Security
SSL flaws revealed at Black Hat
The annual Black Hat security conference in Las Vegas is probably the premier security event each year—at least for the disclosure of new vulnerabilities. The event usually has one or more high-profile disclosures that often lead to software vendors and projects scrambling to fix the vulnerable code. This year was no exception, with Secure Sockets Layer (SSL) taking center stage. Two of the vulnerabilities led to Mozilla security updates, while others showed flaws in the certificate authority (CA) infrastructure and browser handling of Extended Validation (EV) SSL certificates.
The most serious problem would seem to be a disconnect between CAs and browsers on how to handle certificates with NUL (i.e. '\0') bytes in the domain name. CAs have been willing to issue certificates for host/domain names containing NULs, but browsers were handling them in ways that made certificate spoofing much easier. Moxie Marlinspike and Dan Kaminsky independently discovered the problem and both gave presentations on it at Black Hat. Marlinspike's example was a certificate issued for www.paypal.com\0.thoughtcrime.org, which would appear to be a legitimate PayPal certificate to the browser user.
It has been argued that the CAs should not be issuing certificates of that sort, especially given that C-based programs interpret NUL as the end of string, but the browsers have a certain amount of responsibility here as well. It's hard to see a legitimate use for a certificate with a NUL byte as part of the domain name, but browsers could and should have used the string length, which is specified in the certificate, to determine how to display and handle the domain name. The CAs should also stop signing such certificates, and revoke those that they have already issued, but that, of course, doesn't stop anyone from self-signing a certificate with a NUL byte in the domain name.
The flaw could be exploited to do a man-in-the-middle attack against users. An attacker who could intercept network traffic—via a compromised, or just maliciously configured, wireless router for example—could present one of these certificates when a victim visited PayPal. Because the browser only looked at the host name information before the NUL, the user would believe they had a secure session with PayPal, when, in fact, they were talking to a host under the attacker's control.
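The mismatch described above, as an added example in C (not code from any browser or from the researchers): a certificate name is modeled as bytes plus the length the certificate specifies, and a C-string comparison is set beside a length-aware one. `struct cert_name` and both function names are hypothetical, and the sample names are constructed from the example in the text.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a certificate name: raw bytes plus encoded length. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Constructed samples; the first embeds a NUL as in the article's example. */
static const unsigned char SPOOFED[] = "www.paypal.com\0.thoughtcrime.org";
static const unsigned char GENUINE[] = "www.paypal.com";
static const struct cert_name SPOOFED_NAME = { SPOOFED, sizeof(SPOOFED) - 1 };
static const struct cert_name GENUINE_NAME = { GENUINE, sizeof(GENUINE) - 1 };

/* Host names compare case-insensitively over ASCII only. */
static int ascii_lower(int c)
{
    return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c;
}

/* Flawed: treats the name as a C string, so everything after NUL is ignored.
 * Assumes data is NUL-terminated, as the samples above are. */
int match_cstring(const struct cert_name *cn, const char *host)
{
    const char *a = (const char *)cn->data;
    while (*a != '\0' && ascii_lower(*a) == ascii_lower(*host)) {
        a++;
        host++;
    }
    return *a == '\0' && *host == '\0';
}

/* Length-aware: compares all cn->len bytes and rejects any embedded NUL. */
int match_length_aware(const struct cert_name *cn, const char *host)
{
    size_t i, host_len = strlen(host);

    if (cn->len == 0 || memchr(cn->data, '\0', cn->len) != NULL)
        return 0;   /* a NUL can never be part of a valid host name */
    if (cn->len != host_len)
        return 0;
    for (i = 0; i < host_len; i++)
        if (ascii_lower(cn->data[i]) != ascii_lower((unsigned char)host[i]))
            return 0;
    return 1;
}

int main(void)
{
    const char *host = "www.paypal.com";
    printf("C-string match on spoofed name:     %d\n",
           match_cstring(&SPOOFED_NAME, host));
    printf("length-aware match on spoofed name: %d\n",
           match_length_aware(&SPOOFED_NAME, host));
    printf("length-aware match on genuine name: %d\n",
           match_length_aware(&GENUINE_NAME, host));
    return 0;
}
```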
Marlinspike found another problem, which only seems to have affected the Firefox 3.0 series, in how wildcards were handled in the host names presented in certificates. Wildcard certificates are meant to solve the problem of multiple hosts in a given domain that need to share certificates. So, a CA could sign a single certificate that would work for webhost00.example.com through webhost99.example.com. Firefox 3.0 and earlier supported a non-standard Netscape regular expression syntax which Marlinspike found a way to exploit.
That exploit would cause a heap overflow that could allow arbitrary code execution—another particularly nasty outcome. According to the Mozilla advisory: "With version 3.5 Firefox switched to the more limited industry-standard wildcard syntax instead and is not vulnerable to this flaw."
Kaminsky's talk also covered a number of other issues with SSL certificate handling. Red Hat's director of security response Mark Cox summarized those problems along with their impact on various free software packages. For the most part, they had much less impact than the NUL-byte spoofing attack, which Cox notes as having been fixed in April for Firefox 3.5 in RHEL.
Another presentation on SSL came from Alexander Sotirov and Mike Zusman. They showed that EV certificates can be replaced with valid, conventional (aka Domain Validated or DV) certificates without changing the browser's display to reflect the potentially reduced security. Browsers display sites using EV certificates in green in the address bar to denote the supposed higher security. By using a man-in-the-middle attack, and a valid DV certificate for the domain, they were able to send the second certificate, which caused the browser to switch encryption keys to that contained in the DV certificate. So the session was secured with the "lesser" DV certificate, which the attacker controlled, but still showed the green address bar.
Zusman also gave a presentation at DefCon (which follows Black Hat) on the reliability of the web applications that CAs use for handling certificate requests. As might be guessed, they turn out to be vulnerable to the usual web application suspects: cross-site scripting and SQL injection, but he found additional problems as well. He was able to circumvent the domain name validation used by some CAs so that he could get certificates for domains that he did not control.
It is rather worrisome that the CAs, who are supposedly guarding the safety of web traffic, are so lax about the security of their own applications. As Zusman noted in the article: "If you can game a CA's validation mechanism, they don't get hurt — they might even make some money. [Those] who suffer are those who use the Internet."
SSL is an important part of the web infrastructure that users must rely on daily to protect their communications with sensitive sites. It is not surprising that it would be targeted by security researchers, nor is it all that surprising that problems were found. While attacks against these specific problems may be difficult to pull off in practice, they represent holes that clearly need to be filled. If security researchers are finding these kinds of problems, it's pretty likely that attackers are finding them as well—but the attackers are much less likely to tell us about it at Black Hat.
Brief items
SquirrelMail plugins compromised
The SquirrelMail team has sent out a notice saying that three plugins (sasql, multilogin, and change_pass) were compromised on the project's server. "Parts of these code changes attempts to send mail to an offsite server containing passwords. We cannot establish a timeline of when these plugins were compromised. If you are a user of these plugins, it is strongly recommended you download a fresh copy from the plugins repository." Changing passwords and looking for intrusions might also be a good idea.
New vulnerabilities
django: file request forgery
| Package(s): | django | CVE #(s): | |
| Created: | August 4, 2009 | Updated: | August 5, 2009 |
| Description: | From the Django security advisory: Django includes a lightweight, WSGI-based web server for use in learning Django and in testing new applications during early stages of development. For sake of convenience, this web server automatically maps certain URLs corresponding to the static media files used by the Django administrative application. The handler which maps these URLs did not properly check the requested URL to verify that it corresponds to a static media file used by Django. As such, a carefully-crafted URL can cause the development server to serve any file to which it has read access. |
drupal-date: cross site scripting
| Package(s): | drupal-date | CVE #(s): | |
| Created: | July 31, 2009 | Updated: | September 21, 2009 |
| Description: | From the Fedora advisory: The Date module provides a date CCK field that can be added to any content type. The Date Tools module that is bundled with Date module does not properly escape user input when displaying labels for fields on a content type. A malicious user with the 'use date tools' permission of the Date Tools sub-module, or the 'administer content types' permission could attempt a cross site scripting [1] (XSS) attack when creating a new content type, leading to the user gaining full administrative access. |
firebird: denial of service
| Package(s): | firebird | CVE #(s): | CVE-2009-2620 |
| Created: | August 3, 2009 | Updated: | September 1, 2009 |
| Description: | From the Mandriva advisory: src/remote/server.cpp in fbserver.exe in Firebird SQL 1.5 before 1.5.6, 2.0 before 2.0.6, 2.1 before 2.1.3, and 2.5 before 2.5 Beta 2 allows remote attackers to cause a denial of service (daemon crash) via a malformed op_connect_request message that triggers an infinite loop or NULL pointer dereference (CVE-2009-2620). |
firefox: integer overflow
| Package(s): | firefox | CVE #(s): | CVE-2009-2468 |
| Created: | July 31, 2009 | Updated: | August 5, 2009 |
| Description: | From the CVE entry: Integer overflow in CoreGraphics in Apple Mac OS X, as used in Mozilla Firefox before 3.0.12, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long text run that triggers a heap-based buffer overflow during font glyph rendering, a related issue to CVE-2009-1194. |
firefox: heap overflow in certificate regexp parsing
| Package(s): | firefox | CVE #(s): | CVE-2009-2404 |
| Created: | August 4, 2009 | Updated: | March 31, 2010 |
| Description: | From the Mozilla advisory: Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. This code provided compatibility with the non-standard regular expression syntax historically supported by Netscape clients and servers. With version 3.5 Firefox switched to the more limited industry-standard wildcard syntax instead and is not vulnerable to this flaw. |
firefox: compromise of SSL-protected communication
| Package(s): | firefox | CVE #(s): | CVE-2009-2408 |
| Created: | August 4, 2009 | Updated: | October 5, 2010 |
| Description: | From the Mozilla advisory: IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid null character in it most CAs would issue the certificate if the requester owned the domain specified after the null, while most SSL clients (browsers) ignored that part of the name and used the unvalidated part in front of the null. This made it possible for attackers to obtain certificates that would function for any site they wished to target. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions. |
firefox: address spoofing
| Package(s): | firefox xulrunner | CVE #(s): | CVE-2009-2654 |
| Created: | August 5, 2009 | Updated: | December 22, 2009 |
| Description: | The firefox browser allows attackers to spoof the information in the address bar, facilitating phishing attacks. Fixes are in versions 3.0.13 and 3.5.2. |
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | |
| Created: | August 5, 2009 | Updated: | August 5, 2009 |
| Description: | Firefox 3.5.2 fixes a number of vulnerabilities, two of which are labeled "critical." |
flash-plugin: multiple vulnerabilities
| Package(s): | flash-plugin | CVE #(s): | CVE-2009-1862 CVE-2009-1863 CVE-2009-1864 CVE-2009-1865 CVE-2009-1866 CVE-2009-1867 CVE-2009-1868 CVE-2009-1869 CVE-2009-1870 |
| Created: | July 31, 2009 | Updated: | August 7, 2009 |
| Description: | From the Red Hat advisory: Multiple security flaws were found in the way Flash Player displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, possibly, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2009-1862, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1868, CVE-2009-1869) A clickjacking flaw was discovered in Flash Player. A specially-crafted SWF file could trick a user into unintentionally or mistakenly clicking a link or a dialog. (CVE-2009-1867) A flaw was found in the Flash Player local sandbox. A specially-crafted SWF file could cause information disclosure when it was saved to the hard drive. (CVE-2009-1870) |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2009-1388 |
| Created: | August 4, 2009 | Updated: | August 5, 2009 |
| Description: | From the CVE entry: The ptrace_start function in kernel/ptrace.c in the Linux kernel 2.6.18 does not properly handle simultaneous execution of the do_coredump function, which allows local users to cause a denial of service (deadlock) via vectors involving the ptrace system call and a coredumping thread. |
nspr, nss: weak hash signatures
| Package(s): | nspr, nss | CVE #(s): | CVE-2009-2409 |
| Created: | July 31, 2009 | Updated: | April 28, 2010 |
| Description: | From the Red Hat advisory: Dan Kaminsky found that browsers still accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. NSS now disables the use of MD2 and MD4 algorithms inside signatures by default. (CVE-2009-2409) |
pdfedit: multiple vulnerabilities
| Package(s): | pdfedit | CVE #(s): | |
| Created: | August 5, 2009 | Updated: | August 5, 2009 |
| Description: | pdfedit contains "several serious remote vulnerabilities"; see this advisory for (minimal) further information. |
php4-eaccelerator: arbitrary code execution
| Package(s): | php4-eaccelerator | CVE #(s): | CVE-2009-2353 |
| Created: | August 3, 2009 | Updated: | August 5, 2009 |
| Description: | From the Mandriva advisory: encoder.php in eAccelerator allows remote attackers to execute arbitrary code by copying a local executable file to a location under the web root via the -o option, and then making a direct request to this file, related to upload of image files (CVE-2009-2353). |
sssd: privilege escalation
| Package(s): | sssd | CVE #(s): | CVE-2009-2410 |
| Created: | July 30, 2009 | Updated: | August 5, 2009 |
| Description: | From the Fedora alert: If a user was added to the SSSD BE database without setting a password, the user could ssh to the SSSD configured client and enter any password to gain access. This update resolves this issue so users with no password set are no longer able to login. |
wordpress: cross-site scripting
| Package(s): | wordpress | CVE #(s): | |
| Created: | August 5, 2009 | Updated: | August 7, 2009 |
| Description: | Wordpress prior to version 2.8.2 contains a cross-site scripting vulnerability associated with comment author URLs. |
xml-security-c: authentication bypass
| Package(s): | xml-security-c | CVE #(s): | CVE-2009-0217 |
| Created: | July 31, 2009 | Updated: | June 4, 2010 |
| Description: | From the CVE entry: The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. |
Page editor: Jake Edge
