Security
Attacks against WordPress installations
The WordPress content management system (CMS) has been in the news lately—for reasons the project and its users would probably rather not see—as there has been a rash of attacks against older versions of WordPress. At least one high-profile blogger, Robert Scoble, succumbed to the attack, posting that he no longer felt safe with WordPress. Various others also piled on, but the problem that was being exploited had been fixed in early August; the affected sites just hadn't upgraded.
Keeping up with security updates can be time-consuming, especially for relatively non-technical users who are hosting a CMS site simply to provide themselves a place to blog. One could easily argue that those kinds of users would be best served by using one of the free services available for such things. But, those services tend to have fewer features—often to encourage upgrading to a subscription-based support plan—leaving bloggers who want the latest shiny features to host WordPress (or other similar CMS programs) themselves.
At least for WordPress, many of those shiny features come as plugins to the CMS engine. When security updates are made, changes required for the plugins may very well lag behind. Even if the upgrade wouldn't affect the plugins at all, concerns over that happening led various folks, including Scoble, to wait a while before upgrading:
In the comments on Scoble's blog posting (where the above quote comes from), as well as in a conversation on his FriendFeed, it is clear that numerous other folks have run into similar problems with attacks as well as issues with upgrades. WordPress developer Matt Mullenweg has numerous comments on Scoble's complaints, and his suggestions are fairly obvious: update immediately when there are outstanding security patches and, if that's not possible, consider moving to a managed provider (possibly WordPress.com, the commercial side of WordPress development).
Mullenweg's advice is good, but it would also seem that the WordPress project could be doing more to highlight security issues. The project home page lacks obvious links for security information—though it currently has a link to Mullenweg's How to Keep WordPress Secure posting—and searching for "security" on the site does not bring up any centralized location for that kind of information. It is probably just an oversight, but even the "Security" category on the WordPress blog does not contain the 2.8.3 announcement, which is the release that fixes the problem being exploited.
For a new, or casual, WordPress user, it would certainly seem possible that they might miss these security announcements. The WordPress software will alert the user that there are updates available—and there is an email list for new release notification—but there are numerous ways to add content to a WordPress blog without logging into the administrative interface, so the alerts may be missed. It's clear that Mullenweg takes security seriously based on his comments, but that message may not be getting out to the WordPress faithful.
The actual bug that is being exploited is a run-of-the-mill privilege escalation flaw. While the bug itself may be pedestrian, the consequences are not, as Scoble and others found. Scoble's situation was exacerbated by not having any backups (!), but the bigger problem is how to get the system back to a "safe" state after it has been exploited. Depending on how WordPress was installed, the only safe way to restore a cracked system may be to reinstall the entire operating system. These kinds of attacks can leave various back doors behind that stay active even after WordPress itself has been upgraded.
The point is not to pick on WordPress, or even CMS programs in general, but to note a general problem. There is a tension between the fear of upgrading and the fear of an attack, and many users fear the former much more than the latter. WordPress has made great strides in simplifying the upgrade process, but it still has the potential to break things—especially in plugins that are completely outside of the project's control. As it turns out, the privilege escalation vulnerability was related to how certain plugins' administration pages were handled.
Web application security is hard. It is harder still when trying to create a general purpose web application platform, particularly one that allows plugins to fairly arbitrarily change its behavior. This is certainly not the last attack against WordPress or CMS programs that we will see. It is definitely in the best interest of these projects and their users to pay close attention to security issues as they arise.
Brief items
WordPress Blog: How to Keep WordPress Secure
Here's an entry on the WordPress Blog on keeping installations secure - a topic WordPress administrators should be especially concerned about at the moment. "Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts."
Deep packet inspection engine goes open source (ars technica)
Ars technica looks at a free software release of deep packet inspection (DPI) code from ipoque. At least part of the motivation for releasing the code is to allay fears that ipoque's DPI hardware is digging into the actual content, rather than the packet formats and timing, of encrypted traffic, but this release may not succeed in doing that: "The OpenDPI engine, released under the LGPL license, differs from ipoque's commercial scanning engine in its high-priced DPI hardware. The open-source version is much slower and (more importantly) doesn't reveal ipoque's methods for identifying encrypted transmissions. DPI vendors all claim high levels of success at identifying such traffic based on the flow patterns and handshake signatures common to protocols like BitTorrent and Skype, even if they cannot crack the encryption and examine the content of those transmissions."
Security reports
Enterprise Linux 5.3 to 5.4 risk report
Red Hat's director of security response, Mark J. Cox, has released another of his risk reports, this one looking at the security updates between RHEL 5.3 and 5.4. He notes that of the nine vulnerabilities of "critical" severity in that time, seven were for Firefox. It is interesting to note that the three NULL pointer vulnerabilities for the kernel were not rated as critical as they were not remotely exploitable. He also points out that three flaws which would have required critical updates, instead required no update—or in one case a low severity update for a denial of service—due to various mitigations (FORTIFY_SOURCE and hardened malloc/free) present in RHEL.
New vulnerabilities
cmus: temporary file vulnerability
| Package(s): | cmus | CVE #(s): | CVE-2008-5375 |
| Created: | September 9, 2009 | Updated: | September 9, 2009 |
| Description: | The cmus (C* Music) player suffers from a temporary file vulnerability; 2.2.0-r1 contains the fix. |
| Alerts: | |
cyrus-imapd: buffer overflow
| Package(s): | cyrus-imapd | CVE #(s): | CVE-2009-2632 |
| Created: | September 8, 2009 | Updated: | October 24, 2011 |
| Description: | From the Debian advisory: It was discovered that the SIEVE component of cyrus-imapd, a highly scalable enterprise mail system, is vulnerable to a buffer overflow when processing SIEVE scripts. Due to incorrect use of the sizeof() operator an attacker is able to pass a negative length to snprintf() calls resulting in large positive values due to integer conversion. This causes a buffer overflow which can be used to elevate privileges to the cyrus system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system. |
| Alerts: | |
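The advisory describes a signed/unsigned mix-up: free space in a buffer is computed from sizeof() into a signed int, goes negative once the buffer is full, and snprintf()'s size_t length parameter then receives a huge value. The following is an added illustration written for this page, not cyrus-imapd's code; the buffer size, the `used` counter and the `safe_append()` helper are constructed for the example. `buggy_snprintf_limit()` only returns the limit the faulty arithmetic would hand to snprintf(); it writes nothing.

```c
#include <stdio.h>
#include <string.h>

/* Shape of the flaw: sizeof() yields a size_t, `used` is an int, and the
 * result is stored back into an int. Once `used` exceeds the buffer size
 * the stored value is negative (e.g. -6), and at the snprintf() call site
 * that negative int converts to a size_t close to SIZE_MAX, so the length
 * limit no longer protects anything. */
size_t buggy_snprintf_limit(size_t buf_size, int used)
{
    int remaining = buf_size - used;   /* unsigned arithmetic truncated into int */
    return (size_t)remaining;          /* what snprintf(dst, remaining, ...) sees */
}

/* Hardened append (constructed helper): keeps every quantity unsigned,
 * refuses to write when the buffer is already full, and treats snprintf()
 * truncation as an error instead of silently continuing.
 * Returns the new string length, or -1 if `src` does not fit. */
int safe_append(char *buf, size_t buf_size, size_t used, const char *src)
{
    if (used >= buf_size)
        return -1;                                   /* nothing left, refuse */
    size_t remaining = buf_size - used;              /* cannot go negative */
    int n = snprintf(buf + used, remaining, "%s", src);
    if (n < 0 || (size_t)n >= remaining)
        return -1;                                   /* would have truncated */
    return (int)(used + (size_t)n);
}

int main(void)
{
    char out[16] = "";
    int len = safe_append(out, sizeof out, 0, "hello");
    len = safe_append(out, sizeof out, (size_t)len, " world");
    printf("appended: \"%s\" (%d bytes)\n", out, len);
    printf("limit with 10 of 64 bytes used: %zu\n", buggy_snprintf_limit(64, 10));
    printf("limit with 70 of 64 bytes used: %zu (no limit at all)\n",
           buggy_snprintf_limit(64, 70));
    printf("refused when full: %d\n", safe_append(out, sizeof out, 70, "x"));
    return 0;
}
```

Compiling with -Wall -Wextra flags the implicit size_t to int conversion in the buggy function; the fix in practice is to keep the remaining length unsigned and to check for a full buffer before calling snprintf().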
devscripts: missing input sanitation
| Package(s): | devscripts | CVE #(s): | CVE-2009-2946 |
| Created: | September 3, 2009 | Updated: | October 9, 2009 |
| Description: | From the Debian alert: Raphael Geissert discovered that uscan, a program to check for availability of new source code versions which is part of the devscripts package, runs Perl code downloaded from potentially untrusted sources to implement its URL and version mangling functionality. This update addresses this issue by reimplementing the relevant Perl operators without relying on the Perl interpreter, trying to preserve backwards compatibility as much as possible. |
| Alerts: | |
gccxml: temporary file vulnerability
| Package(s): | gccxml | CVE #(s): | CVE-2008-4957 |
| Created: | September 9, 2009 | Updated: | September 9, 2009 |
| Description: | The GCC-XML utility suffers from a temporary file vulnerability. |
| Alerts: | |
lmbench: temporary file vulnerability
| Package(s): | lmbench | CVE #(s): | CVE-2008-4968 |
| Created: | September 9, 2009 | Updated: | September 9, 2009 |
| Description: | The lmbench utility contains multiple temporary file vulnerabilities. There does not appear to be a fix available; Gentoo has responded by removing lmbench from its repository entirely. |
| Alerts: | |
openoffice.org: integer underflow, boundary error
| Package(s): | openoffice.org | CVE #(s): | CVE-2009-0200 CVE-2009-0201 |
| Created: | September 4, 2009 | Updated: | May 24, 2010 |
| Description: | From the Red Hat advisory: An integer underflow flaw and a boundary error flaw, both possibly leading to a heap-based buffer overflow, were found in the way OpenOffice.org parses certain records in Microsoft Word documents. An attacker could create a specially-crafted Microsoft Word document, which once opened by an unsuspecting user, could cause OpenOffice.org to crash or, potentially, execute arbitrary code with the permissions of the user running OpenOffice.org. |
| Alerts: | |
pam: authentication bypass
| Package(s): | pam | CVE #(s): | |
| Created: | September 9, 2009 | Updated: | September 9, 2009 |
| Description: | From the Ubuntu advisory: Russell Senior discovered that the system authentication module selection mechanism for PAM did not safely handle an empty selection. If an administrator had specifically removed the default list of modules or failed to choose a module when operating debconf in a very unlikely non-default configuration, PAM would allow any authentication attempt, which could lead to remote attackers gaining access to a system with arbitrary privileges. |
| Alerts: | |
qt: man-in-the-middle attack
| Package(s): | qt | CVE #(s): | CVE-2009-2700 |
| Created: | September 3, 2009 | Updated: | February 3, 2010 |
| Description: | From the National Vulnerability Database entry: "src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408." |
| Alerts: | |
screenie: temporary file vulnerability
| Package(s): | screenie | CVE #(s): | CVE-2008-5371 |
| Created: | September 9, 2009 | Updated: | September 9, 2009 |
| Description: | Versions of screenie prior to 1.30.0-r1 contain a temporary file vulnerability. |
| Alerts: | |
silc: several vulnerabilities
| Package(s): | silc-client/silc-toolkit | CVE #(s): | CVE-2008-7159 CVE-2008-7160 CVE-2009-3051 |
| Created: | September 4, 2009 | Updated: | June 1, 2010 |
| Description: | From the Debian advisory: An incorrect format string in sscanf() used in the ASN1 encoder to scan an OID value could overwrite a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. On 64-bit architectures this could result in unexpected application behaviour or even code execution in some cases (CVE-2008-7159). Various format string vulnerabilities when handling parsed SILC messages allow an attacker to execute arbitrary code with the rights of the victim running the SILC client via crafted nick names or channel names containing format strings (CVE-2009-3051). An incorrect format string in a sscanf() call used in the HTTP server component of silcd could result in overwriting a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. An attacker could exploit this by using crafted Content-Length header values resulting in unexpected application behaviour or even code execution in some cases (CVE-2008-7160). |
| Alerts: | |
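Two of the three SILC issues are sscanf() conversions whose format directive names a wider type than the variable it stores into: on an LP64 system `%lu` writes eight bytes, so a four-byte destination gets its neighbour on the stack overwritten as well. The parser below is an added example for this page, not silcd's code, showing how the Content-Length case is handled without sscanf() at all: strtoull() into a wide temporary, explicit range checks, and only then a store into the 32-bit destination. The header name, the 16 MiB policy limit and the test inputs are constructed assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* The mismatch the advisory describes, shown as a comment so nothing here
 * compiles it:
 *     uint32_t len;
 *     sscanf(line, "Content-Length: %lu", &len);   // %lu stores 8 bytes on LP64
 * gcc -Wformat reports exactly this: "format '%lu' expects argument of type
 * 'long unsigned int *'". Treat that warning as an error in security code. */

/* Constructed policy limit: the largest body this server will accept. */
#define MAX_CONTENT_LENGTH (16u * 1024u * 1024u)

/* Parses a "Content-Length:" header line into a uint32_t.
 * Returns 0 and stores the value on success, -1 for anything else:
 * wrong header, a sign, trailing garbage, or a value above the limit.
 * The conversion happens in an unsigned long long, which is always at
 * least as wide as what strtoull() produces, so no write can exceed the
 * destination object. */
int parse_content_length(const char *line, uint32_t *out)
{
    static const char prefix[] = "Content-Length:";
    size_t plen = sizeof(prefix) - 1;
    unsigned long long v;
    char *end;

    if (strncasecmp(line, prefix, plen) != 0)
        return -1;                                  /* not this header */
    line += plen;
    while (*line == ' ' || *line == '\t')
        line++;
    if (*line < '0' || *line > '9')
        return -1;                                  /* rejects "", "-5", "+5" */
    errno = 0;
    v = strtoull(line, &end, 10);
    if (errno == ERANGE || v > MAX_CONTENT_LENGTH)
        return -1;                                  /* too large for policy or type */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')
        return -1;                                  /* trailing garbage, e.g. "12abc" */
    *out = (uint32_t)v;                             /* now provably fits */
    return 0;
}

int main(void)
{
    /* Constructed sample header lines, as they might arrive on the wire. */
    const char *samples[] = {
        "Content-Length: 1234\r\n", "Content-Length: -5",
        "Content-Length: 12abc",    "Content-Length: 99999999999",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t n = 0;
        int rc = parse_content_length(samples[i], &n);
        printf("%-32s -> %s %u\n", samples[i], rc == 0 ? "ok" : "rejected", n);
    }
    return 0;
}
```

The same discipline covers the OID case (CVE-2008-7159): scan into a variable whose type matches the directive exactly, or avoid scanf-family parsing for untrusted input altogether. The third issue, format strings in nick and channel names, has the usual remedy of never passing attacker-controlled text as a format argument; use `"%s"` with the string as a parameter.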
tkman: symbolic link vulnerability
| Package(s): | tkman | CVE #(s): | CVE-2008-5137 |
| Created: | September 9, 2009 | Updated: | September 9, 2009 |
| Description: | Versions of tkman prior to 2.2-r1 suffer from a symbolic link vulnerability. |
| Alerts: | |
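Five of this week's entries (cmus, gccxml, lmbench, screenie and tkman) are the same class of bug: a program opens a temporary file under a predictable name, and because the open follows symbolic links, a link planted at that name beforehand redirects the write to a file the program never meant to touch. The demonstration below is an added example for this page, not code from any of those packages. It creates its own private scratch directory, plants the link itself, and shows that the O_TRUNC open writes through the link while an O_EXCL|O_NOFOLLOW open and mkstemp() do not. The scratch path, file names and contents are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern: predictable name, O_TRUNC, and no defence against a
 * pre-existing entry. If a symlink is already there, open() follows it and
 * the program truncates and writes whatever the link points at. */
int unsafe_open_tmp(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe pattern 1: O_EXCL demands a brand-new file (EEXIST otherwise) and
 * O_NOFOLLOW refuses to traverse a symlink at the final component. */
int safe_open_tmp(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Safe pattern 2: let the C library choose an unpredictable name and create
 * it atomically. `tmpl` must end in XXXXXX and receives the chosen name. */
int safe_mkstemp_tmp(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Runs both patterns in a private scratch directory. Sets *clobbered to 1
 * if the unsafe open wrote through the planted link, *refused to 1 if the
 * safe open rejected it. Returns 0, or -1 on a setup failure. */
int demo_in_scratch(int *clobbered, int *refused)
{
    char dir[] = "/tmp/tmpfile-demo.XXXXXX";          /* constructed scratch area */
    char victim[256], planted[256], fresh[256], buf[64];
    int fd, rc = -1;
    ssize_t n;

    *clobbered = *refused = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(planted, sizeof planted, "%s/predictable.tmp", dir);
    snprintf(fresh, sizeof fresh, "%s/scratch.XXXXXX", dir);

    /* A file that must never be touched, and a link planted at the
     * predictable temporary name pointing at it. */
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) goto out;
    if (write(fd, "important\n", 10) != 10) { close(fd); goto out; }
    close(fd);
    if (symlink(victim, planted) != 0) goto out;

    /* The vulnerable open follows the link and overwrites the victim. */
    fd = unsafe_open_tmp(planted);
    if (fd >= 0) {
        if (write(fd, "junk\n", 5) != 5) { close(fd); goto out; }
        close(fd);
    }
    fd = open(victim, O_RDONLY);
    if (fd < 0) goto out;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) goto out;
    buf[n] = '\0';
    *clobbered = (strcmp(buf, "junk\n") == 0);

    /* The hardened open refuses the planted entry outright. */
    fd = safe_open_tmp(planted);
    if (fd < 0 && errno == EEXIST) *refused = 1;
    else if (fd >= 0) close(fd);

    /* mkstemp() never reuses an existing name, so it simply succeeds. */
    fd = safe_mkstemp_tmp(fresh);
    if (fd < 0) goto out;
    close(fd);
    unlink(fresh);
    rc = 0;
out:
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return rc;
}

/* Bit 0: unsafe open clobbered the victim; bit 1: safe open refused. */
int demo_outcome(void)
{
    int c, r;
    if (demo_in_scratch(&c, &r) != 0) return -1;
    return c | (r << 1);
}

int main(void)
{
    int outcome = demo_outcome();
    if (outcome < 0) { perror("demo setup failed"); return 1; }
    printf("O_TRUNC open overwrote the victim: %s\n", (outcome & 1) ? "yes" : "no");
    printf("O_EXCL|O_NOFOLLOW open refused the link: %s\n", (outcome & 2) ? "yes" : "no");
    return 0;
}
```

For shell scripts, which is where several of these packages' bugs live, the equivalent fix is `mktemp` (or `mktemp -d` and working inside the new directory) instead of `$TMPDIR/name.$$`; the process id is guessable and the shell's `>` redirection follows symlinks just as O_TRUNC does.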
xemacs: multiple buffer overflows
| Package(s): | xemacs | CVE #(s): | CVE-2009-2688 |
| Created: | September 4, 2009 | Updated: | June 3, 2010 |
| Description: | From the Fedora advisory: This update fixes multiple buffer overflows when reading large image files, or maliciously created image files whose headers misrepresent the actual image size. |
| Alerts: | |
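The OpenOffice.org and XEmacs entries above are the same lesson from two file formats: a size taken from a header (a Word record length, an image's width and height) is used for allocation or copying before it is checked against the bytes actually present, and subtracting a header size from a too-small declared length wraps around to a huge value. The parser below is an added example for this page, not OpenOffice.org's or XEmacs's code. The four-byte record layout, the sample byte strings and the `record_t` type are constructed; `unchecked_payload_len()` only returns the length the faulty arithmetic would produce and copies nothing.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 4   /* constructed layout: 2-byte type, 2-byte total length */

typedef struct {
    uint16_t type;
    size_t payload_len;
    const uint8_t *payload;
} record_t;

static uint16_t rd16(const uint8_t *p)            /* little-endian, as in .doc */
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* The underflow's shape: a declared total below the header size makes
 * `declared - HDR_LEN` negative, and converting that to size_t for a
 * malloc() or memcpy() yields SIZE_MAX - 1 instead of an error. */
size_t unchecked_payload_len(uint16_t declared_total)
{
    return declared_total - HDR_LEN;              /* 2 - 4 becomes SIZE_MAX - 1 */
}

/* Validates a record against the bytes actually available before trusting
 * anything in its header. Returns 0 and fills *out, or -1 if the header is
 * truncated, the declared length is below the header size (underflow), or
 * the header claims more bytes than the buffer holds. */
int parse_record(const uint8_t *buf, size_t avail, record_t *out)
{
    uint16_t declared;
    if (avail < HDR_LEN) return -1;
    declared = rd16(buf + 2);
    if (declared < HDR_LEN) return -1;            /* would underflow */
    if (declared > avail) return -1;              /* header misrepresents the data */
    out->type = rd16(buf);
    out->payload_len = declared - HDR_LEN;
    out->payload = buf + HDR_LEN;
    return 0;
}

/* The image-header analogue: width x height x bytes-per-pixel must be
 * computed without overflow and must not exceed what was actually read.
 * Returns 1 if the header is plausible for `avail` bytes, 0 otherwise. */
int image_header_plausible(uint32_t width, uint32_t height, uint32_t bpp, size_t avail)
{
    uint64_t pixels, need;
    if (width == 0 || height == 0 || bpp == 0) return 0;
    pixels = (uint64_t)width * height;            /* fits: both factors < 2^32 */
    if (pixels > UINT64_MAX / bpp) return 0;      /* the multiply would overflow */
    need = pixels * bpp;
    return need <= avail;
}

/* Constructed sample records: well-formed, length below the header size,
 * and a header claiming far more than the 5 bytes present. */
static const uint8_t REC_GOOD[]      = { 0x01, 0x00, 0x07, 0x00, 'a', 'b', 'c' };
static const uint8_t REC_UNDERFLOW[] = { 0x01, 0x00, 0x02, 0x00, 'a', 'b', 'c' };
static const uint8_t REC_OVERSIZED[] = { 0x01, 0x00, 0xFF, 0x7F, 'a' };
```

Both checks are cheap and sit at the boundary where untrusted bytes turn into sizes; every later memcpy() or malloc() can then rely on `payload_len` and `need` being honest.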
Page editor: Jake Edge