Security
Linux botnets
It will come as no surprise to long-time readers of this page (or others who have followed embedded device security), but recent reports of the "first Linux botnet" are making the subject of router/modem security more visible to the general public. As we have reported previously, embedded, network-facing devices make tempting targets. It appears that a botnet herder noticed that and is trying to take advantage of Linux-based devices.
Perhaps the most surprising part about the attack is the simplicity of the vulnerability it is exploiting. As far as anyone has found, "psyb0t", as the botnet is known, just brute forces username/password pairs over telnet, ssh, or http. The earliest research [PDF] on the botnet dates from January; at that time it was only known to be exploiting a particular ADSL modem (the Netcomm NB5) that, at one time, had no authorization at all on its WAN-facing administrative web interface.
More recently, DroneBL found more infected routers when investigating a distributed denial of service (DDOS) against its servers. The botnet is targeting Linux devices using the mipsel (MIPS little-endian) architecture, which includes many Linux-based home routers. OpenWRT, DD-WRT, and other projects all provide Linux-mipsel firmware for a variety of potentially vulnerable devices.
Once the infecting program gets access to the device, it downloads the botnet code and disables access to the device via telnet, ssh, or http.
While its method of getting access is simple, the botnet code itself is very capable. It connects to a command and control IRC channel (#mipsel) on a particular host under the control of the botnet herder. Commands on that channel can order the botnet nodes to carry out various denial of service attacks, scan for vulnerable MySQL and phpMyAdmin sites and subvert them, port scan particular hosts, update the botnet code, and more. The IRC channel has since shut down with a message indicating that psyb0t was strictly a research project by someone known as DRS. The message also claimed that no DDOS or phishing was done and that the botnet reached 80,000 nodes.
While it may well be that the danger of this particular threat has passed, the more general issue of router, especially home router, security persists. A fully capable, always-on Linux device is a very attractive target for botnet herders or other types of attackers. Trying to put together a botnet of Linux desktops and servers might be a much more difficult task as there is a much wider diversity of distributions and kernel versions, as well as different architectures and configurations. To a great extent, the Linux-based home router landscape is much more homogeneous, as psyb0t has shown.
Clearly default and/or weak passwords are a serious problem—not just for Linux-based devices—but it would not be surprising to find that other vulnerabilities (such as authentication bypass) are available on many of these devices. Unlike a simple password change, those kinds of flaws require an update to the router firmware, which, in turn, requires users to know about the problem and understand where to get—and how to apply—the code to fix it. This is certainly a problem we have not seen the last of.
New vulnerabilities
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla | CVE #(s): | CVE-2008-4437 CVE-2008-6098 CVE-2009-0481 CVE-2009-0483 CVE-2009-0484 CVE-2009-0485 CVE-2009-0486 CVE-2009-0482 |
| Created: | March 19, 2009 | Updated: | June 4, 2010 |
| Description: | Bugzilla has a number of vulnerabilities. From the Fedora alerts: Directory traversal vulnerability in importxml.pl in Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path is enabled, allows remote attackers to read arbitrary files via an XML file with a .. (dot dot) in the data element. (CVE-2008-4437) Bugzilla 3.2 before 3.2 RC2, 3.0 before 3.0.6, 2.22 before 2.22.6, 2.20 before 2.20.7, and other versions after 2.17.4 allows remote authenticated users to bypass moderation to approve and disapprove quips via a direct request to quips.cgi with the action parameter set to "approve." (CVE-2008-6098) Bugzilla 2.x before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote authenticated users to conduct cross-site scripting (XSS) and related attacks by uploading HTML and JavaScript attachments that are rendered by web browsers. (CVE-2009-0481) Cross-site request forgery (CSRF) vulnerability in Bugzilla before 3.2 before 3.2.1, 3.3 before 3.3.2, and other versions before 3.2 allows remote attackers to perform bug updating activities as other users via a link or IMG tag to process_bug.cgi. (CVE-2009-0482) Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.22 before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete keywords and user preferences via a link or IMG tag to (1) editkeywords.cgi or (2) userprefs.cgi. (CVE-2009-0483) Cross-site request forgery (CSRF) vulnerability in Bugzilla 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete shared or saved searches via a link or IMG tag to buglist.cgi. (CVE-2009-0484) Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.17 to 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3.3 before 3.3.2 allows remote attackers to delete unused flag types via a link or IMG tag to editflagtypes.cgi. (CVE-2009-0485) Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls the srand function at startup time, which causes Apache children to have the same seed and produce insufficiently random numbers for random tokens, which allows remote attackers to bypass cross-site request forgery (CSRF) protection mechanisms and conduct unauthorized activities as other users. (CVE-2009-0486) |
| Alerts: | |
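The seeding mistake behind CVE-2009-0486, modelled as an added Python example (this is not Bugzilla's or mod_perl's code): a PRNG seeded once in the parent before workers are forked gives every worker an identical copy of the generator state, so their first tokens collide, while reseeding each child from OS entropy restores distinct, unpredictable tokens. Function names such as `mint_token` and the 64-bit token width are the example's own assumptions.

```python
import os
import random
import secrets

TOKEN_BITS = 64  # assumed token width for the demonstration


def mint_token(rng):
    """Derive a CSRF-style token from a seeded PRNG (the rand()-based pattern)."""
    return f"{rng.getrandbits(TOKEN_BITS):016x}"


def token_from_worker(rng, reseed_in_child):
    """Fork one worker, as a prefork server does after startup, and return the
    first token it mints.  The child inherits a byte-for-byte copy of the
    parent's PRNG state.  With reseed_in_child=False it uses that inherited
    state (the failure mode described in the advisory); with True it reseeds
    from OS entropy before minting anything (the remedy)."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                      # worker process
        os.close(rfd)
        if reseed_in_child:
            rng.seed(secrets.randbits(128))
        os.write(wfd, mint_token(rng).encode())
        os._exit(0)
    os.close(wfd)                     # parent: collect the child's token
    with os.fdopen(rfd) as pipe:
        token = pipe.read()
    os.waitpid(pid, 0)
    return token


def first_tokens_across_workers(n_workers, startup_seed, reseed_in_child):
    """Seed once at 'startup' in the parent, then spawn n_workers children and
    collect the first token each one produces."""
    rng = random.Random(startup_seed)
    return [token_from_worker(rng, reseed_in_child) for _ in range(n_workers)]


def distinct_token_count(n_workers, startup_seed, reseed_in_child):
    """How many different first tokens the workers produced: 1 means every
    worker started from the same state and an attacker who learns one token
    knows them all."""
    return len(set(first_tokens_across_workers(n_workers, startup_seed, reseed_in_child)))


if __name__ == "__main__":
    print("seeded before fork:", distinct_token_count(4, 1234, False))
    print("reseeded per child:", distinct_token_count(4, 1234, True))
```

Using a CSPRNG per request (`secrets.token_hex`) rather than a reseeded `random.Random` is the better choice for real tokens; the reseed here only isolates the fork-inheritance problem.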
compiz-fusion: screen lock bypass
| Package(s): | compiz-fusion | CVE #(s): | CVE-2008-6514 |
| Created: | March 25, 2009 | Updated: | March 30, 2010 |
| Description: | Compiz-fusion allows local users to simply drag the screen saver out of the way, thus bypassing any associated screen lock. |
| Alerts: | |
drupal-cck: cross-site scripting
| Package(s): | drupal-cck | CVE #(s): | |
| Created: | March 23, 2009 | Updated: | March 25, 2009 |
| Description: | From the Drupal advisory: The Node reference and User reference sub-modules, which are part of the Content Construction Kit (CCK) project, let administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate referenced nodes or names of candidate referenced users are not properly filtered, allowing malicious users to inject arbitrary code on those pages. Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access. |
| Alerts: | |
ejabberd: cross-site scripting vulnerability
| Package(s): | ejabberd | CVE #(s): | CVE-2009-0934 |
| Created: | March 19, 2009 | Updated: | April 17, 2009 |
| Description: | ejabberd has a cross-site scripting vulnerability. From the Fedora alert: Cross-site scripting (XSS) vulnerability in ejabberd before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to links and MUC logs. |
| Alerts: | |
ffmpeg: unspecified vulnerabilities
| Package(s): | ffmpeg | CVE #(s): | CVE-2008-4868 CVE-2008-4869 |
| Created: | March 20, 2009 | Updated: | December 7, 2009 |
| Description: | From the CVE entries: Unspecified vulnerability in the avcodec_close function in libavcodec/utils.c in FFmpeg 0.4.9 before r14787, as used by MPlayer, has unknown impact and attack vectors, related to a free "on random pointers." FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attackers to cause a denial of service (memory consumption) via unknown vectors, aka a "Tcp/udp memory leak." |
| Alerts: | |
ghostscript: integer overflows
| Package(s): | ghostscript | CVE #(s): | CVE-2009-0583 CVE-2009-0584 |
| Created: | March 19, 2009 | Updated: | December 4, 2009 |
| Description: | Ghostscript has several integer overflow vulnerabilities. From the Red Hat alert: Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in Ghostscript's International Color Consortium Format library (icclib). Using specially-crafted ICC profiles, an attacker could create a malicious PostScript or PDF file with embedded images which could cause Ghostscript to crash, or, potentially, execute arbitrary code when opened by the victim. (CVE-2009-0583, CVE-2009-0584) |
| Alerts: | |
jasper: insecure temp files
| Package(s): | jasper | CVE #(s): | CVE-2008-3521 |
| Created: | March 20, 2009 | Updated: | April 19, 2010 |
| Description: | From the Ubuntu advisory: It was discovered that JasPer created temporary files in an insecure way. Local users could exploit a race condition and cause a denial of service in libjasper applications. |
| Alerts: | |
kernel: multiple ext4 denial of service vulnerabilities
| Package(s): | linux-2.6 | CVE #(s): | CVE-2009-0745 CVE-2009-0746 CVE-2009-0747 CVE-2009-0748 |
| Created: | March 23, 2009 | Updated: | September 16, 2009 |
| Description: | From the Debian advisory: CVE-2009-0745: Peter Kerwien discovered an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) during a resize operation. CVE-2009-0746: Sami Liedes reported an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) when accessing a specially crafted corrupt filesystem. CVE-2009-0747: David Maciejak reported an issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) when mounting a specially crafted corrupt filesystem. CVE-2009-0748: David Maciejak reported an additional issue in the ext4 filesystem that allows local users to cause a denial of service (kernel oops) when mounting a specially crafted corrupt filesystem. |
| Alerts: | |
lcms: multiple vulnerabilities
| Package(s): | lcms | CVE #(s): | CVE-2009-0581 CVE-2009-0723 CVE-2009-0733 |
| Created: | March 19, 2009 | Updated: | December 3, 2009 |
| Description: | lcms has three vulnerabilities. From the Red Hat alert: Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in LittleCMS. An attacker could use these flaws to create a specially-crafted image file which could cause an application using LittleCMS to crash, or, possibly, execute arbitrary code when opened by a victim. (CVE-2009-0723, CVE-2009-0733) A memory leak flaw was found in LittleCMS. An application using LittleCMS could use an excessive amount of memory, and possibly crash after using all available memory, if used to open specially-crafted images. (CVE-2009-0581) |
| Alerts: | |
libvirt: privilege escalation
| Package(s): | libvirt | CVE #(s): | CVE-2009-0036 |
| Created: | March 19, 2009 | Updated: | March 25, 2009 |
| Description: | libvirt has a privilege escalation vulnerability. From the Red Hat alert: libvirt_proxy, a setuid helper application allowing non-privileged users to communicate with the hypervisor, was discovered to not properly validate user requests. Local users could use this flaw to cause a stack-based buffer overflow in libvirt_proxy, possibly allowing them to run arbitrary code with root privileges. (CVE-2009-0036) |
| Alerts: | |
muttprint: insecure temporary files
| Package(s): | muttprint | CVE #(s): | CVE-2008-5368 |
| Created: | March 24, 2009 | Updated: | March 25, 2009 |
| Description: | From the Gentoo advisory: Dmitry E. Oboukhov reported an insecure usage of the temporary file "/tmp/muttprint.log" in the muttprint script. A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application. |
| Alerts: | |
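The insecure temporary file pattern behind both the jasper and the muttprint entries above, as an added Python example (not code from either project): a predictable name in a shared directory is opened and truncated, so a symlink planted there redirects the write to the link's target, whereas O_CREAT|O_EXCL (optionally with O_NOFOLLOW) refuses the pre-existing name and `mkstemp` avoids predictable names altogether. The scenario runs entirely inside a throwaway directory; the file names and contents are constructed for the demonstration.

```python
import os
import tempfile

LOG_NAME = "muttprint.log"  # fixed, predictable name, as in the Gentoo advisory


def write_log_predictable(tmpdir, content):
    """Vulnerable pattern: open a predictable path in a shared directory with
    truncation.  open(..., "w") follows symlinks, so a link planted at that
    name redirects both the truncation and the write to the link's target."""
    path = os.path.join(tmpdir, LOG_NAME)
    with open(path, "w") as f:
        f.write(content)
    return path


def write_log_exclusive(tmpdir, content):
    """Hardened while keeping the fixed name: O_CREAT|O_EXCL fails if anything
    (a symlink included) already exists at the path, and O_NOFOLLOW refuses to
    traverse a link.  Returns None when the name was already taken."""
    path = os.path.join(tmpdir, LOG_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return None
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return path


def write_log_mkstemp(tmpdir, content):
    """Preferred: mkstemp picks an unpredictable name, uses O_EXCL and mode 0600."""
    fd, path = tempfile.mkstemp(prefix="muttprint.", suffix=".log", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return path


def run_symlink_scenario(writer):
    """Constructed scenario: plant a symlink at the predictable name pointing at
    a 'victim' file, run the writer, and return the victim's contents afterwards.
    'original contents' means the victim survived; 'log output' means it was
    overwritten through the link."""
    with tempfile.TemporaryDirectory() as tmpdir:
        victim = os.path.join(tmpdir, "victim.txt")
        with open(victim, "w") as f:
            f.write("original contents")
        os.symlink(victim, os.path.join(tmpdir, LOG_NAME))
        writer(tmpdir, "log output")
        with open(victim) as f:
            return f.read()
```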
opensc: insufficient access restrictions
| Package(s): | opensc | CVE #(s): | CVE-2009-0368 |
| Created: | March 19, 2009 | Updated: | June 1, 2009 |
| Description: | opensc has a vulnerability involving insufficient access restrictions on private data. From the Red Hat alert: OpenSC stores private data without proper access restrictions. User "b.badrignans" reported this security problem on December 4th, 2008. In June 2007 support for private data objects was added to OpenSC. Only later was a severe security bug found out: while the OpenSC PKCS#11 implementation requires PIN verification to access the data, low level APDU commands or debugging tools like opensc-explorer or opensc-tool can access the private data without any authentication. This was fixed in OpenSC 0.11.7. |
| Alerts: | |
pam: denial of service, possible privilege escalation
| Package(s): | pam | CVE #(s): | CVE-2009-0887 |
| Created: | March 23, 2009 | Updated: | May 31, 2011 |
| Description: | From the Mandriva advisory: Integer signedness error in the _pam_StrTok function in libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a configuration file contains non-ASCII usernames, might allow remote attackers to cause a denial of service, and might allow remote authenticated users to obtain login access with a different user's non-ASCII username, via a login attempt (CVE-2009-0887). |
| Alerts: | |
postgresql: denial of service
| Package(s): | postgresql | CVE #(s): | CVE-2009-0922 |
| Created: | March 23, 2009 | Updated: | November 2, 2009 |
| Description: | From the Red Hat bugzilla: A stack overflow was found in how PostgreSQL handles conversion encoding. This could allow an authenticated user to kill connections to the PostgreSQL server for a small amount of time, which could interrupt transactions by other users/clients. |
| Alerts: | |
seamonkey: multiple vulnerabilities
| Package(s): | seamonkey | CVE #(s): | |
| Created: | March 25, 2009 | Updated: | April 14, 2009 |
| Description: | Seamonkey 1.1.15 contains fixes for a number of security issues. |
| Alerts: | |
thunderbird: multiple vulnerabilities
| Package(s): | thunderbird | CVE #(s): | |
| Created: | March 25, 2009 | Updated: | March 25, 2009 |
| Description: | A number of security issues, generally involving memory corruption, have been fixed in the thunderbird 2.0.0.21 release. |
| Alerts: | |
webcit: format string vulnerability
| Package(s): | webcit | CVE #(s): | CVE-2009-0364 |
| Created: | March 24, 2009 | Updated: | March 25, 2009 |
| Description: | From the Debian advisory: Wilfried Goesgens discovered that WebCit, the web-based user interface for the Citadel groupware system, contains a format string vulnerability in the mini_calendar component, possibly allowing arbitrary code execution. |
| Alerts: | |
Page editor: Jake Edge