Security
LPC: Three sessions from the security track
The Linux Plumbers Conference (LPC) had a full-day security track with talks on multiple topics of interest—far too many to adequately cover. So, just a few of the talks will be looked at here. Some of the other presentations will likely serve as the basis for other articles on this page in the future.
SELinux in Ubuntu
Caleb Case reported on the status of SELinux in Ubuntu. Since Ubuntu already uses AppArmor, one of the obvious questions was: why would Ubuntu add SELinux? Case said that users were asking for it and that having more options for running SELinux (beyond Fedora/RHEL) was desirable. Ubuntu has had SELinux available to install since Hardy Heron (8.04), but it has many more policy modules enabled in Jaunty (9.04) and Karmic (soon to be released 9.10).
The SELinux policy "needs work", Case said, and SELinux in Ubuntu is "not nearly as slick" as it is in Fedora, but it is a work in progress. Users can now do an apt-get install selinux, which will pull in everything that is needed and uninstall AppArmor. The installation updates the initramfs, installs the policy, and schedules a system relabel.
Policy is loaded from initramfs instead of via a patched init as has been done in the past. The upstart maintainers did not want to carry a patch to do policy loading, as they didn't want to have to patch for each and every Linux Security Module (LSM) that came along. As it turns out, loading from initramfs is becoming the popular option. Fedora is doing that via dracut and someone from the AppArmor team spoke up to note that it had switched over to loading policy from initramfs as well.
In the future, Case would like to see setroubleshoot added to Ubuntu and integrated with the desktop. They would like to enable more policy modules by default, so setroubleshoot would come in handy. Case said that the Ubuntu policy has fewer confined daemons than Fedora does, and that the reference policy has not been changed anywhere near as much as it has for Fedora. He invited the audience to "check it out, [and] see if it works, or doesn't" and joked that bugs should be submitted to Red Hat's Dan Walsh.
Smack and applications
Smack developer Casey Schaufler presented a look at application changes needed to support Smack on Linux. He started with a brief overview of Smack, including some newer information on packet labeling that can be used by Smack to enforce various controls on network traffic.
Not many changes were required to core applications to support Smack. Things like ls, id, and attr needed to change to show the Smack labels, while login required changes to set the Smack label on the user's login shell. mount needed to support some Smack-specific options for setting default labels on filesystems, and a new utility, newsmack—an administrative tool that is used for setting Smack labels on processes and files—was added.
For network applications, sshd needed to be changed to handle the labeling of the login shell. To support network services running at different labels, an xinetd-like utility called smackpolyport was created. It listens at the '*' label and can spawn services running with other labels to enforce network access restrictions. There is also work in progress on adding a Smack extension to the X Access Control Extension (XACE). There is more work to be done to integrate Smack into window managers as well as things like D-Bus, he said.
Schaufler has a habit of tweaking the SELinux development community as part of his talks, and he continued that tradition at LPC. He was discussing his work on making Smack work with the Oracle 11gR1 database server, and one of the criteria he noted was that it did not work with SELinux. In fact, the first step in the installation guide is to turn off SELinux. Some grumbling from the SELinux developers was heard in response to that, with the indication that it was possible—perhaps even unofficially working—but there is no public information on how to run Oracle with SELinux. Schaufler then went through the fairly simple steps he took to make Oracle and Smack work together.
Someone asked Schaufler if Smack had been integrated into any distributions. He said that Wind River listed Smack in one of its brochures, and someone from Wind River piped up to say that it was in versions 2.0 and 3.0 of its Linux product. Schaufler also noted that Philips televisions are, or will be soon, running Smack.
Why policy is special
Joshua Brindle looked at the interaction between package managers and SELinux policies, noting that installing policies is very different from installing applications. There are policies available for more than 290 applications currently; they are typically packaged by distributions, often after some customization is done. For rpm-based distributions, policies get loaded via post-script sections, which can lead to problems that require user intervention if the policy module fails to load.
In addition, third parties (like Oracle) have a hard time supporting policies for their packages, he said. There are "numerous hacks" to support policy loading. In general, policies just do not fit well into the current application installation model.
Policy is different because it potentially affects the entire system, unlike an application. Policies should be loaded before the applications they affect, or else there is a window in which the application is present, but the labels and policies have not been changed. If the policy fails to load, the application should not be installed, but under the current system, there is no way for rpm to roll the installation back if the post-script section fails.
Policies may also affect multiple applications and their interactions. In many cases, the policy should not be removed if the application is, because there may be user data that is protected by that policy. In addition, other applications may require the policies to be present so they can access the data. So, Brindle said, a new approach is needed. The goal of that work is to include the policy with the distribution package such that policies are installed first, "without hacks", and are part of the installation transaction, so they can be rolled back in the case of failure.
Brindle outlined additional goals of this work, which is initially targeted at rpm: supporting various corner cases like cross-installs and bootstrap installs. Helping third parties distribute policies for their applications is also an explicit goal, so there needs to be support for multiple policies and policy types (e.g. targeted), as well as support for different distributions and releases. Overall, he summed up the goals as trying to "make life with SELinux easier".
The initial patch to rpm adds policy loading support before the transaction. A second patch changes the %Policy directive to support policy renaming as well as allowing policies to obsolete one another. In addition, the changes to the %Policy directive allow for different policies based on the policy type of the system. Additional patches will support bootstrapping and chroot() installations. Those patches will also add the policies to the rpm database, which will allow the user to change the system policy type while giving rpm the information it needs to install the proper policy.
There is more work to be done, of course. One area that needs to be addressed is how to inform the administrator of policy changes that are being done by a package. Packages from dubious sources could install policies that have the effect of disabling some or all SELinux protections, so administrators need to be informed. There may be support added for differing levels of trust based on where the package file came from, so that administrators can enforce restrictions on what kind of policies packages can install.
Other talks
The most popular attendee was clearly the AVC cow, which made an appearance in Eamon Walsh's demo of XACE. The cow popped up whenever there was an AVC denial from SELinux, which led to calls for more violations so the cow would pop up again. As Dan Walsh (no relation) noted in his blog linked above, it is proof that at least some folks at the NSA (where Eamon Walsh works) have a sense of humor.
Other talks in the track were Dan Walsh's presentation on "sandbox -X", a look at the kernel crypto subsystem by Herbert Xu, David Safford on using the Integrity Management Architecture (IMA), James Carter on a new SELinux policy infrastructure, and a discussion of how to make SELinux easier to use led by Bryan Jacobson. The slides for each of the talks are available on the LPC Program page. There was a fair amount of audience participation, both in terms of questions and suggestions, throughout the sessions; very much in keeping with the mission of LPC. Overall, it was a very useful track for anyone trying to keep up with security in Linux.
Brief items
ClamAV 0.94.x end of life - with prejudice
The ClamAV project has announced the end of support for version 0.94.x - and that doesn't mean just stopping updates. "Starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 - that is to say older than 1 year. This move is needed to push more people to upgrade to 0.95. We would like to keep on supporting all old versions of our engine, but unfortunately this is no longer possible without causing a disservice to people running a recent release of ClamAV." Upgrading to a recent version seems like a good idea for those who depend on ClamAV.
New vulnerabilities
backuppc: privilege escalation
Package(s): backuppc
CVE #(s): CVE-2009-3369
Created: October 1, 2009
Updated: October 27, 2009
Description: From the Mandriva alert:
CgiUserConfigEdit in BackupPC 3.1.0, when SSH keys and Rsync are in use in a multi-user environment, does not restrict users from the ClientNameAlias function, which allows remote authenticated users to read and write sensitive files by modifying ClientNameAlias to match another system, then initiating a backup or restore.
elinks: off-by-one buffer overflow
Package(s): elinks
CVE #(s): CVE-2008-7224
Created: October 2, 2009
Updated: October 30, 2009
Description: From the Red Hat advisory: An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of string representations for HTML special entities. A remote attacker could use this flaw to create a specially-crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when rendered.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2009-2903
Created: October 5, 2009
Updated: February 19, 2010
Description: From the Red Hat bugzilla entry: When the handle_ip_over_ddp() function checks for the "ipddp0" device and the device is not found, the function does not free the socket buffer structure (skb), leading to a memory leak. This only happens if you have the appletalk module loaded, but not the ipddp module, as this only happens when the "ipddp0" device does not exist.
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2009-3001 CVE-2009-3002
Created: October 5, 2009
Updated: February 15, 2010
Description: From the Red Hat bugzilla entry:

1) NET: llc, zero sockaddr_llc struct. sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc before copying to the above layer's structure.
http://git.kernel.org/linus/3480c63bdf008e9289aab94418f43b9592978fff
http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
http://milw0rm.com/exploits/9513
Note that LLC sockets are restricted to root since v2.6.25-rc9 (see commit 3480c63b).

2) can: Fix raw_getname() leak. raw_getname() can leak 10 bytes of kernel memory to user.
http://git.kernel.org/linus/e84b90ae5eb3c112d1f208964df1d8156a538289
Note that this was introduced in v2.6.25-rc1.

3) irda: Fix irda_getname() leak. irda_getname() can leak kernel memory to user.
http://git.kernel.org/linus/09384dfc76e526c3993c09c42e016372dc9dd22c

4) appletalk: fix atalk_getname() leak. atalk_getname() can leak 8 bytes of kernel memory to user.
http://git.kernel.org/linus/3d392475c873c10c10d6d96b94d092a34ebd4791
http://milw0rm.com/exploits/9521

5) netrom: Fix nr_getname() leak. nr_getname() can leak kernel memory to user.
http://git.kernel.org/linus/f6b97b29513950bfbf621a83d85b6f86b39ec8db

6) econet: Fix econet_getname() leak. econet_getname() can leak kernel memory to user.
http://git.kernel.org/linus/80922bbb12a105f858a8f0abb879cb4302d0ecaa

7) rose: Fix rose_getname() leak. rose_getname() can leak kernel memory to user.
http://git.kernel.org/linus/17ac2e9c58b69a1e25460a568eae1b0dc0188c25

CVE request:
http://article.gmane.org/gmane.comp.security.oss.general/2029
http://article.gmane.org/gmane.comp.security.oss.general/2033
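Items 2) through 7) in the entry above share one pattern, shown here as an added illustration that is not kernel code and is not part of the original entry: a getname() handler fills a sockaddr structure on the kernel stack and copies sizeof(struct) back to user space, so every byte it did not write (unused fields and compiler padding) leaves the kernel with whatever the stack last held. The struct mirrors the kernel's struct sockaddr_at, whose sat_zero[8] atalk_getname() never touched; the field names and the AF_APPLETALK value 5 come from the kernel headers, while the _demo suffixes, the STALE marker, copy_to_user_sim() and the constructed address values are this example's own. The caller pre-fills the stack slot with the marker so the leak is deterministic, which a real uninitialised local would not be.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not kernel code: the getname() information-leak pattern
 * behind CVE-2009-3002.  Layout mirrors the kernel's struct sockaddr_at.
 */
struct atalk_addr_demo {
    uint16_t s_net;
    uint8_t  s_node;
};

struct sockaddr_at_demo {
    uint16_t               sat_family;
    uint8_t                sat_port;
    struct atalk_addr_demo sat_addr;
    uint8_t                sat_zero[8];   /* never assigned by the leaky version */
};

#define STALE             0xAA  /* stands for whatever an earlier syscall left on the stack */
#define AF_APPLETALK_DEMO 5     /* AF_APPLETALK in the kernel headers */
#define BYTES_WRITTEN     6     /* family(2) + port(1) + s_net(2) + s_node(1) */

/* Stand-in for copy_to_user(): both sides are ordinary memory here. */
static void copy_to_user_sim(void *uaddr, const void *kaddr, size_t len)
{
    memcpy(uaddr, kaddr, len);
}

/*
 * Vulnerable pattern: assign the fields of interest, then copy the whole
 * struct.  `slot` plays the role of the local variable on the kernel stack;
 * the caller pre-fills it with STALE (reading a genuinely uninitialised
 * local would be undefined behaviour in C).
 */
size_t getname_leaky(void *uaddr, struct sockaddr_at_demo *slot,
                     uint16_t net, uint8_t node, uint8_t port)
{
    slot->sat_family      = AF_APPLETALK_DEMO;
    slot->sat_port        = port;
    slot->sat_addr.s_net  = net;
    slot->sat_addr.s_node = node;
    copy_to_user_sim(uaddr, slot, sizeof(*slot));
    return sizeof(*slot);
}

/*
 * Fixed pattern, as in the upstream commits: zero the whole struct before
 * filling it.  The only difference from the leaky version is the memset.
 */
size_t getname_fixed(void *uaddr, struct sockaddr_at_demo *slot,
                     uint16_t net, uint8_t node, uint8_t port)
{
    memset(slot, 0, sizeof(*slot));
    return getname_leaky(uaddr, slot, net, node, port);
}

/* Number of bytes in the user-space copy that still carry STALE. */
int count_stale_bytes(const unsigned char *buf, size_t len)
{
    int n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == STALE)
            n++;
    return n;
}

/*
 * Run one variant with a "dirty" stack slot and report how many bytes of
 * old stack contents reached user space.  The constructed values (net
 * 0x1234, node 0x56, port 0x78, family 5) never equal STALE, so the count
 * is exact.
 */
int leaked_bytes(int use_fixed)
{
    struct sockaddr_at_demo slot;
    unsigned char user_buf[sizeof(slot)];

    memset(&slot, STALE, sizeof(slot));   /* simulate leftover kernel data */
    size_t n = use_fixed
        ? getname_fixed(user_buf, &slot, 0x1234, 0x56, 0x78)
        : getname_leaky(user_buf, &slot, 0x1234, 0x56, 0x78);
    return count_stale_bytes(user_buf, n);
}
```

On a typical x86-64 build leaked_bytes(0) returns 10: the eight bytes of sat_zero plus two bytes of compiler padding (after sat_port and at the end of sat_addr), while leaked_bytes(1) returns 0. The padding is why the upstream fixes zero the whole structure rather than just the unused field.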
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2008-4609
Created: October 2, 2009
Updated: October 7, 2009
Description: From the SUSE advisory:
Outpost24 AB researchers Robert E. Lee and Jack C. Louis have found TCP/IP denial of service vulnerabilities which allow remote attackers to allocate resources (memory and socket slots) on a targeted system indefinitely and so may cause a denial of the services on the attacked machine.
The attack requires the attacker to be able to establish TCP/IP connections on the machine. If all incoming connections are blocked, the system is not affected.
openoffice.org: arbitrary code execution
Package(s): openoffice.org
CVE #(s): CVE-2009-2139
Created: October 2, 2009
Updated: May 24, 2010
Description: From the Ubuntu advisory: A memory overflow flaw was discovered in OpenOffice.org's handling of EMF files. If a user were tricked into opening a specially crafted document, a remote attacker might be able to execute arbitrary code with user privileges.
samba: several vulnerabilities
Package(s): samba
CVE #(s): CVE-2009-2813 CVE-2009-2906 CVE-2009-2948
Created: October 2, 2009
Updated: March 10, 2010
Description: From the Ubuntu advisory:
J. David Hester discovered that Samba incorrectly handled users that lack home directories when the automated [homes] share is enabled. An authenticated user could connect to that share name and gain access to the whole filesystem. (CVE-2009-2813)
Tim Prouty discovered that the smbd daemon in Samba incorrectly handled certain unexpected network replies. A remote attacker could send malicious replies to the server and cause smbd to use all available CPU, leading to a denial of service. (CVE-2009-2906)
Ronald Volgers discovered that the mount.cifs utility, when installed as a setuid program, would not verify user permissions before opening a credentials file. A local user could exploit this to use or read the contents of unauthorized credential files. (CVE-2009-2948)
strongswan: multiple vulnerabilities
Package(s): strongswan
CVE #(s): CVE-2009-1957 CVE-2009-1958 CVE-2009-2661
Created: October 5, 2009
Updated: November 10, 2009
Description: From the Debian advisory: CVE-2009-1957, CVE-2009-1958: The charon daemon can crash when processing certain crafted IKEv2 packets. CVE-2009-2661: The pluto daemon could crash when processing a crafted X.509 certificate.
wget: man in the middle attack
Package(s): wget
CVE #(s): CVE-2009-3490
Created: October 6, 2009
Updated: December 4, 2009
Description: From the Ubuntu advisory: It was discovered that Wget did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.
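The "zero bytes in the Common Name" problem, as an added example that is not wget's code and not part of the original entry: an X.509 CN is a length-delimited ASN.1 string, so a CA that does not validate its input can issue a CN such as "www.bank.example\0.attacker.example". A client that hands that buffer to a strcmp()-style comparison stops at the NUL and sees only "www.bank.example". The byte strings below are constructed for the example; a real client would take the CN and its length from the TLS library (in OpenSSL, ASN1_STRING_length() and ASN1_STRING_data()) rather than from a literal.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/*
 * Added example, not wget's code: Common Name matching with and without
 * the embedded-NUL check (CVE-2009-3490).  `cn`/`cn_len` stand for the
 * ASN.1 string and length a TLS library would hand back.
 */

/* Vulnerable pattern: the ASN.1 length is ignored and the CN is treated
 * as a C string, so comparison ends at the first NUL byte. */
int cn_matches_cstring(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                       /* the bug: length never consulted */
    return strcmp((const char *)cn, host) == 0;
}

/* Case-insensitive ASCII comparison over an explicit length (DNS names
 * are case-insensitive, so "WWW.Bank.Example" must still match). */
static int ascii_ieq(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Hardened pattern: reject any embedded NUL, require the ASN.1 length to
 * equal the host name's length, and compare every byte. */
int cn_matches_strict(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                       /* no legitimate DNS name holds NUL */
    if (strlen(host) != cn_len)
        return 0;                       /* catches both truncation and suffixes */
    return ascii_ieq(cn, host, cn_len);
}

/* Constructed CN as a careless CA might have issued it: 34 bytes of ASN.1
 * data including the embedded NUL (the array's own terminator is dropped). */
const unsigned char evil_cn[] = "www.bank.example\0.attacker.example";
#define EVIL_CN_LEN (sizeof(evil_cn) - 1)

/* Constructed legitimate CN for the same host. */
const unsigned char good_cn[] = "www.bank.example";
#define GOOD_CN_LEN (sizeof(good_cn) - 1)
```

The C-string version accepts evil_cn for www.bank.example, which is exactly the man-in-the-middle condition the advisory describes; the strict version rejects it while still accepting the genuine certificate, including with a differently cased host name.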
xen: guest privilege escalation
Package(s): xen
CVE #(s): CVE-2009-3525
Created: October 2, 2009
Updated: May 25, 2010
Description: From the Red Hat advisory: The pyGrub boot loader did not honor the "password" option in the grub.conf file for para-virtualized guests. Users with access to a guest's console could use this flaw to bypass intended access restrictions and boot the guest with arbitrary kernel boot options, allowing them to get root privileges in the guest's operating system. With this update, pyGrub correctly honors the "password" option in grub.conf for para-virtualized guests.
Page editor: Jake Edge