
Security

SSL certificates and MD5 collisions

By Jake Edge
January 14, 2009

There is a fair amount of confusion surrounding the research, presented at the end of December 2008, that resulted in the ability to create bogus SSL certificates. The research combined a weakness in one certificate authority's issuance process with the ability to create MD5 hash collisions, and produced a certificate that would be accepted by all browsers. That certificate was a CA certificate: it could be used to sign other certificates, allowing the researchers to create a valid-looking certificate for any domain they chose.

Cryptographic hashes, like MD5, are used in digital signature algorithms; in effect it is the hash that is signed, as a stand-in for the actual content. It has been known since 2004 that MD5 collisions, two different inputs producing the same hash value, could feasibly be found. So a signature on data with a specific MD5 hash is also a valid signature on any other data that hashes to the same value; the verifier never sees which of the two inputs the signer was looking at. What the researchers did was to create a certificate request that the certificate authority (CA), in this case RapidSSL, was willing to sign, then transfer that signature to a different certificate whose to-be-signed contents hashed to the same value. That second certificate had the CA flag set (basicConstraints CA:TRUE), so it could itself sign additional certificates. Doing this required a chosen-prefix collision, where the two colliding inputs begin with different, attacker-chosen content, which is harder to find than the identical-prefix collisions published in 2004, and it required knowing in advance every byte the CA would place in the certificate before computing the signature.
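The mechanism in the paragraph above, as an added example that is not part of the original article or the researchers' work: it uses the identical-prefix MD5 collision pair published by Wang et al. in 2004 (the certificate attack needed the harder chosen-prefix variant), has a toy "CA" sign the MD5 digest of one input with textbook RSA, and then shows the same signature verifying over the other input. The RSA key, the `ca_sign`/`verify` helpers and the appended suffix are assumptions made for the demonstration; only the two colliding 128-byte inputs are real.

```python
import hashlib

# Two distinct 128-byte inputs (two MD5 blocks each) with the same MD5 digest: the
# collision pair published by Wang, Feng, Lai and Yu in 2004. They differ in six bytes.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Toy "CA" key (assumption): textbook RSA from two Mersenne primes. Far too small for
# real use; it only needs a modulus larger than a 128-bit MD5 digest so the maths round-trips.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def md5_int(data: bytes) -> int:
    """The value a signer actually works on: the digest, not the data."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def ca_sign(data: bytes) -> int:
    """Unpadded RSA over the MD5 digest. Real CAs apply PKCS#1 padding first, which changes
    nothing here: the padded value still depends only on the digest."""
    return pow(md5_int(data), D, N)


def verify(data: bytes, sig: int) -> bool:
    """What a relying party does: recompute the digest and compare with the signed value."""
    return pow(sig, E, N) == md5_int(data)


def demo(suffix: bytes = b"...constructed common tail, e.g. the rest of a certificate...") -> dict:
    """Get the CA to sign the benign input, then present that signature with the rogue one.
    Because MD5 is a Merkle-Damgard construction and both inputs are whole blocks of equal
    length, any identical suffix appended to both keeps them colliding."""
    benign, rogue = BLOCK_A + suffix, BLOCK_B + suffix
    sig = ca_sign(benign)                     # the only thing the CA ever saw was `benign`
    return {
        "inputs_differ": benign != rogue,
        "digests_match": md5_int(benign) == md5_int(rogue),
        "signature_transfers": verify(rogue, sig),
        "other_input_rejected": not verify(rogue + b"!", sig),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The suffix trick is why the colliding blocks could be tucked away inside certificate fields (the researchers placed them in the RSA modulus of the legitimate certificate and in an extension of the rogue one): everything after the collision only has to be identical in both certificates, not meaningful.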

This is a very significant attack on SSL, and one that was addressed rather quickly. One wonders why these certificate authorities were still using MD5 long after it had been deprecated because of the collision vulnerability. Inertia is the likely culprit, but RapidSSL and other CAs using MD5 changed to SHA-1 after the report, within hours in some cases. In addition, RapidSSL stopped using sequential serial numbers in certificates. Sequential serial numbers, together with an issuance process that stamped the validity period a predictable interval after purchase, meant the researchers could guess the exact contents of the certificate the CA was about to sign; that predictability helped them immensely, so that they only needed four attempts (computing a fresh collision for each attempt on a 200-node PlayStation 3 cluster) to obtain their colliding certificate. A random serial number over a sizable range once again makes this attack infeasible, at least on today's hardware: the attacker has to commit to every byte of the to-be-signed data before the collision search starts, and cannot afford a new search for each guess.

Eventually, MD5 will no longer be accepted as the hash used in the signatures on certificates, or anything else, probably, but as of now SSL implementations will accept it. There are large numbers of such certificates in use today, so browsers cannot just stop accepting them. CAs are generally offering their customers free replacement certificates that use SHA-1; that is the pragmatic step at this point rather than a long-term answer, since SHA-1 has had theoretical collision attacks of its own since 2005. Because users rarely root through the certificates presented to their browser to determine what hash algorithm was used, there is an extension for Firefox called SSL Blacklist that detects these certificates and pops up a warning.

But, for those sites affected, LWN for example, it can be a bit worrying to hear from users that their certificate may be bad. The LWN certificate and countless others are really no more vulnerable to this attack than any other: the hash used in a site's own certificate signature plays no part in it, so a site with a SHA-1 signature can be spoofed by this attack as easily as one with an MD5 signature. What an MD5-signed site certificate does do is make it harder for browsers to stop accepting MD5 signatures altogether. That switch won't happen soon in any case, but it could be slowed down further by sites that are slow to change.

If an attacker currently has a certificate of the type that the researchers created, they can use it to sign certificates for any domain they wish, and they can use SHA-1 in that signature. This particular vulnerability requires an MD5-signed certificate somewhere in the chain of certificates, but does not require that the final, domain-specific certificate be signed with MD5. It should also be noted that some of the root certificates distributed with browsers are MD5-signed. Those are not vulnerable because they are distributed with the browser and their self-signatures are never verified; if an attacker can change one's root certificate store, there are much easier attacks possible. For this reason, SSL Blacklist looks for MD5 signatures in the certificate chain anywhere below the root certificate.
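The check SSL Blacklist performs, as an added example that is not the extension's code: a small DER walker that pulls the signature algorithm OID out of each certificate in a chain and reports any MD5 (or MD2) signature on every certificate except the trust anchor, whose self-signature no client verifies. It also compares the outer `signatureAlgorithm` with the `signature` field inside `tbsCertificate`, which RFC 5280 requires to be equal; a mismatch is a sign of something odd. The `fake_cert` fixtures are constructed DER skeletons, not real certificates, and the `check_chain`/`signature_oid` names are assumptions for this example.

```python
# Signature-algorithm OIDs from RFC 3279 / RFC 5280.
OID_MD2_RSA = "1.2.840.113549.1.1.2"
OID_MD5_RSA = "1.2.840.113549.1.1.4"
OID_SHA1_RSA = "1.2.840.113549.1.1.5"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
WEAK_SIGNATURE_OIDS = {OID_MD2_RSA: "md2WithRSA", OID_MD5_RSA: "md5WithRSA"}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def decode_oid(raw):
    """OBJECT IDENTIFIER contents to dotted form (first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                 # base-128, high bit set on all but the last byte of an arc
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def algorithm_oid(buf, pos):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }; return the OID."""
    tag, start, _ = read_tlv(buf, pos)
    assert tag == 0x30, "expected SEQUENCE"
    tag, oid_start, oid_end = read_tlv(buf, start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(buf[oid_start:oid_end])


def signature_oid(cert):
    """Certificate.signatureAlgorithm: the outer field that follows tbsCertificate."""
    _, tbs_pos, _ = read_tlv(cert, 0)          # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, tbs_end = read_tlv(cert, tbs_pos)    # skip the whole tbsCertificate
    return algorithm_oid(cert, tbs_end)


def tbs_signature_oid(cert):
    """tbsCertificate.signature: the copy inside the signed region; RFC 5280 says it must match."""
    _, tbs_pos, _ = read_tlv(cert, 0)
    _, pos, _ = read_tlv(cert, tbs_pos)        # descend into tbsCertificate
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        pos = end
    tag, _, end = read_tlv(cert, pos)          # serialNumber
    assert tag == 0x02, "expected serialNumber INTEGER"
    return algorithm_oid(cert, end)


def check_chain(chain):
    """chain: DER certificates, leaf first, trust anchor last. Returns (index, oid, problem)
    for each certificate whose signature a client actually verifies, i.e. all but the root;
    the root's self-signature is never checked, so its hash algorithm is irrelevant."""
    findings = []
    for i, cert in enumerate(chain[:-1]):
        outer, inner = signature_oid(cert), tbs_signature_oid(cert)
        if outer != inner:
            findings.append((i, outer, "signatureAlgorithm differs from tbsCertificate.signature"))
        if outer in WEAK_SIGNATURE_OIDS:
            findings.append((i, outer, "signed with " + WEAK_SIGNATURE_OIDS[outer]))
    return findings


# Constructed fixtures: a bare DER skeleton carrying only the fields read above. These are
# not valid certificates (no subject, key or real signature); they exist to exercise the checker.
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def fake_cert(sig_oid, tbs_sig_oid=None):
    alg = lambda oid: der(0x30, encode_oid(oid) + der(0x05, b""))      # OID + NULL parameters
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                     # [0] version v3
                    + der(0x02, b"\x01\x00")                           # serialNumber (made up)
                    + alg(tbs_sig_oid or sig_oid)                      # inner signature field
                    + der(0x30, b""))                                  # issuer and the rest omitted
    return der(0x30, tbs + alg(sig_oid) + der(0x03, b"\x00" + b"\xAA" * 16))  # dummy BIT STRING


if __name__ == "__main__":
    # Leaf signed with SHA-1 by an MD5-signed intermediate under an MD5-signed root:
    # only the intermediate is reported, which is exactly the case described above.
    chain = [fake_cert(OID_SHA1_RSA), fake_cert(OID_MD5_RSA), fake_cert(OID_MD5_RSA)]
    print(check_chain(chain))
```

To run it against a real chain, feed `check_chain` the DER bytes of each certificate (Python's `ssl.PEM_cert_to_DER_cert` converts a PEM string). The same fact can be read off by hand with `openssl x509 -in cert.pem -noout -text` and looking at the "Signature Algorithm" line of each certificate in the chain, remembering to ignore the root.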

This incident is a good illustration of how cryptographic research often proceeds. First, small cracks are found in an algorithm, causing some worry in cryptographic circles, then partial attacks are found, which generally starts to raise the alarm in the wider security community. But it usually takes a full-scale attack or proof-of-concept to really cause those who use the algorithms, knowingly or unknowingly, to take remedial action. That delay provides a nice window that attackers can and will exploit.

Comments (19 posted)

New vulnerabilities

bind: validation bypass

Package(s):Bind CVE #(s):CVE-2009-0025
Created:January 9, 2009 Updated:July 30, 2009
Description: From the Red Hat advisory: A flaw was discovered in the way BIND checked the return value of the OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, allowing spoofing attacks.
Alerts:
Fedora FEDORA-2009-8119 bind 2009-07-30
Gentoo 200903-14 bind 2009-03-09
Mandriva MDVSA-2009:037 bind 2009-02-16
CentOS CESA-2009:0020 Bind 2009-01-09
Fedora FEDORA-2009-0451 bind 2009-01-14
Ubuntu USN-706-1 bind9 2009-01-09
rPath rPSA-2009-0009-1 bind 2009-01-20
Fedora FEDORA-2009-0350 bind 2009-01-14
Debian DSA-1703-1 bind9 2009-01-12
Mandriva MDVSA-2009:002 bind 2009-01-09
SuSE SUSE-SA:2009:005 bind 2009-01-22
Slackware SSA:2009-014-02 bind 2009-01-15
Red Hat RHSA-2009:0020-01 Bind 2009-01-08

Comments (none posted)

cups: insecure tmp file usage

Package(s):cups, cupsys CVE #(s):CVE-2008-5377
Created:January 12, 2009 Updated:January 14, 2009
Description:

From the Ubuntu advisory:

It was discovered that the example pstopdf CUPS filter created log files in an insecure way. Local users could exploit a race condition to create or overwrite files with the privileges of the user invoking the program.

Alerts:
Ubuntu USN-707-1 cups, cupsys 2009-01-12

Comments (none posted)

gforge: insufficient input sanitizing

Package(s):gforge CVE #(s):CVE-2008-2381
Created:January 9, 2009 Updated:January 14, 2009
Description: From the Debian advisory: It was discovered that GForge, a collaborative development tool, insufficiently sanitizes some input allowing a remote attacker to perform SQL injection.
Alerts:
Debian DSA-1698-1 gforge 2009-01-09

Comments (none posted)

git: arbitrary code execution

Package(s):git CVE #(s):CVE-2008-5517
Created:January 12, 2009 Updated:March 9, 2009
Description:

From the SUSE advisory:

Insufficient quoting of shell characters allowed remote attackers to execute arbitrary commands via the git web interface (CVE-2008-5517)

Alerts:
Gentoo 200903-15 git 2009-03-09
Slackware SSA:2009-051-02 git 2009-02-23
Ubuntu USN-723-1 git-core 2009-02-18
Debian DSA-1708-1 git-core 2009-01-19
SuSE SUSE-SR:2009:001 ethereal/wireshark, mysql, imap, rsyslog, courier-authlib, nfs-utils, libxml2, python, jhead, git, samba, vinagre, opera 2009-01-12
rPath rPSA-2009-0005-1 git 2009-01-13

Comments (2 posted)

hplip: privilege escalation

Package(s):hplip CVE #(s):
Created:January 14, 2009 Updated:January 16, 2009
Description: The hplip installation script was caught in the act of modifying permissions on files in users' home directories. This behavior could be exploited by a local user to change permissions on arbitrary files.
Alerts:
Ubuntu USN-708-1 hplip 2009-01-13

Comments (1 posted)

imap: denial of service

Package(s):imap CVE #(s):CVE-2008-5514
Created:January 12, 2009 Updated:January 6, 2010
Description:

From the SUSE advisory:

Insufficient buffer length checks in the imap client library may crash applications that use the library to print formatted email addresses. The imap daemon itself is not affected but certain versions of e.g. the php imap module are (CVE-2008-5514).

Alerts:
Gentoo 201001-03 php 2010-01-05
Mandriva MDVSA-2009:146-1 imap 2009-12-28
Gentoo 200911-03 uw-imap, c-client 2009-11-25
Mandriva MDVSA-2009:166 c-client 2009-07-28
Mandriva MDVSA-2009:146 imap 2009-06-29
Fedora FEDORA-2009-0413 uw-imap 2009-01-14
Fedora FEDORA-2009-0371 uw-imap 2009-01-14
SuSE SUSE-SR:2009:001 ethereal/wireshark, mysql, imap, rsyslog, courier-authlib, nfs-utils, libxml2, python, jhead, git, samba, vinagre, opera 2009-01-12

Comments (none posted)

java: multiple vulnerabilities

Package(s):Java CVE #(s):CVE-2008-5339 CVE-2008-5340 CVE-2008-5341 CVE-2008-5342 CVE-2008-5343 CVE-2008-5344 CVE-2008-5345 CVE-2008-5346 CVE-2008-5355
Created:January 9, 2009 Updated:November 18, 2009
Description: Numerous security issues such as privilege escalations, and sandbox breakouts were found in Sun's Java package.
Alerts:
Gentoo 200911-02 sun-jre-bin 2009-11-17
SuSE SUSE-SR:2009:010 firefox apport evolution freetype2 java_1_4_2-ibm kdegraphics3 libopenssl libsoup xulrunner opensc python-crypto unbound xpdf 2009-05-12
SuSE SUSE-SA:2009:018 java 2009-04-07
Red Hat RHSA-2009:0369-01 java-1.6.0-ibm 2009-03-25
Red Hat RHSA-2009:0445-01 java-1.4.2-ibm 2009-04-23
SuSE SUSE-SA:2009:007 IBMJava5-JRE,java-1_5_0-ibm 2009-01-29
Red Hat RHSA-2009:0015-01 java-1.6.0-ibm 2009-01-13
Red Hat RHSA-2009:0016-01 java-1.5.0-ibm 2009-01-13
SuSE SUSE-SA:2009:001 SunJava 2009-01-09

Comments (none posted)

jhead: multiple vulnerabilities

Package(s):jhead CVE #(s):CVE-2008-4639 CVE-2008-4640 CVE-2008-4641
Created:January 12, 2009 Updated:March 5, 2009
Description:

From the Gentoo advisory:

* An insecure creation of a temporary file (CVE-2008-4639).

* An error when unlinking a file (CVE-2008-4640).

* Insufficient escaping of shell metacharacters (CVE-2008-4641).

A remote attacker could possibly execute arbitrary code by enticing a user or automated system to open a file with a long filename or via unspecified vectors. It is also possible to trick a user into deleting or overwriting files.

Alerts:
Fedora FEDORA-2009-1824 jhead 2009-02-17
Fedora FEDORA-2009-1776 jhead 2009-02-17
Mandriva MDVSA-2009:041 jhead 2009-02-17
Gentoo 200901-02 jhead 2009-01-11
SuSE SUSE-SR:2009:001 ethereal/wireshark, mysql, imap, rsyslog, courier-authlib, nfs-utils, libxml2, python, jhead, git, samba, vinagre, opera 2009-01-12

Comments (none posted)

lasso: certificate verification bypass

Package(s):lasso CVE #(s):CVE-2009-0050
Created:January 12, 2009 Updated:January 14, 2009
Description:

From the CVE entry:

Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.

Alerts:
Debian DSA-1700-1 lasso 2009-01-11

Comments (none posted)

mplayer: arbitrary code execution

Package(s):MPlayer CVE #(s):CVE-2008-5616
Created:January 12, 2009 Updated:April 29, 2009
Description:

From the Gentoo advisory:

Tobias Klein reported a stack-based buffer overflow in the demux_open_vqf() function in libmpdemux/demux_vqf.c when processing malformed TwinVQ files (CVE-2008-5616).

A remote attacker could entice a user to open a specially crafted STR, Real Media, or TwinVQ file to execute arbitrary code or cause a Denial of Service.

Alerts:
Debian DSA-1782-1 mplayer 2009-04-29
Gentoo 200901-07:02 MPlayer 2009-01-12
Mandriva MDVSA-2009:014 mplayer 2009-01-15
Mandriva MDVSA-2009:013 mplayer 2009-01-15

Comments (none posted)

ntp: signature verification vulnerability

Package(s):ntp CVE #(s):CVE-2009-0021
Created:January 9, 2009 Updated:April 10, 2009
Description: From the Ubuntu advisory: It was discovered that NTP did not properly perform signature verification. A remote attacker could exploit this to bypass certificate validation via a malformed SSL/TLS signature.
Alerts:
CentOS CESA-2009:0046 ntp 2009-04-09
Gentoo 200904-05 ntp 2009-04-05
SuSE SUSE-SR:2009:005 dhcp, ntp/xntp, squid, wireshark, libpng, pam_mount, enscript, eID-belgium, gstreamer-0_10-plugins-good 2009-03-02
Slackware SSA:2009-014-03 ntp 2009-01-15
Red Hat RHSA-2009:0046-01 ntp 2009-01-29
rPath rPSA-2009-0010-1 ntp 2009-01-20
Debian DSA-1702-1 ntp 2009-01-12
Ubuntu USN-705-1 ntp 2009-01-08
Mandriva MDVSA-2009:007 ntp 2009-01-13
Fedora FEDORA-2009-0544 ntp 2009-01-14
Fedora FEDORA-2009-0547 ntp 2009-01-14

Comments (none posted)

online-bookmarks: multiple vulnerabilities

Package(s):online-bookmarks CVE #(s):CVE-2004-2155 CVE-2006-6358 CVE-2006-6359
Created:January 13, 2009 Updated:January 14, 2009
Description: From the Gentoo advisory: The following vulnerabilities were reported:

* Authentication bypass when directly requesting certain pages (CVE-2004-2155).

* Insufficient input validation in the login function in auth.inc (CVE-2006-6358).

* Unspecified cross-site scripting vulnerability (CVE-2006-6359).

A remote attacker could exploit these vulnerabilities to bypass authentication mechanisms, execute arbitrary SQL statements or inject arbitrary web scripts.

Alerts:
Gentoo 200901-08 online-bookmarks 2009-01-12

Comments (none posted)

pam_mount: insecure tmp file usage

Package(s):pam_mount CVE #(s):CVE-2008-5138
Created:January 12, 2009 Updated:March 2, 2009
Description:

From the Mandriva advisory:

passwdehd script in pam_mount would allow local users to overwrite arbitrary files via a symlink attack on a temporary file.

Alerts:
SuSE SUSE-SR:2009:005 dhcp, ntp/xntp, squid, wireshark, libpng, pam_mount, enscript, eID-belgium, gstreamer-0_10-plugins-good 2009-03-02
Mandriva MDVSA-2009:004 pam_mount 2009-01-09

Comments (none posted)

pdnsd: denial of service

Package(s):pdnsd CVE #(s):CVE-2008-4194
Created:January 12, 2009 Updated:January 14, 2009
Description:

From the Gentoo advisory:

The p_exec_query() function in src/dns_query.c does not properly handle many entries in the answer section of a DNS reply, related to a "dangling pointer bug" (CVE-2008-4194).

[This] can be exploited by enticing pdnsd to send a query to a malicious DNS server, or using the port randomization weakness, and might lead to a Denial of Service.

Alerts:
Gentoo 200901-03 pdnsd 2009-01-11

Comments (none posted)

python: multiple vulnerabilities

Package(s):python CVE #(s):CVE-2008-4864 CVE-2008-5031
Created:January 12, 2009 Updated:July 30, 2009
Description:

From the Mandriva advisory:

Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679. (CVE-2008-4864)

Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315. (CVE-2008-5031)

Alerts:
CentOS CESA-2009:1176 python 2009-07-29
CentOS CESA-2009:1178 python 2009-07-27
Red Hat RHSA-2009:1176-01 python 2009-07-27
Red Hat RHSA-2009:1177-01 python 2009-07-27
Red Hat RHSA-2009:1178-02 python 2009-07-27
Ubuntu USN-806-1 python2.4, python2.5 2009-07-23
Gentoo 200907-16 python 2009-07-19
Mandriva MDVSA-2009:036 python 2009-02-12
SuSE SUSE-SR:2009:001 ethereal/wireshark, mysql, imap, rsyslog, courier-authlib, nfs-utils, libxml2, python, jhead, git, samba, vinagre, opera 2009-01-12
Mandriva MDVSA-2009:003 python 2009-01-09

Comments (none posted)

qemu: password guessing

Package(s):qemu CVE #(s):CVE-2008-5714
Created:January 14, 2009 Updated:October 13, 2009
Description: An off-by-one error in Qemu 0.9.1 makes password guessing attacks easier than they should be.
Alerts:
Debian DSA-1907-1 kvm 2009-10-13
Ubuntu USN-776-2 USN-776-1 fixed 2009-05-13
Ubuntu USN-776-1 kvm 2009-05-12
Mandriva MDVSA-2009:009 kvm 2009-01-14
Mandriva MDVSA-2009:008 qemu 2009-01-14
SuSE SUSE-SR:2009:002 imlib2, valgrind, kvm, cups, lynx, xterm 2009-01-19

Comments (none posted)

Streamripper: multiple vulnerabilities

Package(s):streamripper CVE #(s):CVE-2008-4829
Created:January 12, 2009 Updated:January 14, 2009
Description:

From the Gentoo advisory:

Stefan Cornelius from Secunia Research reported multiple buffer overflows in the http_parse_sc_header(), http_get_pls() and http_get_m3u() functions in lib/http.c when parsing overly long HTTP headers, or pls and m3u playlists with overly long entries.

A remote attacker could entice a user to connect to a malicious server, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.

Alerts:
Gentoo 200901-05 streamripper 2009-01-11

Comments (none posted)

vinagre: arbitrary code execution

Package(s):vinagre CVE #(s):CVE-2008-5660
Created:January 12, 2009 Updated:March 9, 2009
Description:

From the SUSE advisory:

A format string problem in vinagre potentially allowed malicious VNC servers to have a vinagre client that connects to the server execute arbitrary code. (CVE-2008-5660)

Alerts:
Gentoo 200903-01 vinagre 2009-03-06
SuSE SUSE-SR:2009:001 ethereal/wireshark, mysql, imap, rsyslog, courier-authlib, nfs-utils, libxml2, python, jhead, git, samba, vinagre, opera 2009-01-12

Comments (none posted)

zaptel: arbitrary code execution

Package(s):zaptel CVE #(s):CVE-2008-5396 CVE-2008-5744
Created:January 12, 2009 Updated:January 14, 2009
Description:

From the Debian advisory:

An array index error in zaptel, a set of drivers for telephony hardware, could allow users to crash the system or escalate their privileges by overwriting kernel memory (CVE-2008-5396).

From the CVE-2008-5744 entry:

Array index error in the dahdi/tor2.c driver in Zaptel (aka DAHDI) 1.4.11 and earlier allows local users in the dialout group to overwrite an integer value in kernel memory by writing to /dev/zap/ctl, related to an incorrect tor2 patch for CVE-2008-5396 that uses the wrong variable in a range check against the value of lc->sync.

Alerts:
Debian DSA-1699-1 zaptel 2009-01-11

Comments (none posted)

Page editor: Jake Edge


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds