Security
SSL certificates and MD5 collisions
There is a fair amount of confusion surrounding the recent research resulting in the ability to create bogus SSL certificates. The research combined a weakness in the certificate generation process with the ability to create MD5 hash collisions and generated a certificate that would be accepted by all browsers. That certificate could be used to sign other certificates, allowing the researchers to create a valid certificate purporting to be from any domain they chose.
Cryptographic hashes like MD5 are used in digital signature algorithms; in effect it is the hash that is signed as a stand-in for the actual content. It has been known since 2004 that MD5 collisions, two different inputs generating the same hash value, could feasibly be found. So a signature on data with a specific MD5 hash is also a valid signature on any other data that hashes to the same value. What the researchers did was to create a certificate that the certificate authority (CA), in this case RapidSSL, was willing to sign, then transfer that signature to a different certificate. That second certificate hashed to the same value but was marked as a CA certificate, giving it the ability to sign additional certificates. Because the two certificates had to differ in meaningful fields rather than in a few arbitrary bytes, this required a chosen-prefix collision, which is considerably more expensive to compute than the collisions demonstrated in 2004.
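The signature-transfer step described above, as an added example that is not code from the article or from the researchers' work. It uses the public Wang et al. (2004) MD5 collision pair (an identical-prefix collision, so the two bodies differ in only six bytes rather than in the meaningful fields a chosen-prefix collision would allow) and a toy textbook-RSA key with a Mersenne-prime modulus standing in for the CA's signing key. The "certificate bodies" are constructed byte strings, not X.509 structures.

```python
"""Added example: why an MD5 collision lets a signature move between messages.

Not code from the article or the researchers. Uses the public Wang et al.
(2004) MD5 collision pair and a toy textbook-RSA key (no padding) standing
in for the CA's signing key.
"""
import hashlib
from binascii import unhexlify

# Two 128-byte inputs with the same MD5 digest (Wang, Feng, Lai, Yu, 2004).
# They differ in exactly six bytes.
M0 = unhexlify(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
M1 = unhexlify(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")

# Toy RSA key (assumption: a real CA uses a padded signature scheme, not this).
# 2^521-1 and 2^607-1 are Mersenne primes, giving a ~1128-bit modulus that
# holds a 128-bit MD5 or 256-bit SHA-256 digest as an integer without reduction.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def digest_int(message: bytes, hash_name: str) -> int:
    return int.from_bytes(hashlib.new(hash_name, message).digest(), "big")


def sign(message: bytes, hash_name: str) -> int:
    """The signer commits only to H(message); the message itself is not signed."""
    return pow(digest_int(message, hash_name), D, N)


def verify(message: bytes, signature: int, hash_name: str) -> bool:
    return pow(signature, E, N) == digest_int(message, hash_name)


def same_md5(a: bytes, b: bytes) -> bool:
    return hashlib.md5(a).digest() == hashlib.md5(b).digest()


# Constructed stand-ins for certificate bodies (not real X.509). MD5 is an
# iterated hash, so once two prefixes collide, appending the same suffix to
# both keeps the digests equal.
TAIL = b"constructed certificate fields shared by both bodies"
BENIGN = M0 + TAIL  # the body the CA is willing to sign
ROGUE = M1 + TAIL   # the body the attacker wants that signature on


def signature_transfers(hash_name: str) -> bool:
    """Does a signature the CA issued over BENIGN verify over ROGUE?"""
    ca_signature = sign(BENIGN, hash_name)
    return verify(ROGUE, ca_signature, hash_name)


if __name__ == "__main__":
    print("MD5 collision holds:", same_md5(BENIGN, ROGUE))
    print("signature transfers under MD5:", signature_transfers("md5"))
    print("signature transfers under SHA-256:", signature_transfers("sha256"))
```

The CA's signature over BENIGN verifies over ROGUE when MD5 is the hash, and fails when SHA-256 is, which is the whole content of the attack: nothing about RSA is broken, the signature simply covers a digest that two inputs share.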
This is a very significant attack on SSL, and it was addressed rather quickly. One wonders why these certificate authorities were still using MD5 long after it had been deprecated because of the collision vulnerability. Inertia is the likely culprit, but RapidSSL and the other CAs using MD5 changed to SHA-1 quickly, within hours of the report in some cases. In addition, RapidSSL stopped using sequential serial numbers in certificates. The serial number sits inside the signed part of the certificate, so the researchers had to predict it (along with the validity period) before the CA issued the certificate; sequential serials made that easy, and they needed only four attempts, with a 200-node PlayStation 3 cluster computing the collisions, to obtain their colliding certificate. A random serial number drawn from a sizable range once again makes this attack infeasible, at least on today's hardware.
Eventually, MD5 will no longer be accepted as the hash used in the signatures on certificates, or on anything else, probably, but as of now SSL implementations will accept them. There are large numbers of such certificates in use today, so browsers cannot just stop accepting them. CAs are generally offering their customers free replacement certificates that use SHA-1. Because users rarely root through the certificates presented to their browser to determine what hash algorithm was used, there is an extension for Firefox called SSL Blacklist that detects these certificates and pops up a warning.
But, for those sites affected—LWN for example—it can be a bit worrying to hear from users that their certificate may be bad. The LWN certificate and countless others are really no more vulnerable to this attack than any other. A site that has an SHA-1 signature can be spoofed by this attack as easily as one with an MD5 signature. But a site that has an MD5 signed certificate does make it harder to switch away from MD5. That switch won't happen soon in any case, but it could be slowed down by sites that are slow to change.
If an attacker currently has a certificate of the type that the researchers created, they can use it to sign certificates for any domain they wish, and they can use SHA-1 in that signature. This particular vulnerability requires an MD5 signed certificate in the chain of certificates, but does not require that the final, domain-specific certificate be signed with MD5. It should also be noted that some of the root certificates distributed with browsers are MD5-signed. Those are not vulnerable because they are distributed with the browser—if an attacker can change one's root certificate stash, there are much easier attacks possible. For this reason, SSL Blacklist looks for MD5 signatures in the certificate chain anywhere after the root certificate.
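The check described above (MD5 anywhere in the chain except the root), as an added example. This is not SSL Blacklist's code; it is a minimal DER walker written for this page. The certificates it scans are constructed in the block and keep only the outer X.509 layout (tbsCertificate, signatureAlgorithm, signatureValue); their tbsCertificate bodies are placeholders, but the extraction function walks the same outer structure a real DER certificate has.

```python
"""Added example: spot MD5 signatures in a certificate chain below the root.

Not SSL Blacklist's code. The certificates are constructed here; only the
outer Certificate SEQUENCE matches X.509, the tbsCertificate is a placeholder.
"""
from __future__ import annotations

# AlgorithmIdentifier OIDs for RSA signatures (PKCS #1 arc).
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
MD5_OIDS = {MD5_WITH_RSA}


# --- tiny DER encoder, used only to build the sample chain ------------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def fake_cert(subject: str, sig_oid: str) -> bytes:
    """Constructed certificate: only the outer Certificate SEQUENCE is real."""
    tbs = tlv(0x30, tlv(0x0C, subject.encode()))        # placeholder tbsCertificate
    alg = tlv(0x30, der_oid(sig_oid) + tlv(0x05, b""))  # AlgorithmIdentifier
    sig = tlv(0x03, b"\x00" * 17)                        # BIT STRING, dummy signature
    return tlv(0x30, tbs + alg + sig)


# --- decoder: this part works on real DER certificates too -----------------
def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for buf[pos:]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Certificate.signatureAlgorithm.algorithm, i.e. the hash the issuer used."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert)          # tbsCertificate: skipped
    tag, alg, _ = read_tlv(cert, pos)      # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("bad AlgorithmIdentifier")
    tag, oid, _ = read_tlv(alg)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier without OID")
    return decode_oid(oid)


def md5_signed_below_root(chain: list[bytes]) -> list[int]:
    """Indices of MD5-signed certificates, ignoring the trust anchor.

    chain is ordered leaf -> intermediates -> root. The root's own signature
    is irrelevant: it is trusted because it ships with the browser.
    """
    return [i for i, cert in enumerate(chain[:-1])
            if signature_algorithm_oid(cert) in MD5_OIDS]


# Constructed sample: MD5 root (harmless), MD5 intermediate (the problem),
# SHA-1 leaf (the end-entity hash does not matter).
ROOT = fake_cert("Example Root CA", MD5_WITH_RSA)
INTERMEDIATE = fake_cert("Example Issuing CA", MD5_WITH_RSA)
LEAF = fake_cert("www.example.test", SHA1_WITH_RSA)
CHAIN = [LEAF, INTERMEDIATE, ROOT]

if __name__ == "__main__":
    for i, cert in enumerate(CHAIN):
        print(i, signature_algorithm_oid(cert))
    print("MD5 below root at:", md5_signed_below_root(CHAIN))
```

On this sample the scanner reports only the intermediate: the SHA-1 leaf is not a problem and the MD5 root is excluded, matching the rule described above. Against a real chain, the same `signature_algorithm_oid` walk applies, since it reads only the outer Certificate SEQUENCE.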
This incident is a good illustration of how cryptographic research often proceeds. First, small cracks are found in an algorithm, causing some worry in cryptographic circles, then partial attacks are found, which generally starts to raise the alarm in the wider security community. But it usually takes a full-scale attack or proof-of-concept to really cause those who use the algorithms, knowingly or unknowingly, to take remedial action. That delay provides a nice window that attackers can and will exploit.
New vulnerabilities
bind: validation bypass
Package(s): Bind
CVE #(s): CVE-2009-0025
Created: January 9, 2009
Updated: July 30, 2009
Description: From the Red Hat advisory: A flaw was discovered in the way BIND checked the return value of the OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, allowing spoofing attacks.
Alerts:
cups: insecure tmp file usage
Package(s): cups, cupsys
CVE #(s): CVE-2008-5377
Created: January 12, 2009
Updated: January 14, 2009
Description: From the Ubuntu advisory: It was discovered that the example pstopdf CUPS filter created log files in an insecure way. Local users could exploit a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
gforge: insufficient input sanitizing
Package(s): gforge
CVE #(s): CVE-2008-2381
Created: January 9, 2009
Updated: January 14, 2009
Description: From the Debian advisory: It was discovered that GForge, a collaborative development tool, insufficiently sanitizes some input allowing a remote attacker to perform SQL injection.
Alerts:
git: arbitrary code execution
Package(s): git
CVE #(s): CVE-2008-5517
Created: January 12, 2009
Updated: March 9, 2009
Description: From the SUSE advisory: Insufficient quoting of shell characters allowed remote attackers to execute arbitrary commands via the git web interface (CVE-2008-5517).
Alerts:
hplip: privilege escalation
Package(s): hplip
CVE #(s):
Created: January 14, 2009
Updated: January 16, 2009
Description: The hplip installation script was caught in the act of modifying permissions on files in users' home directories. This behavior could be exploited by a local user to change permissions on arbitrary files.
Alerts:
imap: denial of service
Package(s): imap
CVE #(s): CVE-2008-5514
Created: January 12, 2009
Updated: January 6, 2010
Description: From the SUSE advisory: Insufficient buffer length checks in the imap client library may crash applications that use the library to print formatted email addresses. The imap daemon itself is not affected but certain versions of e.g. the php imap module are (CVE-2008-5514).
Alerts:
java: multiple vulnerabilities
Package(s): Java
CVE #(s): CVE-2008-5339 CVE-2008-5340 CVE-2008-5341 CVE-2008-5342 CVE-2008-5343 CVE-2008-5344 CVE-2008-5345 CVE-2008-5346 CVE-2008-5355
Created: January 9, 2009
Updated: November 18, 2009
Description: Numerous security issues, such as privilege escalations and sandbox breakouts, were found in Sun's Java package.
Alerts:
jhead: multiple vulnerabilities
Package(s): jhead
CVE #(s): CVE-2008-4639 CVE-2008-4640 CVE-2008-4641
Created: January 12, 2009
Updated: March 5, 2009
Description: From the Gentoo advisory:
* An insecure creation of a temporary file (CVE-2008-4639).
* An error when unlinking a file (CVE-2008-4640).
* Insufficient escaping of shell metacharacters (CVE-2008-4641).
A remote attacker could possibly execute arbitrary code by enticing a user or automated system to open a file with a long filename or via unspecified vectors. It is also possible to trick a user into deleting or overwriting files.
Alerts:
lasso: certificate verification bypass
Package(s): lasso
CVE #(s): CVE-2009-0050
Created: January 12, 2009
Updated: January 14, 2009
Description: From the CVE entry: Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.
Alerts:
mplayer: arbitrary code execution
Package(s): MPlayer
CVE #(s): CVE-2008-5616
Created: January 12, 2009
Updated: April 29, 2009
Description: From the Gentoo advisory: Tobias Klein reported a stack-based buffer overflow in the demux_open_vqf() function in libmpdemux/demux_vqf.c when processing malformed TwinVQ files (CVE-2008-5616). A remote attacker could entice a user to open a specially crafted STR, Real Media, or TwinVQ file to execute arbitrary code or cause a Denial of Service.
Alerts:
ntp: signature verification vulnerability
Package(s): ntp
CVE #(s): CVE-2009-0021
Created: January 9, 2009
Updated: April 10, 2009
Description: From the Ubuntu advisory: It was discovered that NTP did not properly perform signature verification. A remote attacker could exploit this to bypass certificate validation via a malformed SSL/TLS signature.
Alerts:
online-bookmarks: multiple vulnerabilities
Package(s): online-bookmarks
CVE #(s): CVE-2004-2155 CVE-2006-6358 CVE-2006-6359
Created: January 13, 2009
Updated: January 14, 2009
Description: From the Gentoo advisory: The following vulnerabilities were reported:
* Authentication bypass when directly requesting certain pages (CVE-2004-2155).
* Insufficient input validation in the login function in auth.inc (CVE-2006-6358).
* Unspecified cross-site scripting vulnerability (CVE-2006-6359).
A remote attacker could exploit these vulnerabilities to bypass authentication mechanisms, execute arbitrary SQL statements or inject arbitrary web scripts.
Alerts:
pam_mount: insecure tmp file usage
Package(s): pam_mount
CVE #(s): CVE-2008-5138
Created: January 12, 2009
Updated: March 2, 2009
Description: From the Mandriva advisory: The passwdehd script in pam_mount would allow local users to overwrite arbitrary files via a symlink attack on a temporary file.
Alerts:
pdnsd: denial of service
Package(s): pdnsd
CVE #(s): CVE-2008-4194
Created: January 12, 2009
Updated: January 14, 2009
Description: From the Gentoo advisory: The p_exec_query() function in src/dns_query.c does not properly handle many entries in the answer section of a DNS reply, related to a "dangling pointer bug" (CVE-2008-4194). [This] can be exploited by enticing pdnsd to send a query to a malicious DNS server, or using the port randomization weakness, and might lead to a Denial of Service.
Alerts:
python: multiple vulnerabilities
Package(s): python
CVE #(s): CVE-2008-4864 CVE-2008-5031
Created: January 12, 2009
Updated: July 30, 2009
Description: From the Mandriva advisory: Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679. (CVE-2008-4864) Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315. (CVE-2008-5031)
Alerts:
qemu: password guessing
Package(s): qemu
CVE #(s): CVE-2008-5714
Created: January 14, 2009
Updated: October 13, 2009
Description: An off-by-one error in QEMU 0.9.1 makes password guessing attacks easier than they should be.
Alerts:
Streamripper: multiple vulnerabilities
Package(s): streamripper
CVE #(s): CVE-2008-4829
Created: January 12, 2009
Updated: January 14, 2009
Description: From the Gentoo advisory: Stefan Cornelius from Secunia Research reported multiple buffer overflows in the http_parse_sc_header(), http_get_pls() and http_get_m3u() functions in lib/http.c when parsing overly long HTTP headers, or pls and m3u playlists with overly long entries. A remote attacker could entice a user to connect to a malicious server, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.
Alerts:
vinagre: arbitrary code execution
Package(s): vinagre
CVE #(s): CVE-2008-5660
Created: January 12, 2009
Updated: March 9, 2009
Description: From the SUSE advisory: A format string problem in vinagre potentially allowed malicious VNC servers to have a vinagre client that connects to the server execute arbitrary code. (CVE-2008-5660)
Alerts:
zaptel: arbitrary code execution
Package(s): zaptel
CVE #(s): CVE-2008-5396 CVE-2008-5744
Created: January 12, 2009
Updated: January 14, 2009
Description: From the Debian advisory: An array index error in zaptel, a set of drivers for telephony hardware, could allow users to crash the system or escalate their privileges by overwriting kernel memory (CVE-2008-5396). From the CVE-2008-5744 entry: Array index error in the dahdi/tor2.c driver in Zaptel (aka DAHDI) 1.4.11 and earlier allows local users in the dialout group to overwrite an integer value in kernel memory by writing to /dev/zap/ctl, related to an incorrect tor2 patch for CVE-2008-5396 that uses the wrong variable in a range check against the value of lc->sync.
Alerts:
Page editor: Jake Edge