Security
Crying wolf over OpenSSH
In the security world, there is always tension between under- and over-reporting on vulnerabilities. That tension exists not only between the "full" and "responsible" disclosure camps, but also among those trying to make sure that users are aware of the most recent attacks. Sometimes, that can lead to reports that eventually turn out to be incomplete, overstated, or flat out wrong. There is value even in incorrect reports, though; at a minimum they can raise the profile of the most vulnerable of services—reminding administrators to update and/or reconfigure the affected program—which may reduce the impact of the next exploit.
For many reasons, ssh vulnerabilities—or purported vulnerabilities—are treated differently from others. If this had been a report of yet another content management system cross-site scripting flaw or Wireshark dissector bug, it would not have gotten much, if any, notice. But ssh is one service that is turned on for nearly every server on the internet. Without ssh, many administrators couldn't access the server to handle important tasks—security updates, for example.
In addition, many internet servers have just a few, trusted users, which may—unfortunately—make their administrators rather sanguine about patching local privilege escalation flaws. That makes a way to subvert ssh and gain that local access suddenly a much more dangerous flaw. Furthermore, many administrators allow root to log in remotely, so an ssh vulnerability might lead to root privileges without needing an additional privilege escalation flaw.
It is safe to say that exploitable ssh vulnerabilities are very high on the list of things that keep system administrators up at night. So that makes it rather easy to stir up a firestorm of publicity by reporting one. The Internet Storm Center (ISC) was one of the first to report on the rumored OpenSSH vulnerability (which we also passed along). The whole thing got started with a post to the full-disclosure mailing list that purported to show an ssh "zero-day" exploit compromising a server in New Zealand.
It wasn't very long before folks realized that it was likely the result of a "brute force" attack against a user password, but there was enough "chatter" of various sorts (see the updates on the ISC post) that it was difficult to be sure. In the end, we still aren't completely sure, but OpenSSH developer Damien Miller posted his belief that there was no ssh zero-day; ISC also posted a notice calling the vulnerability reports bogus. In the absence of any more information, those would seem to close the book on this vulnerability.
While it was a bit of a fire drill, it is likely that the reports led to some system administrators taking a look at their ssh installation to make sure it was up-to-date. They may also have tightened up their configuration in ways that might lessen the chances of a vulnerability affecting their systems. Disallowing root logins, requiring key-based instead of password-based logins, or restricting ssh access to certain IP addresses are all steps that administrators may have taken. Perhaps it was needless in this case, but a general tightening up of ssh configuration is likely to be helpful in fending off brute-force or other attacks down the road.
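The three tightening steps just listed (no root logins, keys instead of passwords, access limited to particular users or addresses) are easy to check for mechanically. The Python below is an added example, not part of this article or of OpenSSH: it parses an sshd_config the way sshd does (first occurrence of a keyword wins, comments ignored) and reports which of the three steps a file has not taken. Both sample configs are constructed for the example; the defaults assumed for absent keywords (PermitRootLogin yes, PasswordAuthentication yes) are the OpenSSH defaults of the period.

```python
import re

# Constructed sample configs (not from the article): a permissive sshd_config
# of the sort the article warns about, and the same file after tightening.
WEAK_CONFIG = """\
# constructed example: permissive defaults left in place
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed example: root login off, keys only, access limited by user/source
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin@192.0.2.0/24
"""


def parse_sshd_config(text):
    """Return {keyword: value} with keywords lower-cased.

    Mirrors sshd's rule that the first occurrence of a keyword wins.
    Comments are skipped; everything from the first Match line onward is
    skipped too, because those settings apply only to matching connections
    and would need their own evaluation.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings for the three tightening steps in the article.

    Assumed defaults when a keyword is absent: PermitRootLogin yes and
    PasswordAuthentication yes (OpenSSH defaults of the period).
    """
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", "yes").lower() == "yes":
        findings.append("PermitRootLogin yes: root can be attacked directly over ssh")
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: accounts are exposed to password guessing")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups: logins are not restricted by user or source address")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

AllowUsers accepts user@host patterns, which is how sshd itself restricts by source address; packet-filter rules that do the same job live outside this file, so a clean result here only says what sshd_config alone permits.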
Brief items
DHCP server can take over client (The H)
The H warns of a DHCP client vulnerability which allows a hostile server to take over the system. "According to Marcus Meissner from SUSE, the vulnerability doesn't affect Red Hat and SUSE because their source code includes the FORTIFY_SOURCE feature. With it, the GNU Compiler Collection (GCC) knows how large the buffer is, including the maximum size. The glibc gets the buffer size information and uses a version of strcpy() that checks and makes sure that no more than 20 bytes are copied. If the buffer is greater, then the program is aborted."
New vulnerabilities
acroread: multiple vulnerabilities
| Package(s): | acroread | CVE #(s): | CVE-2009-1492 CVE-2009-1493 |
| Created: | July 13, 2009 | Updated: | July 15, 2009 |
| Description: | From the Gentoo advisory: Arr1val reported that multiple methods in the JavaScript API might lead to memory corruption when called with crafted arguments (CVE-2009-1492, CVE-2009-1493). | | |
| Alerts: | | | |
apache: multiple vulnerabilities
| Package(s): | apache | CVE #(s): | CVE-2009-1890 CVE-2009-1891 |
| Created: | July 9, 2009 | Updated: | December 7, 2009 |
| Description: | Apache has two denial of service vulnerabilities. From the Mandriva alert: The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests (CVE-2009-1890). Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects (CVE-2009-1891). | | |
| Alerts: | | | |
camlimages: integer overflow
| Package(s): | camlimages | CVE #(s): | CVE-2009-2295 |
| Created: | July 14, 2009 | Updated: | June 1, 2010 |
| Description: | From the Debian advisory: Tielei Wang discovered that CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. | | |
| Alerts: | | | |
dbus: policy bypass
| Package(s): | dbus | CVE #(s): | CVE-2009-1189 |
| Created: | July 14, 2009 | Updated: | May 3, 2011 |
| Description: | From the Ubuntu advisory: It was discovered that the D-Bus library did not correctly validate signatures. If a local user sent a specially crafted D-Bus key, they could spoof a valid signature and bypass security policies. | | |
| Alerts: | | | |
dhcp: arbitrary code execution
| Package(s): | dhcp3 | CVE #(s): | CVE-2009-0692 |
| Created: | July 15, 2009 | Updated: | January 27, 2010 |
| Description: | From the Red Hat advisory: The Mandriva Linux Engineering Team discovered a stack-based buffer overflow flaw in the ISC DHCP client. If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root). (CVE-2009-0692) | | |
| Alerts: | | | |
dhcp: arbitrary file overwrite
| Package(s): | dhcp | CVE #(s): | CVE-2009-1893 |
| Created: | July 15, 2009 | Updated: | July 16, 2009 |
| Description: | From the Red Hat advisory: An insecure temporary file use flaw was discovered in the DHCP daemon's init script ("/etc/init.d/dhcpd"). A local attacker could use this flaw to overwrite an arbitrary file with the output of the "dhcpd -t" command via a symbolic link attack, if a system administrator executed the DHCP init script with the "configtest", "restart", or "reload" option. (CVE-2009-1893) | | |
| Alerts: | | | |
dhcp: denial of service
| Package(s): | dhcp3 | CVE #(s): | CVE-2009-1892 |
| Created: | July 15, 2009 | Updated: | December 4, 2009 |
| Description: | From the Debian advisory: Christoph Biedl discovered that the DHCP server may terminate when receiving certain well-formed DHCP requests, provided that the server configuration mixes host definitions using "dhcp-client-identifier" and "hardware ethernet". This vulnerability only affects the lenny versions of dhcp3-server and dhcp3-server-ldap. (CVE-2009-1892) | | |
| Alerts: | | | |
djbdns: unconstrained offsets
| Package(s): | djbdns | CVE #(s): | CVE-2009-0858 |
| Created: | July 14, 2009 | Updated: | July 15, 2009 |
| Description: | From the Debian advisory: Matthew Dempsky discovered that Daniel J. Bernstein's djbdns, a Domain Name System server, does not constrain offsets in the required manner, which allows remote attackers with control over a third-party subdomain served by tinydns and axfrdns, to trigger DNS responses containing arbitrary records via crafted zone data for this subdomain. | | |
| Alerts: | | | |
libtiff: arbitrary code execution
| Package(s): | tiff | CVE #(s): | CVE-2009-2347 |
| Created: | July 14, 2009 | Updated: | March 8, 2011 |
| Description: | From the Ubuntu advisory: Tielei Wang and Tom Lane discovered that the TIFF library did not correctly handle certain malformed TIFF images. If a user or automated system were tricked into processing a malicious image, an attacker could execute arbitrary code with the privileges of the user invoking the program. | | |
| Alerts: | | | |
mumbles: unsafe shell usage
| Package(s): | mumbles | CVE #(s): | |
| Created: | July 13, 2009 | Updated: | July 15, 2009 |
| Description: | From the Red Hat bugzilla entry: The Firefox plugin uses os.system in an insecure fashion. Version-Release number of selected component (if applicable): mumbles-0.4-1.fc10 | | |

    def open_uri(self, uri):
        mime_type = gnomevfs.get_mime_type(uri)
        application = gnomevfs.mime_get_default_application(mime_type)
        os.system(application[2] + ' "' + uri + '" &')

This would be much better written to use the subprocess module and use an argument list like [application[2], uri], or else by using the shell's own substitution mechanism like this:

    os.environ['URI'] = uri
    os.system(application[2] + ' "$URI" &')
| Alerts: | | | |
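The argument-list fix that the bug report recommends, worked through as an added example (this is not the mumbles project's code): the hostile URI and the stand-in handler are constructed for the demonstration, and a child Python interpreter plays the part of the application so that what the handler actually receives can be inspected without a shell in the path.

```python
import shlex
import subprocess
import sys


def shell_command_string(handler_command, uri):
    """The pattern from the bug report, kept only to show the problem.

    It is never passed to os.system() here: the URI is spliced into a
    shell command line, so a double quote inside it ends the argument and
    the remainder is parsed by the shell as further commands.
    """
    return handler_command + ' "' + uri + '" &'


def argv_for(handler_command, uri):
    """Build an argument list instead of a shell string.

    The handler command from the MIME database may carry options of its
    own (e.g. "firefox -new-tab"), so it is split with shell rules once,
    at a point where no attacker data is present; the URI is then appended
    as a single element and is never seen by a shell at all.
    """
    return shlex.split(handler_command) + [uri]


def open_uri(handler_command, uri):
    """Hardened replacement for the plugin's open_uri: no shell, no
    concatenation. Popen returns without waiting, which is what the
    trailing '&' achieved in the original."""
    return subprocess.Popen(argv_for(handler_command, uri))


def argument_seen_by_handler(uri):
    """Show what a handler receives when launched through argv_for().

    A child Python interpreter stands in for the real application
    (constructed for this demo) and echoes back its first argument.
    """
    echo = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]
    handler_command = " ".join(shlex.quote(part) for part in echo)
    result = subprocess.run(argv_for(handler_command, uri),
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed hostile URI: under the original os.system() pattern the embedded
# quote would terminate the argument and "echo INJECTED" would run as a command.
HOSTILE_URI = 'http://example.invalid/"; echo INJECTED; echo "'

if __name__ == "__main__":
    print("shell string:    ", shell_command_string("xdg-open", HOSTILE_URI))
    print("handler received:", argument_seen_by_handler(HOSTILE_URI))
```

The bug report's other suggestion, exporting the URI in the environment and writing "$URI" in the command string, also works because the shell expands the variable only after it has finished parsing the command line; the argument-list form is still preferable, since it keeps the shell out of the picture altogether and needs no quoting rules to be right.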
sork-passwd-h3: cross-site scripting
| Package(s): | sork-passwd-h3 | CVE #(s): | CVE-2009-2360 |
| Created: | July 13, 2009 | Updated: | September 14, 2009 |
| Description: | From the Debian advisory: It was discovered that sork-passwd-h3, a Horde3 module for users to change their password, is prone to a cross-site scripting attack via the backend parameter. | | |
| Alerts: | | | |
Page editor: Jake Edge
