The kernel has a privilege escalation vulnerability. From the National Vulnerability Database entry: The inotify functionality in Linux kernel 2.6 before 2.6.28-rc5 might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount. |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2008-5079 |
| Created: | December 9, 2008 | Updated: | October 5, 2009 |
| Description: | From the CVE entry: net/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8 and earlier allows local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table. |
| Alerts: | |
lcms: buffer overflows
| Package(s): | lcms | CVE #(s): | CVE-2008-5316 CVE-2008-5317 |
| Created: | December 10, 2008 | Updated: | January 8, 2009 |
| Description: | The lcms (Little CMS) color management library suffers from a couple of buffer overflow vulnerabilities which could be exploited via a specially-crafted image file. |
| Alerts: | |
mgetty: insecure use of tmp file
| Package(s): | mgetty | CVE #(s): | CVE-2008-4936 |
| Created: | December 8, 2008 | Updated: | December 10, 2008 |
| Description: | From the Gentoo advisory: Dmitry E. Oboukhov reported that the "spooldir" directory in fax/faxspool.in is created in an insecure manner. A local attacker could exploit this vulnerability to overwrite arbitrary files with the privileges of the user running the application. |
| Alerts: | |
apache: multiple vulnerabilities
| Package(s): | apache | CVE #(s): | CVE-2007-6420 CVE-2008-2364 CVE-2008-2939 |
| Created: | December 5, 2008 | Updated: | December 7, 2009 |
| Description: | The Apache web server has multiple vulnerabilities. From the Red Hat vulnerability report: A flaw was found in the mod_proxy module. An attacker who has control of a web server to which requests are being proxied could cause a limited denial of service due to CPU consumption and stack exhaustion. (CVE-2008-2364) A flaw was found in the mod_proxy_ftp module. Where Apache is configured to support ftp-over-httpd proxying, a remote attacker could perform a cross-site scripting attack. (CVE-2008-2939) A cross-site request forgery issue was found in the mod_proxy_balancer module. A remote attacker could cause a denial of service if mod_proxy_balancer is enabled and an authenticated user is targeted. (CVE-2007-6420) |
| Alerts: | |
ruby: denial of service
| Package(s): | ruby | CVE #(s): | CVE-2008-4310 |
| Created: | December 5, 2008 | Updated: | December 10, 2008 |
| Description: | ruby has a denial of service vulnerability. From the Red Hat security advisory: Vincent Danen reported that Red Hat Security Advisory RHSA-2008:0897 did not properly address a denial of service flaw in the WEBrick (Ruby HTTP server toolkit), known as CVE-2008-3656. This flaw allowed a remote attacker to send a specially-crafted HTTP request to a WEBrick server that would cause the server to use excessive CPU time. This update properly addresses this flaw. (CVE-2008-4310) |
| Alerts: | |
squirrelmail: cross-site scripting
| Package(s): | squirrelmail | CVE #(s): | CVE-2008-2379 |
| Created: | December 8, 2008 | Updated: | May 13, 2009 |
| Description: | From the Debian advisory: Ivan Markovic discovered that SquirrelMail, a webmail application, did not sufficiently sanitise incoming HTML email, allowing an attacker to perform cross site scripting through sending a malicious HTML email. |
| Alerts: | |
syslog-ng: chroot jail escape
| Package(s): | syslog-ng | CVE #(s): | CVE-2008-5110 |
| Created: | December 8, 2008 | Updated: | July 13, 2009 |
| Description: | From the Red Hat bugzilla entry: syslog-ng does not call chdir before it calls chroot, which might allow attackers to escape the intended jail. NOTE: this is only a vulnerability when a separate vulnerability is present. |
| Alerts: | |
vim: information exposure
| Package(s): | vim | CVE #(s): | CVE-2008-4677 |
| Created: | December 4, 2008 | Updated: | March 24, 2009 |
| Description: | The vim editor has an information exposure vulnerability. From the Mandriva alert: A vulnerability was found in certain versions of netrw.vim where it would send FTP credentials stored for an FTP session to subsequent FTP sessions to servers on different hosts, exposing FTP credentials to remote hosts (CVE-2008-4677). |
| Alerts: | |
vinagre: format string flaw
| Package(s): | vinagre | CVE #(s): | |
| Created: | December 8, 2008 | Updated: | December 11, 2008 |
| Description: | From the Ubuntu advisory: Alfredo Ortega discovered a flaw in Vinagre's use of format strings. A remote attacker could exploit this vulnerability if they tricked a user into connecting to a malicious VNC server, or opening a specially crafted URI with Vinagre. |
| Alerts: | |
Page editor: Jake Edge
